[TOC] ## 安裝metrics-server **下載yaml文件** ```shell mkdir ~/metrics-server && cd ~/metrics-server curl -o metrics-server.yaml https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.5.2/components.yaml cat <<'EOF' | tee metrics-server.yaml > /dev/null apiVersion: v1 kind: ServiceAccount metadata: labels: k8s-app: metrics-server name: metrics-server namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: k8s-app: metrics-server rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-view: "true" name: system:aggregated-metrics-reader rules: - apiGroups: - metrics.k8s.io resources: - pods - nodes verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: k8s-app: metrics-server name: system:metrics-server rules: - apiGroups: - "" resources: - pods - nodes - nodes/stats - namespaces - configmaps verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: k8s-app: metrics-server name: metrics-server-auth-reader namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: extension-apiserver-authentication-reader subjects: - kind: ServiceAccount name: metrics-server namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: k8s-app: metrics-server name: metrics-server:system:auth-delegator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:auth-delegator subjects: - kind: ServiceAccount name: metrics-server namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: k8s-app: metrics-server name: system:metrics-server roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:metrics-server subjects: - kind: ServiceAccount name: metrics-server namespace: kube-system --- apiVersion: v1 kind: Service metadata: labels: k8s-app: metrics-server name: metrics-server namespace: kube-system spec: ports: - name: https port: 443 protocol: TCP targetPort: https selector: k8s-app: metrics-server --- apiVersion: apps/v1 kind: Deployment metadata: labels: k8s-app: metrics-server name: metrics-server namespace: kube-system spec: selector: matchLabels: k8s-app: metrics-server strategy: rollingUpdate: maxUnavailable: 0 template: metadata: labels: k8s-app: metrics-server spec: containers: - args: - --cert-dir=/tmp - --secure-port=4443 - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - --kubelet-use-node-status-port - --metric-resolution=15s image: k8s.gcr.io/metrics-server/metrics-server:v0.5.2 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: /livez port: https scheme: HTTPS periodSeconds: 10 name: metrics-server ports: - containerPort: 4443 name: https protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: /readyz port: https scheme: HTTPS initialDelaySeconds: 20 periodSeconds: 10 resources: requests: cpu: 100m memory: 200Mi securityContext: readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 volumeMounts: - mountPath: /tmp name: tmp-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-cluster-critical serviceAccountName: metrics-server volumes: - emptyDir: {} name: tmp-dir --- apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: labels: k8s-app: metrics-server name: v1beta1.metrics.k8s.io spec: group: metrics.k8s.io groupPriorityMinimum: 100 insecureSkipTLSVerify: true service: name: metrics-server namespace: kube-system version: v1beta1 versionPriority: 100 EOF ``` **修改配置文件** 1.修改 metrics-server 容器中的 deployment.spec.template.spec.containers.args 的參數 ```shell - args: - --cert-dir=/tmp - --secure-port=4443 - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - --kubelet-use-node-status-port - --kubelet-insecure-tls # 添加的 2. 修改鏡像地址 sed -ri 's@(image:).*@\1 bitnami/metrics-server:0.5.2@g' metrics-server.yaml ``` 2.kube-apiserver?服務開啟?API?聚合功能 ```shell # /usr/lib/systemd/system/kube-apiserver.service 添加以下內容 ## 默認已開啟。如果未開啟，證書生成請參看《二進制安裝基礎組件》文章 --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt \ --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key \ --requestheader-allowed-names=front-proxy-client \ --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt \ --requestheader-extra-headers-prefix=X-Remote-Extra- \ --requestheader-group-headers=X-Remote-Group \ --requestheader-username-headers=X-Remote-User \ ``` 參數說明： > --requestheader-allowed-names：?允許訪問的客戶端?common?names?列表，通過?header?中?–requestheader-username-headers?參數指定的字段獲取。客戶端?common?names?的名稱需要在?client-ca-file?中進行設置，將其設置為空值時，表示任意客戶端都可訪問。 > --requestheader-username-headers：?參數指定的字段獲取。 > --requestheader-group-headers?請求頭中需要檢查的組名。 > --requestheader-extra-headers-prefix：?請求頭中需要檢查的前綴名。 > --requestheader-username-headers?請求頭中需要檢查的用戶名。 > --requestheader-client-ca-file：?客戶端CA證書。 > --proxy-client-cert-file：?在請求期間驗證Aggregator的客戶端CA證書。 > --proxy-client-key-file：?在請求期間驗證Aggregator的客戶端私鑰。 > --enable-aggregator-routing=true??如果?kube-apiserver?所在的主機上沒有運行?kube-proxy，即無法通過服務的?ClusterIP?進行訪問，那么還需要設置以下啟動參數 3.重啟kube-apiserver服務 ```shell systemctl daemon-reload && systemctl restart kube-apiserver ``` **部署metrics-server** ```shell cd ~/metrics-server kubectl apply -f metrics-server.yaml ``` >?如果出現拉取鏡像失敗的話,可以更換倉庫地址 >?修改?metrics-server.yaml,?將?`k8s.gcr.io/metrics-server/metrics-server:v0.5.2`?修改成?`bitnami/metrics-server:0.5.2` ## 部署dashboard **下載dashboard.yaml文件** ```shell $ mkdir ~/dashboard && cd ~/dashboard $ curl -o dashboard.yaml https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended.yaml ``` **修改dashboard.yml** ```yaml kind: Service apiVersion: v1 metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kubernetes-dashboard spec: ports: - port: 443 targetPort: 8443 nodePort: 30088 #添加 type: NodePort #添加 selector: k8s-app: kubernetes-dashboard ``` > 添加兩個參數?`nodePort`??、`type`?。請仔細看配置文件，有兩個?Service?配置文件。 **部署dashboard** ```shell $ kubectl apply -f dashboard.yaml ``` **創建?sa?并綁定cluster-admin** ```shell $ kubectl create serviceaccount dashboard-admin -n kube-system $ kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin ``` **驗證** ```shell $ kubectl get pod -n kubernetes-dashboard NAME READY STATUS RESTARTS AGE dashboard-metrics-scraper-78f5d9f487-8gn6n 1/1 Running 0 5m47s kubernetes-dashboard-7d8574ffd9-cgwvq 1/1 Running 0 5m47s ``` **獲取token** ```shell $ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep dashboard-admin | awk '{print $1}') Name: dashboard-admin-token-dw4zw Namespace: kube-system Labels: <none> Annotations: kubernetes.io/service-account.name: dashboard-admin kubernetes.io/service-account.uid: 50d8dc6a-d75c-41e3-b9a6-82006d0970f9 Type: kubernetes.io/service-account-token Data ==== ca.crt: 1314 bytes namespace: 11 bytes token: eyJhbGciOiJSUzI1NiIsImtpZCI6InlPZEgtUlJLQ3lReG4zMlEtSm53UFNsc09nMmQ0YWVOWFhPbEUwUF85aEUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tZHc0enciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNTBkOGRjNmEtZDc1Yy00MWUzLWI5YTYtODIwMDZkMDk3MGY5Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.sgEroj26ANWX1PzzEMZlCIa1ZxcPkYuP5xolT1L6DDdlaJFteaZZffOqv3hIGQBSUW02n6-nZz4VvRZAitrcA9BCW2VPlqHiQDE37UueU8UE1frQ4VtUkLXAKtMc7CUgHa1stod51LW2ndIKiwq-qWdNC1CQA0KsiBi0t2mGgjNQSII9-7FBTFruDwHUp6RRRqtl_NUl1WQanhHOPXia5wScfB37K8MVB0A4jxXIxNCwpd7zEVp-oQPw8XB500Ut94xwUJY6ppxJpnzXHTcoNt6ClapldTtzTY-HXzy0nXv8QVDozTXC7rTX7dChc1yDjMLWqf-KwT1ZYrKzk-2RHg ``` > 輸出的一大串字符串就是所需的?`token`