2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
K8S uses dashboard to manage clusters
At the company's internal K8s training session in March this year, developer colleagues said that the dashboard covers their daily development needs, such as viewing pod logs, running exec commands and checking pod status, but they were concerned about the access control offered by basic authentication.
I previously covered deploying the dashboard on version 1.5.2, and the RBAC configuration and usage tips for an offline deployment of version 1.9.1. Building on those articles, this one adds the Heapster integration and uses tokens to control user permissions.
The main characteristics of dashboard are as follows:
1. The operation and log information of k8s components such as rc, deployment, pod, services and so on can be seen directly.
2. After combining heapster and influxdb, the cpu and memory consumption of pod can be seen on the monitoring chart of dashboard.
Heapster introduction
1. Heapster is a container cluster monitoring and performance analysis tool that supports Kubernetes and CoreOS.
2. The HPA feature of a K8S cluster depends on these metric data: HPA uses Heapster as its Resource Metrics API and reads metrics from it.
3. Kubernetes ships with the cAdvisor monitor (since version 1.9, cAdvisor is integrated into the kubelet).
cAdvisor runs on every Kubernetes node and collects monitoring data (cpu, memory, filesystem, network, uptime) for both the node itself and its containers. Heapster is a collector: it gathers the cAdvisor data from every node, aggregates it by Kubernetes resource type such as Pod and Namespace, and exposes CPU, memory, network and disk metrics for each. The default aggregation interval is 1 minute. The data can also be exported to third-party tools such as InfluxDB.
Introduction to Influxdb database
1. For an introduction to the Influxdb database, please refer to the document: https://www.jianshu.com/p/d2935e99006e.
2. If there is no need to persist the metric data collected by Heapster, the Influxdb database need not be configured.
3. In this article the Influxdb database uses an emptyDir volume for storage. In real use you can deploy Influxdb outside the K8s cluster or choose another storage scheme.
4. If necessary, you can also integrate Grafana for web presentation. For more information on Grafana configuration, please see the document: https://blog.51cto.com/ylw6006/2084403
1. Obtain relevant images
An Internet proxy is required to pull the dashboard-related images; once pulled, they can be pushed to the local registry for unified management.
# cat /etc/systemd/system/docker.service.d/http-proxy.conf
[Service]
Environment="HTTP_PROXY=http://192.168.115.2:1080"
# systemctl daemon-reload
# systemctl restart docker
# docker pull k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3
# docker pull k8s.gcr.io/heapster-influxdb-amd64:v1.3.3
# docker pull k8s.gcr.io/heapster-amd64:v1.4.2
2. Prepare the configuration files
1. K8s-dashborad-sa.yaml file, Secret and ServiceAccount configuration
# cat k8s-dashborad-sa.yaml
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque
---
# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
2. K8s-dashborad-rbac.yaml file, configuring the Role and RoleBinding
# cat k8s-dashborad-rbac.yaml
# ------------------- Dashboard Role & Role Binding ------------------- #
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
3. K8s-dashborad-deployment.yaml configuration file, which defines the pod template and the number of replicas
# cat k8s-dashborad-deployment.yaml
# ------------------- Dashboard Deployment ------------------- #
kind: Deployment
apiVersion: apps/v1beta2
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
4. K8s-dashborad-service.yaml configuration file, which defines the Service
# cat k8s-dashborad-service.yaml
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
  - port: 443
    targetPort: 8443
    nodePort: 8490
  type: NodePort
  selector:
    k8s-app: kubernetes-dashboard
3. Create the dashboard from the configuration files
# kubectl create -f .
# kubectl get pod,deployment,svc -n kube-system
4. Configure basic authentication
Only kubeconfig and token authentication are supported by default.
# echo 'admin,admin,1' > /etc/kubernetes/basic_auth_file
# grep 'auth' /usr/lib/systemd/system/kube-apiserver.service
  --authorization-mode=Node,RBAC \
  --runtime-config=rbac.authorization.k8s.io/v1alpha1 \
  --enable-bootstrap-token-auth=true \
  --token-auth-file=/etc/kubernetes/token.csv \
  --basic-auth-file=/etc/kubernetes/basic_auth_file \
# grep 'basic' k8s-dashborad-deployment.yaml   (configured under args)
          - --authentication-mode=basic
# systemctl daemon-reload
# systemctl restart kube-apiserver
# kubectl apply -f k8s-dashborad-deployment.yaml
Bind the admin user to the cluster-admin ClusterRole (the first curl is refused before the binding exists, the second succeeds):
# curl --insecure https://vm1:6443 --basic -u admin:admin
# kubectl create clusterrolebinding \
    login-on-dashboard-with-cluster-admin \
    --clusterrole=cluster-admin --user=admin
# curl --insecure https://vm1:6443 --basic -u admin:admin
5. Access testing
6. Integrate heapster and influxdb
Without heapster and influxdb configured, no pod metric information is available, and the HPA feature of earlier K8S versions depends on a metric data source, which is exactly heapster backed by influxdb.
1. Prepare the yaml configuration file
# cat heapster-sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: heapster
  namespace: kube-system

# cat heapster-rbac.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: heapster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:heapster
subjects:
- kind: ServiceAccount
  name: heapster
  namespace: kube-system

# cat heapster-deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: heapster
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        task: monitoring
        k8s-app: heapster
    spec:
      serviceAccountName: heapster
      containers:
      - name: heapster
        image: k8s.gcr.io/heapster-amd64:v1.4.2
        imagePullPolicy: IfNotPresent
        command:
        - /heapster
        - --source=kubernetes:https://kubernetes.default
        - --sink=influxdb:http://monitoring-influxdb.kube-system.svc:8086

# cat heapster-service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    task: monitoring
    kubernetes.io/cluster-service: 'true'
    kubernetes.io/name: Heapster
  name: heapster
  namespace: kube-system
spec:
  ports:
  - port: 80
    targetPort: 8082
  selector:
    k8s-app: heapster

# cat influxdb-deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: monitoring-influxdb
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        task: monitoring
        k8s-app: influxdb
    spec:
      containers:
      - name: influxdb
        image: k8s.gcr.io/heapster-influxdb-amd64:v1.3.3
        volumeMounts:
        - mountPath: /data
          name: influxdb-storage
      volumes:
      - name: influxdb-storage
        emptyDir: {}

# cat influxdb-service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    task: monitoring
    kubernetes.io/cluster-service: 'true'
    kubernetes.io/name: monitoring-influxdb
  name: monitoring-influxdb
  namespace: kube-system
spec:
  ports:
  - port: 8086
    targetPort: 8086
  selector:
    k8s-app: influxdb
2. Query the metrics supported by heapster
# kubectl run -i --tty curl --namespace=kube-system \
    --image=registry.59iedu.com/webwurst/curl-utils /bin/sh
# curl http://heapster/api/v1/model/metrics
# curl http://heapster/api/v1/model/debug/allkeys
# kubectl get node
# kubectl top node
Once the heapster and influxdb pods are running normally, the CPU and memory monitoring data appear in the dashboard.
7. Configure user permissions
1. Delete the configuration related to basic authentication in apiserver and restart apiserver.
--basic-auth-file=/etc/kubernetes/basic_auth_file
# systemctl daemon-reload
# systemctl restart kube-apiserver
2. Delete clusterrolebinding
# kubectl delete clusterrolebinding login-on-dashboard-with-cluster-admin
3. Modify k8s-dashborad-deployment.yaml file
Remove the --authentication-mode=basic parameter.
4. Create ordinary users and grant get, watch and list permissions to all resources under namespace.
Here, get, watch and list permissions are granted on resources in all namespaces through a ClusterRole and ClusterRoleBinding. In a real application environment it is recommended to scope permissions to specific namespaces by creating a Role and RoleBinding instead, and to assign permissions per resource following the principle of least privilege.
# cat rbac-yang.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-yang
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["storage.k8s.io"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["extensions"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-bind-yang
subjects:
- kind: ServiceAccount
  name: yang
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: role-yang
  apiGroup: rbac.authorization.k8s.io
# kubectl create sa yang -n kube-system
# kubectl create -f rbac-yang.yaml
# kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep yang | awk '{print $1}')
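To see what the cluster-wide read-only role above actually permits before binding it, here is an added example (not code from the original post) that evaluates the rbac-yang.yaml rules with Kubernetes RBAC matching semantics: a request is allowed when at least one rule matches apiGroup, resource and verb, and "*" matches every resource including subresources such as pods/log. NARROWED_RULES is a constructed alternative, not on the page, that keeps the read-only intent but leaves secrets out.

```python
ROLE_YANG_RULES = [  # transcribed from the page's rbac-yang.yaml ClusterRole
    {"apiGroups": [""], "resources": ["*"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["storage.k8s.io"], "resources": ["*"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["*"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["batch"], "resources": ["*"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["apps"], "resources": ["*"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["extensions"], "resources": ["*"], "verbs": ["get", "watch", "list"]},
]

NARROWED_RULES = [  # constructed alternative: explicit resource list, no secrets
    {"apiGroups": [""], "resources": ["pods", "pods/log", "services", "configmaps", "events"],
     "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["apps", "extensions"], "resources": ["deployments", "replicasets", "daemonsets"],
     "verbs": ["get", "watch", "list"]},
]


def _matches(allowed_values, wanted):
    # RBAC wildcard semantics: "*" matches any group, resource or verb
    return "*" in allowed_values or wanted in allowed_values


def allowed(rules, api_group, resource, verb):
    """True if at least one rule grants `verb` on `resource` in `api_group`."""
    return any(_matches(r["apiGroups"], api_group)
               and _matches(r["resources"], resource)
               and _matches(r["verbs"], verb) for r in rules)


def audit(rules):
    """Checks a reviewer runs against a 'read-only' developer role."""
    return {
        # list on secrets reveals every ServiceAccount token in the cluster, admin's included
        "read_secrets": allowed(rules, "", "secrets", "list"),
        "read_pod_logs": allowed(rules, "", "pods/log", "get"),
        # dashboard exec needs create on pods/exec; get/watch/list do not grant it
        "exec_into_pods": allowed(rules, "", "pods/exec", "create"),
        "delete_pods": allowed(rules, "", "pods", "delete"),
        "create_bindings": allowed(rules, "rbac.authorization.k8s.io", "clusterrolebindings", "create"),
    }


if __name__ == "__main__":
    for name, rules in (("role-yang", ROLE_YANG_RULES), ("narrowed", NARROWED_RULES)):
        print(name, audit(rules))
```

The audit shows that role-yang cannot delete or exec into pods, but because `resources: ["*"]` in the core group includes secrets, the yang token can read every other ServiceAccount token, which is why the narrower, namespace-scoped role the text recommends matters.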
5. Test the permissions of ordinary users
6. Create the super user admin
# kubectl create sa admin -n kube-system
# cat rbac-admin.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
# kubectl create -f rbac-admin.yaml
# kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin | awk '{print $1}')
After logging in with the admin user's token, the session inherits the permissions of cluster-admin.
Reference:
https://github.com/kubernetes/dashboard/wiki/Creating-sample-user
https://github.com/kubernetes/dashboard/wiki/Access-control
https://github.com/kubernetes/heapster/blob/master/docs/model.md