Modify the permission settings in kubernetes-dashboard.yaml:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding  # changed from RoleBinding to ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole  # changed to ClusterRole
  # changed to cluster-admin, which allows every verb on every resource cluster-wide
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
```
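Run this command on the master node:

```bash
kubectl -n kube-system describe $(kubectl -n kube-system get secret -n kube-system -o name | grep namespace) | grep token
```

Access must use https://IP:port, and it is only supported in the Firefox browser.

There are two authentication methods: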

Installing the Heapster monitoring component

1. Download the official yaml files

```bash
# Create a directory to hold the yaml files needed to deploy Heapster
mkdir heapster
cd heapster
# Fetch the yaml files
wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/grafana.yaml
wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/heapster.yaml
wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/influxdb.yaml
wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/rbac/heapster-rbac.yaml
```

Note: the image addresses in the yaml files need to be changed.

2. Modify heapster.yaml
```yaml
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: heapster
  template:
    metadata:
      labels:
        task: monitoring
        k8s-app: heapster
    spec:
      serviceAccountName: heapster
      containers:
      - name: heapster
        # image: k8s.gcr.io/heapster-amd64:v1.5.4
        # Replace the default official Google image with the Aliyun mirror; otherwise, you know what happens.
        image: registry.cn-hangzhou.aliyuncs.com/google_containers/heapster-amd64:v1.5.4
        command:
        - /heapster
        # If the cluster was installed with kubeadm, the port here must be changed.
        - --source=kubernetes:https://kubernetes.default?useServiceAccount=true&kubeletHttps=true&kubeletPort=10250&insecure=true
```
####################
Heapster startup parameters:
inClusterConfig - Use kube config in service accounts associated with Heapster's namespace. (default: true)
kubeletPort - kubelet port to use (default: 10255)
kubeletHttps - whether to use https to connect to kubelets (default: false)
insecure - whether to trust Kubernetes certificates (default: false)
auth - client auth file to use. Set auth if the service accounts are not usable.
useServiceAccount - whether to use the service account token if one is mounted at /var/run/secrets/kubernetes.io/serviceaccount/token (default: false)
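3. Deploy the yaml files directly

```bash
kubectl create -f .
```

4. Heapster may fail to collect data; this is caused by insufficient permissions.

Modify the permissions of ClusterRole system:heapster:

1. View system:heapster in yaml format and save it as heapster-clusterrole.yaml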
```yaml
[root@node01 heapster-yaml]# kubectl get clusterrole system:heapster -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{"rbac.authorization.kubernetes.io/autoupdate":"true"},"labels":{"kubernetes.io/bootstrapping":"rbac-defaults"},"name":"system:heapster","namespace":""},"rules":[{"apiGroups":[""],"resources":["events","namespaces","nodes","pods","nodes/stats"],"verbs":["create","get","list","watch"]},{"apiGroups":["extensions"],"resources":["deployments"],"verbs":["get","list","watch"]}]}
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: 2018-08-26T02:26:14Z
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:heapster
  resourceVersion: "139000"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/system%3Aheapster
  uid: 67ef3689-a8d7-11e8-a891-000c29b52823
rules:
- apiGroups:
  - ""
  resources:
  - events
  - namespaces
  - nodes
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
```
2. Add the create permission for the resource nodes/stats, then run kubectl apply -f heapster-clusterrole.yaml
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:heapster
rules:
- apiGroups:
  - ""
  resources:
  - events
  - namespaces
  - nodes
  - pods
  - nodes/stats
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
```
3. Delete heapster and redeploy it

```bash
kubectl delete -f heapster.yaml
kubectl apply -f heapster.yaml
```
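
Why the step 2 edit fixes collection, and what else it grants, as an added example (not code from the original post): a simplified Python model of how RBAC matches a request against ClusterRole rules, run over constructed copies of the roles and bindings on this page. The heapster binding is assumed to be the one heapster-rbac.yaml creates, and wildcard forms other than `*` are not modelled.

```python
# Added example: simplified RBAC evaluation over constructed objects that mirror this page.

def rule_allows(rule, verb, group, resource):
    """Group, resource and verb must all match; '*' matches anything.
    A subresource such as nodes/stats is its own resource name, so a rule
    that lists only 'nodes' does not cover it."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["apiGroups"], group) and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))

def can_i(roles, bindings, sa, verb, resource, group=""):
    """True if a ClusterRoleBinding that names service account `sa`
    (namespace, name) references a ClusterRole with a matching rule."""
    for b in bindings:
        bound = any(s["kind"] == "ServiceAccount" and (s.get("namespace"), s["name"]) == sa
                    for s in b["subjects"])
        rules = roles.get(b["roleRef"]["name"], [])
        if bound and any(rule_allows(r, verb, group, resource) for r in rules):
            return True
    return False

READ = ["get", "list", "watch"]
CORE = ["events", "namespaces", "nodes", "pods"]
EXT = {"apiGroups": ["extensions"], "resources": ["deployments"], "verbs": READ}
ADMIN = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]  # cluster-admin's resource rule

# system:heapster as dumped in step 1 (before) and as applied in step 2 (after)
ROLES_BEFORE = {"cluster-admin": ADMIN,
                "system:heapster": [{"apiGroups": [""], "resources": CORE, "verbs": READ}, EXT]}
ROLES_AFTER = {"cluster-admin": ADMIN,
               "system:heapster": [{"apiGroups": [""], "resources": CORE + ["nodes/stats"],
                                    "verbs": ["create"] + READ}, EXT]}

def sa_binding(role, name):
    """Constructed ClusterRoleBinding of a kube-system service account to a ClusterRole."""
    return {"roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "ServiceAccount", "name": name, "namespace": "kube-system"}]}

# Assumption: the heapster binding is what heapster-rbac.yaml creates (not shown on the page).
BINDINGS = [sa_binding("cluster-admin", "kubernetes-dashboard"),
            sa_binding("system:heapster", "heapster")]
HEAPSTER = ("kube-system", "heapster")
DASHBOARD = ("kube-system", "kubernetes-dashboard")

if __name__ == "__main__":
    for label, roles in (("before", ROLES_BEFORE), ("after", ROLES_AFTER)):
        for res in ("nodes/stats", "pods"):
            print(label, "heapster create", res, "->", can_i(roles, BINDINGS, HEAPSTER, "create", res))
    print("dashboard delete secrets ->", can_i(ROLES_AFTER, BINDINGS, DASHBOARD, "delete", "secrets"))
```

Because `create` is added to the whole rule, the edited role also lets heapster create events, namespaces, nodes and pods; a separate rule listing only nodes/stats would limit the grant to what the collector needs. The dashboard service account, bound to cluster-admin, passes every check.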

Modify

The earlier part is omitted; change the last few lines to the following:

```yaml
  ports:
  - port: 80
    targetPort: 3000
    nodePort: 31112
  selector:
    k8s-app: grafana
  type: NodePort
```
#######################
2. Access Grafana

Address: http://<Your-IP>:31112/

Note: this is http, not https.