k3s安装

https://docs.rancher.cn/docs/k3s/quick-start/_index/

安装docker

systemctl start docker 

 

curl -sfL http://rancher-mirror.cnrancher.com/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn sh -

 

#安装dashboard

k3s kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/${VERSION_KUBE_DASHBOARD}/aio/deploy/recommended.yaml

 

仪表盘 RBAC 配置

重要： 本指南中创建的 admin-user 将在仪表盘中拥有管理权限。

创建以下资源清单文件：

dashboard.admin-user.yml

?

1 2 3 4 5 6

[root@localhost ~]# cat dashboard.admin-user.yml apiVersion: v1 kind: ServiceAccount metadata:   name: admin-user   namespace: kubernetes-dashboard

　　

 

dashboard.admin-user-role.yml

?

1 2 3 4 5 6 7 8 9 10 11 12 13

[root@localhost ~]# cat dashboard.admin-user-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:   name: admin-user roleRef:   apiGroup: rbac.authorization.k8s.io   kind: ClusterRole   name: cluster-admin subjects:   - kind: ServiceAccount     name: admin-user     namespace: kubernetes-dashboard

　　

 

部署admin-user 配置：

sudo k3s kubectl create -f dashboard.admin-user.yml -f dashboard.admin-user-role.yml

获得 Bearer Token

sudo k3s kubectl -n kubernetes-dashboard describe secret admin-user-token | grep '^token'

 

token:      eyJhbGciOiJSUzI1NiIsImtpZCI6Ik9Hdk5SZlJZMWJzLWVZbm1TbExtMFB4ODd0REJ1b1A4WWFkSXFoMDZTUTAifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLXZic214Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI1ZDY4YmE0OS0yMTIyLTRjOTgtYmE2Ny0wNmI4MjBmZjZkNTQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.ZhISq0hYC8C8DbVfPYXRfMd5ihKWsbGenwY1Qg6zprHIqbbRbwrJWNEIpyDVYfoqv_u2Y7QFvHlJj7mZSWdPNC99omnlcYH0F7hT83-FwFhDGrH2-VMsHyD00lej6FbIxbCuUqwGJzzrP0IzSYwuXjRkhk-VA8S0aPz4xQx-k3W2DyRTMeW61KiWbqjBY19aPLaNjPaEK2oxhsTT4Qs8zpVHkHFHpoDZflqwumk0yE5sa0kF66xISjYjxwSENu27_oIa8xD23IDOaxdchwY4-NxC92faafotfqqSetzYO_SNH3BgEhOkegAdS3i8nyKKHPlunLiZ7oaxykjtIWMt-w

 

远程访问仪表盘方法一

 

1.安装mongodb

kubectl apply -f https://k8s.io/examples/application/mongodb/mongo-deployment.yaml

2.kubectl get pods

[root@localhost ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
mongo-75f59d57f4-mmp98 1/1 Running 1 (2m55s ago) 6m7s

 

3.kubectl get deployment

[root@localhost ~]# kubectl get deployment
NAME READY UP-TO-DATE AVAILABLE AGE
mongo 1/1 1 1 6m53s

4.kubectl get replicaset

[root@localhost ~]# kubectl get replicaset
NAME DESIRED CURRENT READY AGE
mongo-75f59d57f4 1

5.Create a Service to expose MongoDB on the network:

 

kubectl apply -f https://k8s.io/examples/application/mongodb/mongo-service.yaml

 

6.kubectl get service mongo

[root@localhost ~]# kubectl get service mongo
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
mongo ClusterIP 10.43.159.130 <none> 27017/TCP 27s

7.查看端口

[root@localhost ~]# kubectl get pod mongo-75f59d57f4-mmp98 --template='{{(index (index .spec.containers 0).ports 0).containerPort}}{{"\n"}}'
27017

8.转发端口

Forward a local port to a port on the Pod

1. kubectl port-forward allows using resource name, such as a pod name, to select a matching pod to port forward to.

   # Change mongo-75f59d57f4-4nd6q to the name of the Pod
   kubectl port-forward mongo-75f59d57f4-4nd6q 28015:27017
   

   which is the same as

   kubectl port-forward pods/mongo-75f59d57f4-4nd6q 28015:27017
   

   or

   kubectl port-forward deployment/mongo 28015:27017
   

   or

   kubectl port-forward replicaset/mongo-75f59d57f4 28015:27017
   

   or

   kubectl port-forward service/mongo 28015:27017
   

   Any of the above commands works. The output is similar to this:

   Forwarding from 127.0.0.1:28015 -> 27017
   Forwarding from [::1]:28015 -> 27017

https://kubernetes.io/docs/tasks/access-application-cluster/port-forward-access-application-cluster/

 kubectl port-forward mongo-75f59d57f4-mmp98 28015:27017

 

再开一个终端，执行

nc -w 3 -v  127.0.0.1 28015

 

E0205 13:27:31.100188 106746 portforward.go:400] an error occurred forwarding 28015 -> 27017: error forwarding port 27017 to pod 86430f8070580d1b3fa08fe11aad71766cdb9745c24bf428182860d29f3cc43d, uid : unable to do port forwarding: socat not found

 

安装socat

yum install socat

 

kubectl port-forward --address 0.0.0.0 mongo-75f59d57f4-mmp98 28015:27017

 

kubectl get pod kubernetes-dashboard-576cb95f94-xk8hl  --template='{{(index (index .spec.containers 0).ports 0).containerPort}}{{"\n"}}' -n kubernetes-dashboard

8443

kubectl port-forward --address 0.0.0.0 kubernetes-dashboard-576cb95f94-xk8hl -n kubernetes-dashboard  30010:8443

systemctl stop firewalld

 

 

远程访问仪表盘方法二

1.修改recommended.yaml，service类型改为NodePort

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306

[root@localhost ~]# cat recommended.yaml # Copyright 2017 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # #     http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License.   apiVersion: v1 kind: Namespace metadata:   name: kubernetes-dashboard   ---   apiVersion: v1 kind: ServiceAccount metadata:   labels:     k8s-app: kubernetes-dashboard   name: kubernetes-dashboard   namespace: kubernetes-dashboard   ---   kind: Service apiVersion: v1 metadata:   labels:     k8s-app: kubernetes-dashboard   name: kubernetes-dashboard   namespace: kubernetes-dashboard spec:   type: NodePort   ports:     - port: 443       targetPort: 8443       nodePort: 31001   selector:     k8s-app: kubernetes-dashboard   ---   apiVersion: v1 kind: Secret metadata:   labels:     k8s-app: kubernetes-dashboard   name: kubernetes-dashboard-certs   namespace: kubernetes-dashboard type: Opaque   ---   apiVersion: v1 kind: Secret metadata:   labels:     k8s-app: kubernetes-dashboard   name: kubernetes-dashboard-csrf   namespace: kubernetes-dashboard type: Opaque data:   csrf: ""   ---   apiVersion: v1 kind: Secret metadata:   labels:     k8s-app: kubernetes-dashboard   name: kubernetes-dashboard-key-holder   namespace: kubernetes-dashboard type: Opaque   ---   kind: ConfigMap apiVersion: v1 metadata:   labels:     k8s-app: kubernetes-dashboard   name: kubernetes-dashboard-settings   namespace: kubernetes-dashboard   ---   kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata:   labels:     k8s-app: kubernetes-dashboard   name: kubernetes-dashboard   namespace: kubernetes-dashboard rules:   # Allow Dashboard to get, update and delete Dashboard exclusive secrets.   - apiGroups: [""]     resources: ["secrets"]     resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]     verbs: ["get", "update", "delete"]     # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.   - apiGroups: [""]     resources: ["configmaps"]     resourceNames: ["kubernetes-dashboard-settings"]     verbs: ["get", "update"]     # Allow Dashboard to get metrics.   - apiGroups: [""]     resources: ["services"]     resourceNames: ["heapster", "dashboard-metrics-scraper"]     verbs: ["proxy"]   - apiGroups: [""]     resources: ["services/proxy"]     resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]     verbs: ["get"]   ---   kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata:   labels:     k8s-app: kubernetes-dashboard   name: kubernetes-dashboard rules:   # Allow Metrics Scraper to get metrics from the Metrics server   - apiGroups: ["metrics.k8s.io"]     resources: ["pods", "nodes"]     verbs: ["get", "list", "watch"]   ---   apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata:   labels:     k8s-app: kubernetes-dashboard   name: kubernetes-dashboard   namespace: kubernetes-dashboard roleRef:   apiGroup: rbac.authorization.k8s.io   kind: Role   name: kubernetes-dashboard subjects:   - kind: ServiceAccount     name: kubernetes-dashboard     namespace: kubernetes-dashboard   ---   apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:   name: kubernetes-dashboard roleRef:   apiGroup: rbac.authorization.k8s.io   kind: ClusterRole   name: kubernetes-dashboard subjects:   - kind: ServiceAccount     name: kubernetes-dashboard     namespace: kubernetes-dashboard   ---   kind: Deployment apiVersion: apps/v1 metadata:   labels:     k8s-app: kubernetes-dashboard   name: kubernetes-dashboard   namespace: kubernetes-dashboard spec:   replicas: 1   revisionHistoryLimit: 10   selector:     matchLabels:       k8s-app: kubernetes-dashboard   template:     metadata:       labels:         k8s-app: kubernetes-dashboard     spec:       containers:         - name: kubernetes-dashboard           image: kubernetesui/dashboard:v2.4.0           imagePullPolicy: Always           ports:             - containerPort: 8443               protocol: TCP           args:             - --auto-generate-certificates             - --namespace=kubernetes-dashboard             # Uncomment the following line to manually specify Kubernetes API server Host             # If not specified, Dashboard will attempt to auto discover the API server and connect             # to it. Uncomment only if the default does not work.             # - --apiserver-host=http://my-address:port           volumeMounts:             - name: kubernetes-dashboard-certs               mountPath: /certs               # Create on-disk volume to store exec logs             - mountPath: /tmp               name: tmp-volume           livenessProbe:             httpGet:               scheme: HTTPS               path: /               port: 8443             initialDelaySeconds: 30             timeoutSeconds: 30           securityContext:             allowPrivilegeEscalation: false             readOnlyRootFilesystem: true             runAsUser: 1001             runAsGroup: 2001       volumes:         - name: kubernetes-dashboard-certs           secret:             secretName: kubernetes-dashboard-certs         - name: tmp-volume           emptyDir: {}       serviceAccountName: kubernetes-dashboard       nodeSelector:         "kubernetes.io/os": linux       # Comment the following tolerations if Dashboard must not be deployed on master       tolerations:         - key: node-role.kubernetes.io/master           effect: NoSchedule   ---   kind: Service apiVersion: v1 metadata:   labels:     k8s-app: dashboard-metrics-scraper   name: dashboard-metrics-scraper   namespace: kubernetes-dashboard spec:   ports:     - port: 8000       targetPort: 8000   selector:     k8s-app: dashboard-metrics-scraper   ---   kind: Deployment apiVersion: apps/v1 metadata:   labels:     k8s-app: dashboard-metrics-scraper   name: dashboard-metrics-scraper   namespace: kubernetes-dashboard spec:   replicas: 1   revisionHistoryLimit: 10   selector:     matchLabels:       k8s-app: dashboard-metrics-scraper   template:     metadata:       labels:         k8s-app: dashboard-metrics-scraper     spec:       securityContext:         seccompProfile:           type: RuntimeDefault       containers:         - name: dashboard-metrics-scraper           image: kubernetesui/metrics-scraper:v1.0.7           ports:             - containerPort: 8000               protocol: TCP           livenessProbe:             httpGet:               scheme: HTTP               path: /               port: 8000             initialDelaySeconds: 30             timeoutSeconds: 30           volumeMounts:           - mountPath: /tmp             name: tmp-volume           securityContext:             allowPrivilegeEscalation: false             readOnlyRootFilesystem: true             runAsUser: 1001             runAsGroup: 2001       serviceAccountName: kubernetes-dashboard       nodeSelector:         "kubernetes.io/os": linux       # Comment the following tolerations if Dashboard must not be deployed on master       tolerations:         - key: node-role.kubernetes.io/master           effect: NoSchedule       volumes:         - name: tmp-volume           emptyDir: {}

　　

 

kubectl apply -f recommended.yaml

 

2.kubectl get service -n kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes-dashboard NodePort 10.43.195.198 <none> 443:31001/TCP 3h19m
dashboard-metrics-scraper ClusterIP 10.43.32.76 <none> 8000/TCP 3h19m

 

在浏览器访问 https://192.168.49.102:31001

 

 

token:

kubectl -n kubernetes-dashboard describe secret admin-user-token | grep '^token'