- 1MyBatis复杂映射开发之多对多查询
- 2C++(1): std::vector的使用
- 3Android开发中,JDK版本,Gradle版本,Kotlin插件与Kotlin版本等各自对应关系_android kotlin gradle 对应版本
- 4一个不兼容的软件尝试与microsoft edge_winhafnt64.dll
- 5[python]批量修改xml中属性及字段的实现_python批量修改xml属性值
- 6【C++】构造函数_定义构造函数student(string name, course[] courses)初始化实例变
- 7Day22:安全开发-PHP应用&留言板功能&超全局变量&数据库操作&第三方插件引用
- 8【WinForm详细教程三】WinForm中的NumericUpDown、PictureBox、RichTextBox及三种Timer控件_怎么判断numericupdown是点击触发还是其它触发
- 9Node.js常用命令_node进入目录命令
- 10Metasploit——辅助模块(Auxiliary)_使用metasploit的scanner模块
Kubernetes dashboard1.8.0 WebUI安装与配置_anonymous-auth在哪里配置
赞
踩
kubernetes-dashboard.yaml
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- labels:
- k8s-app: kubernetes-dashboard
- addonmanager.kubernetes.io/mode: Reconcile
- name: kubernetes-dashboard
- namespace: kube-system
- ---
- apiVersion: apps/v1beta2
- kind: Deployment
- metadata:
- name: kubernetes-dashboard
- namespace: kube-system
- labels:
- k8s-app: kubernetes-dashboard
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
- spec:
- selector:
- matchLabels:
- k8s-app: kubernetes-dashboard
- template:
- metadata:
- labels:
- k8s-app: kubernetes-dashboard
- annotations:
- scheduler.alpha.kubernetes.io/critical-pod: ''
- spec:
- serviceAccountName: kubernetes-dashboard
- containers:
- - name: kubernetes-dashboard
- image: 10.0.11.222:5000/bigdata/kubernetes-dashboard-amd64:v1.8.0
- resources:
- limits:
- cpu: 100m
- memory: 300Mi
- requests:
- cpu: 100m
- memory: 100Mi
- ports:
- - containerPort: 8443
- protocol: TCP
- args:
- - --auto-generate-certificates
- volumeMounts:
- - name: kubernetes-dashboard-certs
- mountPath: /certs
- - name: tmp-volume
- mountPath: /tmp
- livenessProbe:
- httpGet:
- scheme: HTTPS
- path: /
- port: 8443
- initialDelaySeconds: 30
- timeoutSeconds: 30
- volumes:
- - name: kubernetes-dashboard-certs
- secret:
- secretName: kubernetes-dashboard-certs
- - name: tmp-volume
- emptyDir: {}
- serviceAccountName: kubernetes-dashboard
- tolerations:
- - key: "CriticalAddonsOnly"
- operator: "Exists"
- ---
- apiVersion: v1
- kind: Service
- metadata:
- name: kubernetes-dashboard
- namespace: kube-system
- labels:
- k8s-app: kubernetes-dashboard
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
- spec:
- type: NodePort
- selector:
- k8s-app: kubernetes-dashboard
- ports:
- - port: 443
- targetPort: 8443
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
spec.containers.image:填写dashboard的镜像路径。我这里填写的是本地私有库的dashboard镜像。大家可以通过docker search查询1.8.0版本的dashboard。
spec.containers.args:此处填写的是一些参数,由于我的kubernetes1.8.0是通过HTTPS安全验证的安装,访问的是http://masterip:6443,因此,此处我填写了- --auto-generate-certificates,用以自动生成dashboard证书,此处不需要填写apiserver地址。
kubernetes-rbac.yaml
因为kubernetes1.8.0开启了 RBAC 所以这里需要创建一个 RBAC 认证。
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- name: kubernetes-dashboard
- namespace: kube-system
-
- ---
-
- kind: ClusterRoleBinding
- apiVersion: rbac.authorization.k8s.io/v1beta1
- metadata:
- name: kubernetes-dashboard
- subjects:
- - kind: ServiceAccount
- name: kubernetes-dashboard
- namespace: kube-system
- roleRef:
- kind: ClusterRole
- name: cluster-admin
- apiGroup: rbac.authorization.k8s.io
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
dashboard安装启动
kubernetes-dashboard-certs创建
新建一个空目录:certs,然后执行下面命令:
kubectl create secret generic kubernetes-dashboard-certs --from-file=certs -n kube-system- 1
将上面两个文件kubernetes-dashboard.yaml、kubernetes-rbac.yaml放置到同一个目录,该目录只要这两个文件,然后执行下面的命令:
安装启动
- # 读取当前目录配置文件进行安装启动
- kubectl apply -f .
- 1
- 2
查看pod
查看namespace为kube-system下的pod
- kubectl get pods --namespace="kube-system"
-
-
- NAME READY STATUS RESTARTS AGE
- kubernetes-dashboard-77bd6c79b-sc5wb 1/1 Running 1 56m
- 1
- 2
- 3
- 4
- 5
查看指定pod详情
pods/后面跟指定pod name
kubectl describe pods/kubernetes-dashboard-77bd6c79b-sc5wb --namespace="kube-system" - 1
由于详情过多,此处截图只展示部分信息:
查看dashboard界面
访问以下链接(1.8.0访问 https://masterip:6443/ui 无法访问):
https://MasterIP:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/- 1
MasterIP:kubernetes集群master节点ip
kubernetes-dashboard界面:
出现的问题
首次安装,如果没有做apiserver参数配置,则可能会出现一些问题。下面就看下常见问题的解决方法
system:anonymous问题
访问dashboard网页时,可能出现下面这种报错:
- {
- "kind": "Status",
- "apiVersion": "v1",
- "metadata": {
-
- },
- "status": "Failure",
- "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get services/proxy in the namespace \"kube-system\"",
- "reason": "Forbidden",
- "details": {
- "name": "https:kubernetes-dashboard:",
- "kind": "services"
- },
- "code": 403
- }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
Kubernetes API Server新增了–anonymous-auth选项,允许匿名请求访问secure port。没有被其他authentication方法拒绝的请求即Anonymous requests, 这样的匿名请求的username为system:anonymous, 归属的组为system:unauthenticated。并且该选线是默认的。这样一来,当采用chrome浏览器访问dashboard UI时很可能无法弹出用户名、密码输入对话框,导致后续authorization失败。为了保证用户名、密码输入对话框的弹出,需要将–anonymous-auth设置为false。
解决方法:
在api-server配置文件中添加--anonymous-auth=false
- vi /etc/systemd/system/kube-apiserver.service
-
- [Unit]
- Description=Kubernetes API Server
- Documentation=https://github.com/GoogleCloudPlatform/kubernetes
- After=network.target
-
- [Service]
- User=root
- ExecStart=/usr/local/bin/kube-apiserver \
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \
- --advertise-address=10.0.11.222 \
- --allow-privileged=true \
- --apiserver-count=3 \
- --audit-policy-file=/etc/kubernetes/audit-policy.yaml \
- --audit-log-maxage=30 \
- --audit-log-maxbackup=3 \
- --audit-log-maxsize=100 \
- --audit-log-path=/var/log/kubernetes/audit.log \
- --authorization-mode=Node,RBAC \
- --anonymous-auth=false \ # 不接受匿名访问,若为true,则表示接受,此处设置为false,便于dashboard访问
- --bind-address=0.0.0.0 \
- --secure-port=6443 \
- --client-ca-file=/etc/kubernetes/ssl/ca.pem \
- --enable-swagger-ui=true \
- --etcd-cafile=/etc/kubernetes/ssl/ca.pem \
- --etcd-certfile=/etc/kubernetes/ssl/etcd.pem \
- --etcd-keyfile=/etc/kubernetes/ssl/etcd-key.pem \
- --etcd-servers=https://10.0.11.222:2379 \
- --event-ttl=1h \
- --kubelet-https=true \
- --insecure-bind-address=127.0.0.1 \
- --insecure-port=8080 \
- --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \
- --service-cluster-ip-range=10.254.0.0/16 \
- --service-node-port-range=30000-32000 \
- --tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem \
- --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
- --enable-bootstrap-token-auth \
- --token-auth-file=/etc/kubernetes/token.csv \
- --v=2
- Restart=on-failure
- RestartSec=5
- Type=notify
- LimitNOFILE=65536
-
- [Install]
- WantedBy=multi-user.target
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
Unauthorized问题
解决了上面那个问题之后,再度访问dashboard页面,发现还是有问题,出现下面这个问题:
- {
- "kind": "Status",
- "apiVersion": "v1",
- "metadata": {
-
- },
- "status": "Failure",
- "message": "Unauthorized",
- "reason": "Unauthorized",
- "code": 401
- }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
解决方法:
新建/etc/kubernetes/basic_auth_file文件,并在其中添加:
admin,admin,1002- 1
文件内容格式:password,username,uid
然后在api-server配置文件(即上面的配置文件)中添加--basic-auth-file=/etc/kubernetes/basic_auth_file \
保存重启kube-apiserver:
- systemctl daemon-reload
- systemctl enable kube-apiserver
- systemctl start kube-apiserver
- systemctl status kube-apiserver
- 1
- 2
- 3
- 4
最后在kubernetes上执行下面这条命令:
kubectl create clusterrolebinding login-dashboard-admin --clusterrole=cluster-admin --user=admin- 1
将访问账号名admin与kubernetes-rbac.yaml文件中指定的cluster-admin关联,获得访问权限。
getsockopt: connection timed out’问题
如果安装的docker版本为1.13及以上,并且网络畅通,flannel、etcd都正常,但还是会出现getsockopt: connection timed out'的错误,则可能是iptables配置问题。具体问题:
Error: 'dial tcp 10.233.50.3:8443: getsockopt: connection timed out- 1
docker从1.13版本开始,可能将iptables FORWARD chain的默认策略设置为DROP,从而导致ping其他Node上的Pod IP失败,遇到这种问题时,需要手动设置策略为ACCEPT:
sudo iptables -P FORWARD ACCEPT- 1
使用iptables -nL命令查看,发现Forward的策略还是drop,可是我们明明执行了iptables -P FORWARD ACCEPT。原来,docker是在这句话执行之后启动的,需要每次在docker之后再执行这句话。。。这么做有点太麻烦了,所以我们修改下docker的启动脚本:
- vi /usr/lib/systemd/system/docker.service
-
-
- [Service]
- Type=notify
- # the default is not to use systemd for cgroups because the delegate issues still
- # exists and systemd currently does not support the cgroup feature set required
- # for containers run by docker
-
- ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS $DOCKER_DNS_OPTIONS
-
- # 添加这行操作,在每次重启docker之前都会设置iptables策略为ACCEPT
- ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
-
- ExecReload=/bin/kill -s HUP $MAINPID
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
在启动文件中的 [Service] 下添加一行配置,即上面代码中的配置即可。
然后重启docker,再次查看dashboard网页。
参考文章:
1. 解决Kubernetes 1.6.4 Dashboard无法访问的问题
2. Kubernetes集群Dashboard插件安装
3. 解决Centos7下Kubernetes(k8s)部署好之后无法访问dashboard
