1.部署dashboard
kubernetes-dashboard運行時需要有sa賬號提供權限
Dashboard官方地址:https://github.com/kubernetes/dashboard
# 在node1上下載鏡像 docker pull googlecontainer/kubernetes-dashboard-amd64:v1.10.1 docker tag googlecontainer/kubernetes-dashboard-amd64:v1.10.1 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1 # 在master上下載yaml文件 wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml 文件中需要做以下修改
a.創建一個sa並綁定到cluster-admin上
--- apiVersion: v1 kind: ServiceAccount metadata: name: admin-user namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: admin-user roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: admin-user namespace: kube-system ---
b.修改Service的type為NodePort
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
ports:
- port: 443
targetPort: 8443
nodePort: 31443
type: NodePort
selector:
k8s-app: kubernetes-dashboard
# 獲取不記名token
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
訪問https://10.0.0.20:31443,將這一段內容復制到令牌中,即可看到dashboard面板
該部分內容參考:https://github.com/kubernetes/dashboard/wiki/Creating-sample-user
拿這個sa的token登錄,pod就獲得了這個sa的權限,即整個集群的管理權限,用命令行再創建個sa,限定它只能訪問default名稱空間
kubectl create serviceaccount def-ns-admin -n default kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin # 拿這個token登錄到web頁面,進去后只能看default名稱空間 kubectl describe secret def-ns-admin-token-646gx
2.用kubeconfig的方法來驗證登錄
原理:將sa的token賦給一個用戶,然后封裝成kubeconfig文件,下面這些操作只是讓def-ns-admin用戶對kubernetes集群中的default名稱空間具有管理權限;更廣泛的用法是讓某用戶對不同集群都有管理權限.
cd /etc/kubernetes/pki
kubectl config set-cluster kubernetes --certificate-authority=./ca.crt \
--server="https://172.16.1.100:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf
kubectl config view --kubeconfig=/root/def-ns-admin.conf
kubectl get secret def-ns-admin-token-646gx -o json
DEF_NS_ADMIN_TOKEN=$(kubectl get secret def-ns-admin-token-646gx -o jsonpath={.data.token}|base64 -d)
kubectl config set-credentials def-ns-admin --token=$DEF_NS_ADMIN_TOKEN --kubeconfig=/root/def-ns-admin.conf
User "def-ns-admin" set
# 創建一個上下文
kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin \
--kubeconfig=/root/def-ns-admin.conf
Context "def-ns-admin@kubernetes" created.
# 切換用戶,此時可以用/root/def-ns-admin.conf文件進行登錄
# 認證賬號必須是ServiceAccount,被dashboard pod拿來進行認證集群認證
kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf
3.容器的資源需求、資源限制
request:需求,最低保障,在調度時,節點必須滿足request需求的資源大小才符合需求;
limits:限制、硬限制,限制容器無論怎么運行都不會超過limits的值.
CPU:一顆物理CPU杯虛擬成兩顆邏輯cpu,一個邏輯cpu還可以划分為1000個毫核(millcores),所以500m=0.5個CPU,相當於二分之一的核心.
kubectl explain pods.spec.containers.resources.requests
kubectl explain pods.spec.containers.resources.limits
# -m 1表示啟動一個子進程對內存做壓測,-c 1表示啟動一個子進程對cpu做壓測,
默認stress-ng的一個子進程使用256M內存
cat pod-demo.yaml
apiVersion: v1
kind: Pod
metadata:
name: pod-demo
labels:
app: myapp
tier: frontend
spec:
containers:
- name: myapp
image: ikubernetes/stress-ng:v1
command: ["/usr/bin/stress-ng", "-m 1", "-c 1", "--metrics-brief"]
resources:
requests:
cpu: "200m"
memory: "128Mi"
limits:
cpu: "1" # 沒有單位表示是1個cpu
memory: "200Mi"
# 容器分配了資源限制后,k8s會自動分配一個Qos(服務質量)
Qos可以分為三類:
Guranteed:表示每個容器的cpu和內存資源設置了相同的requests和limits值,即cpu.requests=cpu.limits和memory.requests=memory.limits,Guranteed會確保這類pod有最高的優先級,會被優先運行的,即使節點上的資源不夠用;
Burstable:表示pod中至少有一個容器設置了cpu或內存資源的requests屬性,可能沒有定義limits屬性,那么這類pod具有中等優先級;
BestEffort:指沒有任何一個容器設置了requests或者limits屬性,那么這類pod是最低優先級,當這類pod的資源不夠用時,BestEffort中的容器會被優先終止,以便騰出資源來,給另外兩類pod中的容器正常運行.
4.HeapSter
HeapSter的作用是收集個節點pod的資源使用情況,然后以圖形界面展示給用戶.kubelet中的cAdvisor負責收集每個節點上的資源使用情況,然后把信息存儲HeapSter中,HeapSter再把數據持久化的存儲在數據庫InfluxDB中,然后我們再通過Grafana來圖形化展示.
一般監控的指標包括k8s集群的系統指標、容器指標和應用指標. 默認InfluxDB使用的是存儲卷是emptyDir,容器一關數據就沒了,所以要換成glusterfs等存儲卷才行.
InfluxDB--https://github.com/kubernetes/heapster/blob/master/deploy/kube-config/influxdb/influxdb.yaml
mkdir metrics && cd metrics wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/influxdb.yaml # 訪問https://github.com/kubernetes/heapster/tree/master/deploy/kube-config/rbac wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/rbac/heapster-rbac.yaml # 訪問https://github.com/kubernetes/heapster/blob/master/deploy/kube-config/influxdb/heapster.yaml wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/heapster.yaml # 訪問https://github.com/kubernetes/heapster/blob/master/deploy/kube-config/influxdb/grafana.yaml # 為了能在集群外部訪問Grafana,所以在文件最后一行加個type: NodePort # 在v1.12之后的版本,已經完全拋棄了heapster,模板地址:https://grafana.com/dashboards/9733 wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/grafana.yaml
參考博客:http://blog.itpub.net/28916011/viewspace-2215214/
參考博客:http://blog.itpub.net/28916011/viewspace-2216324/