|NO.Z.00229|——————————|^^ 部署 ^^|——|KuberNetes&细粒度权限控制.V13|——|Ratel.v01|k8s资源管理平台部署|
一、k8s资源管理平台Ratel
### --- ratel官方hub地址:
~~~ https://github.com/dotbalo/ratel-doc

二、安装Ratel
### --- 创建secret
~~~ # 安装Ratel
[root@k8s-master01 ~]# mkdir ratel
[root@k8s-master01 ~]# cd ratel
### --- 创建servers.yaml文件
[root@k8s-master01 ratel]# vim servers.yaml
# servers.yaml — one list entry per cluster Ratel should manage.
# This file is packaged into the ratel-config Secret together with the kubeconfig it names.
- serverName: 'test1'
  serverAddress: 'https://192.168.1.20:8443'   # API server endpoint (see `kubectl cluster-info`)
  #serverAdminUser: 'xxx'
  #serverAdminPassword: 'xxx#'
  serverAdminToken: 'null'                      # no token is used here; access goes through kubeConfigPath
  serverDashboardUrl: "https://k8s.test1.com.cn/#"
  production: 'false'
  # Path inside the Ratel pod (the Secret is mounted at /mnt). Ratel authenticates with this
  # kubeconfig, so Ratel's reach on the cluster equals this file's reach — keep the Secret's
  # readers limited to what kube-system RBAC already allows.
  kubeConfigPath: "/mnt/test1.config"
~~~ 注:
- serverName: 'test1'
  serverAddress: 'https://192.168.1.20:8443' # no user/password and no token are configured, so only kubeConfigPath is needed
  #serverAdminUser: 'xxx'
  #serverAdminPassword: 'xxx#'
  serverAdminToken: 'null'
  serverDashboardUrl: "https://k8s.test1.com.cn/#" # the tool links to the native dashboard; this address can be filled in
  production: 'false'
  kubeConfigPath: "/mnt/test1.config" # access is done through this kubeconfig file, so only this entry needs to be set
~~~ # 查询serveraddress的地址
[root@k8s-master01 ~]# kubectl cluster-info
Kubernetes control plane is running at https://192.168.1.20:8443
CoreDNS is running at https://192.168.1.20:8443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
### --- kube/config文件copy到当前目录并定义为test1.config
~~~ 这个文件名字和kubeConfigPath:文件名保持一致
[root@k8s-master01 ratel]# cp /root/.kube/config test1.config
### --- 创建一个secret
~~~ 多个集群的话可以加入进去,这个可以动态加入的
~~~ 注:创建的这个secret会挂载到这个deployment的文件中,
~~~ 这个deployment就可以读取到这个secret,
~~~ 启动之后就可以把这个集群给挂载进去
[root@k8s-master01 ratel]# kubectl create secret generic ratel-config --from-file=test1.config --from-file=servers.yaml -n kube-system
secret/ratel-config created
三、创建RBAC
### --- 创建权限管理namespace
[root@k8s-master01 ratel]# kubectl create ns kube-users
namespace/kube-users created
### --- 然后添加如下的ClusterroleBinding
[root@k8s-master01 ratel]# vim ratel-rbac.yaml
# ratel-rbac.yaml — five ClusterRoles that Ratel hands out to users.
# None of them is used by the Ratel pod itself (it authenticates with the mounted kubeconfig);
# in this document only ratel-namespace-readonly gets a binding, the others are meant to be
# bound per user. A ClusterRoleBinding applies a role cluster-wide; a namespaced RoleBinding
# limits the same ClusterRole to one namespace — prefer RoleBindings for the delete/exec/edit roles.
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    labels:
      # NOTE(review): these two labels/annotation are copied from the built-in roles; presumably
      # informational on a custom-named role, except aggregate-to-edit, which folds these rules
      # into the built-in `edit` ClusterRole as well.
      kubernetes.io/bootstrapping: rbac-defaults
      rbac.authorization.k8s.io/aggregate-to-edit: "true"
    name: ratel-namespace-readonly
  rules:
  - apiGroups:
    - ""
    resources:
    - namespaces
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - metrics.k8s.io
    resources:
    - pods
    verbs:
    - get
    - list
    - watch
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: ratel-pod-delete
  rules:
  - apiGroups:
    - ""
    resources:
    - pods
    verbs:
    - get
    - list
    - delete   # destructive: bind per namespace, not cluster-wide
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: ratel-pod-exec
  rules:
  - apiGroups:
    - ""
    resources:
    - pods
    - pods/log
    verbs:
    - get
    - list
  - apiGroups:
    - ""
    resources:
    - pods/exec   # `create` on pods/exec is interactive shell access to every pod in the binding's scope
    verbs:
    - create
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    name: ratel-resource-edit
  rules:
  - apiGroups:
    - ""
    resources:
    - configmaps
    - persistentvolumeclaims
    - services
    - services/proxy   # allows reaching backends through the API server proxy; drop if not needed
    verbs:
    - patch
    - update
  - apiGroups:
    - apps
    resources:
    - daemonsets
    - deployments
    - deployments/rollback
    - deployments/scale
    - statefulsets
    - statefulsets/scale
    verbs:
    - patch
    - update
  - apiGroups:
    - autoscaling
    resources:
    - horizontalpodautoscalers
    verbs:
    - patch
    - update
  - apiGroups:
    - batch
    resources:
    - cronjobs
    - jobs
    verbs:
    - patch
    - update
  - apiGroups:
    - extensions   # legacy group kept for older clusters; the same kinds are listed under apps/networking.k8s.io above and below
    resources:
    - daemonsets
    - deployments
    - deployments/rollback
    - deployments/scale
    - ingresses
    - networkpolicies
    verbs:
    - patch
    - update
  - apiGroups:
    - networking.k8s.io
    resources:
    - ingresses
    - networkpolicies
    verbs:
    - patch
    - update
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: ratel-resource-readonly
  rules:
  - apiGroups:
    - ""
    resources:
    - configmaps   # note: read access to configmaps exposes any configuration stored in them
    - endpoints
    - persistentvolumeclaims
    - pods
    - replicationcontrollers
    - replicationcontrollers/scale
    - serviceaccounts
    - services
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - ""
    resources:
    - bindings
    - events
    - limitranges
    - namespaces/status
    - pods/log
    - pods/status
    - replicationcontrollers/status
    - resourcequotas
    - resourcequotas/status
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - ""
    resources:
    - namespaces
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - apps
    resources:
    - controllerrevisions
    - daemonsets
    - deployments
    - deployments/scale
    - replicasets
    - replicasets/scale
    - statefulsets
    - statefulsets/scale
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - autoscaling
    resources:
    - horizontalpodautoscalers
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - batch
    resources:
    - cronjobs
    - jobs
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - extensions
    resources:
    - daemonsets
    - deployments
    - deployments/scale
    - ingresses
    - networkpolicies
    - replicasets
    - replicasets/scale
    - replicationcontrollers/scale
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - policy
    resources:
    - poddisruptionbudgets
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - networking.k8s.io
    resources:
    - networkpolicies
    - ingresses
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - metrics.k8s.io
    resources:
    - pods
    verbs:
    - get
    - list
    - watch
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
### --- 创建ratel.rbac
[root@k8s-master01 ratel]# kubectl create -f ratel-rbac.yaml
clusterrole.rbac.authorization.k8s.io/ratel-namespace-readonly created
clusterrole.rbac.authorization.k8s.io/ratel-pod-delete created
clusterrole.rbac.authorization.k8s.io/ratel-pod-exec created
clusterrole.rbac.authorization.k8s.io/ratel-resource-edit created
clusterrole.rbac.authorization.k8s.io/ratel-resource-readonly created
### --- 创建ratel-rbac-binding
[root@k8s-master01 ratel]# vim ratel-rbac-binding.yaml
# ratel-rbac-binding.yaml — grants ratel-namespace-readonly (list/get/watch namespaces, read pod
# metrics) cluster-wide to EVERY ServiceAccount in the kube-users namespace, present or future.
# The group subject means creating a ServiceAccount in kube-users is enough to receive this role,
# so control who may create objects in that namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ratel-namespace-readonly-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-namespace-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:kube-users   # built-in group: all ServiceAccounts of namespace kube-users
[root@k8s-master01 ratel]# kubectl create -f ratel-rbac-binding.yaml
clusterrolebinding.rbac.authorization.k8s.io/ratel-namespace-readonly-sa created
四、部署Ratel
### --- 创建yaml文件
~~~ # 需要更改的内容如下:
~~~ ProRunMode: 区别在于dev模式打印的是debug日志, 其他模式是info级别的日志, 实际使用时应该配置为非dev
~~~ ADMIN_USERNAME: ratel自己的管理员账号
~~~ ADMIN_PASSWORD: ratel自己的管理员密码
~~~ 实际使用时账号密码应满足复杂性要求,因为ratel可以直接操作所有配置的资源。
~~~ 其他无需配置, 端口配置暂不支持。
[root@k8s-master01 ratel]# vim ratel.yaml
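# ratel.yaml — Ratel Deployment in kube-system.
# The admin credentials are read from a Secret instead of being written in clear text into the
# manifest (where they end up in git, in `kubectl get deploy -o yaml` output and in audit logs).
# Create that Secret before applying, with values that meet your complexity policy:
#   kubectl -n kube-system create secret generic ratel-admin \
#     --from-literal=ADMIN_USERNAME=<username> --from-literal=ADMIN_PASSWORD=<strong-password>
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ratel
  name: ratel
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ratel
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: ratel
    spec:
      containers:
      - command:
        - sh
        - -c
        - ./ratel -c /mnt/servers.yaml   # servers.yaml comes from the ratel-config Secret mounted at /mnt
        env:
        - name: TZ
          value: Asia/Shanghai
        - name: LANG
          value: C.UTF-8
        - name: ProRunMode
          value: prod   # dev prints debug-level logs; anything else prints info-level
        - name: ADMIN_USERNAME   # Ratel's own administrator account, from Secret ratel-admin
          valueFrom:
            secretKeyRef:
              name: ratel-admin
              key: ADMIN_USERNAME
        - name: ADMIN_PASSWORD   # Ratel's own administrator password, from Secret ratel-admin
          valueFrom:
            secretKeyRef:
              name: ratel-admin
              key: ADMIN_PASSWORD
        # NOTE(review): a floating `latest` tag with pullPolicy Always redeploys whatever the
        # registry currently serves; for a tool holding a cluster kubeconfig, pin a reviewed tag
        # or digest once you have one.
        image: registry.cn-beijing.aliyuncs.com/dotbalo/ratel:latest
        imagePullPolicy: Always   # Always, because the developer pushes every feature update to this tag
        livenessProbe:
          failureThreshold: 2
          initialDelaySeconds: 10
          periodSeconds: 60
          successThreshold: 1
          tcpSocket:
            port: 8888
          timeoutSeconds: 2
        name: ratel
        ports:
        - containerPort: 8888
          name: web
          protocol: TCP
        readinessProbe:
          failureThreshold: 2
          initialDelaySeconds: 10
          periodSeconds: 60
          successThreshold: 1
          tcpSocket:
            port: 8888
          timeoutSeconds: 2
        resources:
          limits:
            cpu: 500m
            memory: 512Mi
          requests:
            cpu: 500m
            memory: 512Mi
        volumeMounts:
        - mountPath: /mnt   # /mnt/servers.yaml and /mnt/test1.config are the Secret's two keys
          name: ratel-config
      dnsPolicy: ClusterFirst
      # imagePullSecrets: # no such Secret exists here, so the stanza is commented out
      # - name: myregistrykey
      restartPolicy: Always
      schedulerName: default-scheduler
      # NOTE(review): empty securityContext leaves the image's default user/capabilities in place;
      # runAsNonRoot/readOnlyRootFilesystem are worth trying once you know the image's runtime user.
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
      - name: ratel-config
        secret:
          # 420 = 0644: the kubeconfig is readable by every user in the container. 256 (0400)
          # is tighter if the ratel process runs as the file owner — TODO confirm the image's user.
          defaultMode: 420
          secretName: ratel-config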
### --- 创建Ratel
[root@k8s-master01 ratel]# kubectl create -f ratel.yaml -n kube-system
deployment.apps/ratel created
[root@k8s-master01 ratel]# kubectl get po -n kube-system
NAME READY STATUS RESTARTS AGE
ratel-85bd5d5697-2h65z 0/1 ContainerCreating 0 30s
~~~ # 拉取镜像阶段
[root@k8s-master01 ratel]# kubectl get po -n kube-system -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
ratel-85bd5d5697-2h65z 0/1 Running 0 77s 172.25.244.202 k8s-master01 <none> <none>
五、service和Ingress配置
~~~ # 注意:如果没有安装ingress controller,
~~~ 需要把type: ClusterIP改成type: NodePort,然后通过主机IP+Port进行访问
### --- 编写service和ingress的yaml文件
[root@k8s-master01 Ratel]# vim ratel-svc.yaml
# ratel-svc.yaml — ClusterIP Service plus an Ingress in front of the Ratel pod.
# Without an ingress controller, change type: ClusterIP to NodePort and use node IP + port instead.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: ratel
  name: ratel
  namespace: kube-system
spec:
  ports:
  - name: container-1-web-1
    port: 8888
    protocol: TCP
    targetPort: 8888
  selector:
    app: ratel
  type: ClusterIP
--- # both objects live in one file, separated by ---
# NOTE(review): extensions/v1beta1 Ingress is removed in Kubernetes 1.22+; on newer clusters use
# networking.k8s.io/v1 (backend.service.name / backend.service.port.number, plus pathType).
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ratel
  namespace: kube-system
spec:
  # No `tls:` stanza: the Ratel admin login and every request it proxies to the cluster travel over
  # plain HTTP (the controller exposes port 80). Add a `tls:` entry with a certificate Secret for
  # this host, or terminate TLS in front of the ingress, before exposing this beyond a lab.
  rules:
  - host: krm.test.com
    http:
      paths:
      - backend:
          serviceName: ratel
          servicePort: 8888
        path: /
### --- 创建service和ingress
[root@k8s-master01 ratel]# kubectl create -f ratel-svc.yaml -n kube-system
ingress.extensions/ratel created
### --- 查看创建的资源
[root@k8s-master01 ratel]# kubectl get svc,ingress,po -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/ratel ClusterIP 10.105.168.163 <none> 8888/TCP 4m50s
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress.networking.k8s.io/ratel <none> krm.test.com 10.107.59.89 80 4m49s
NAME READY STATUS RESTARTS AGE
pod/ratel-85bd5d5697-2h65z 1/1 Running 0 17m