-
云原生(三十一) | Kubernetes篇之Kubernetes平台基本预装资源
文章目录
Kubernetes平台基本预装资源
kubernetes平台安装完成后需要安装基本资源,
本文适配 kubernetes-v1.21.1 版本
一、metrics-server
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- labels:
- k8s-app: metrics-server
- name: metrics-server
- namespace: kube-system
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- labels:
- k8s-app: metrics-server
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- name: system:aggregated-metrics-reader
- rules:
- - apiGroups:
- - metrics.k8s.io
- resources:
- - pods
- - nodes
- verbs:
- - get
- - list
- - watch
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- labels:
- k8s-app: metrics-server
- name: system:metrics-server
- rules:
- - apiGroups:
- - ""
- resources:
- - pods
- - nodes
- - nodes/stats
- - namespaces
- - configmaps
- verbs:
- - get
- - list
- - watch
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding
- metadata:
- labels:
- k8s-app: metrics-server
- name: metrics-server-auth-reader
- namespace: kube-system
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: extension-apiserver-authentication-reader
- subjects:
- - kind: ServiceAccount
- name: metrics-server
- namespace: kube-system
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- labels:
- k8s-app: metrics-server
- name: metrics-server:system:auth-delegator
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:auth-delegator
- subjects:
- - kind: ServiceAccount
- name: metrics-server
- namespace: kube-system
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- labels:
- k8s-app: metrics-server
- name: system:metrics-server
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:metrics-server
- subjects:
- - kind: ServiceAccount
- name: metrics-server
- namespace: kube-system
- ---
- apiVersion: v1
- kind: Service
- metadata:
- labels:
- k8s-app: metrics-server
- name: metrics-server
- namespace: kube-system
- spec:
- ports:
- - name: https
- port: 443
- protocol: TCP
- targetPort: https
- selector:
- k8s-app: metrics-server
- ---
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- labels:
- k8s-app: metrics-server
- name: metrics-server
- namespace: kube-system
- spec:
- selector:
- matchLabels:
- k8s-app: metrics-server
- strategy:
- rollingUpdate:
- maxUnavailable: 0
- template:
- metadata:
- labels:
- k8s-app: metrics-server
- spec:
- containers:
- - args:
- - --v=6
- - --cert-dir=/tmp
- - --kubelet-insecure-tls
- - --secure-port=4443
- - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- - --kubelet-use-node-status-port
- image: registry.cn-hangzhou.aliyuncs.com/lanson_k8s_images/metrics-server:v0.4.3
- imagePullPolicy: IfNotPresent
- livenessProbe:
- failureThreshold: 3
- httpGet:
- path: /livez
- port: https
- scheme: HTTPS
- periodSeconds: 10
- name: metrics-server
- ports:
- - containerPort: 4443
- name: https
- protocol: TCP
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /readyz
- port: https
- scheme: HTTPS
- periodSeconds: 10
- securityContext:
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 1000
- volumeMounts:
- - mountPath: /tmp
- name: tmp-dir
- nodeSelector:
- kubernetes.io/os: linux
- priorityClassName: system-cluster-critical
- serviceAccountName: metrics-server
- volumes:
- - emptyDir: {}
- name: tmp-dir
- ---
- apiVersion: apiregistration.k8s.io/v1
- kind: APIService
- metadata:
- labels:
- k8s-app: metrics-server
- name: v1beta1.metrics.k8s.io
- spec:
- group: metrics.k8s.io
- groupPriorityMinimum: 100
- insecureSkipTLSVerify: true
- service:
- name: metrics-server
- namespace: kube-system
- version: v1beta1
- versionPriority: 100
二、ingress-nginx
kubernetes官方使用nginx做的组件
自建集群使用裸金属安装方式
使用
-
给集群中需要暴露的nginx机器节点打上标签
node-role=ingress如: -
kubectl label node k8s-master3 node-role=ingress kubectl label node k8s-node1 node-role=ingress kubectl label node k8s-node2 node-role=ingress kubectl label node k8s-node3 node-role=ingress
-
-
部署ingress的node节点会自动 开启 节点的
80和443端口,保证这个机器端口不会被占用 -
默认ingress-nginx在每个节点没有CPU、MEMORY最大配额限制;可以按照公司架构需求修改resoources.limits相关字段
- apiVersion: v1
- kind: Namespace
- metadata:
- name: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- ---
- # Source: ingress-nginx/templates/controller-serviceaccount.yaml
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- labels:
- helm.sh/chart: ingress-nginx-3.30.0
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/version: 0.46.0
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: ingress-nginx
- namespace: ingress-nginx
- automountServiceAccountToken: true
- ---
- # Source: ingress-nginx/templates/controller-configmap.yaml
- apiVersion: v1
- kind: ConfigMap
- metadata:
- labels:
- helm.sh/chart: ingress-nginx-3.30.0
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/version: 0.46.0
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: ingress-nginx-controller
- namespace: ingress-nginx
- data:
- ---
- # Source: ingress-nginx/templates/clusterrole.yaml
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- labels:
- helm.sh/chart: ingress-nginx-3.30.0
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/version: 0.46.0
- app.kubernetes.io/managed-by: Helm
- name: ingress-nginx
- rules:
- - apiGroups:
- - ''
- resources:
- - configmaps
- - endpoints
- - nodes
- - pods
- - secrets
- verbs:
- - list
- - watch
- - apiGroups:
- - ''
- resources:
- - nodes
- verbs:
- - get
- - apiGroups:
- - ''
- resources:
- - services
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - extensions
- - networking.k8s.io # k8s 1.14+
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ''
- resources:
- - events
- verbs:
- - create
- - patch
- - apiGroups:
- - extensions
- - networking.k8s.io # k8s 1.14+
- resources:
- - ingresses/status
- verbs:
- - update
- - apiGroups:
- - networking.k8s.io # k8s 1.14+
- resources:
- - ingressclasses
- verbs:
- - get
- - list
- - watch
- ---
- # Source: ingress-nginx/templates/clusterrolebinding.yaml
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- labels:
- helm.sh/chart: ingress-nginx-3.30.0
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/version: 0.46.0
- app.kubernetes.io/managed-by: Helm
- name: ingress-nginx
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: ingress-nginx
- subjects:
- - kind: ServiceAccount
- name: ingress-nginx
- namespace: ingress-nginx
- ---
- # Source: ingress-nginx/templates/controller-role.yaml
- apiVersion: rbac.authorization.k8s.io/v1
- kind: Role
- metadata:
- labels:
- helm.sh/chart: ingress-nginx-3.30.0
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/version: 0.46.0
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: ingress-nginx
- namespace: ingress-nginx
- rules:
- - apiGroups:
- - ''
- resources:
- - namespaces
- verbs:
- - get
- - apiGroups:
- - ''
- resources:
- - configmaps
- - pods
- - secrets
- - endpoints
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ''
- resources:
- - services
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - extensions
- - networking.k8s.io # k8s 1.14+
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - extensions
- - networking.k8s.io # k8s 1.14+
- resources:
- - ingresses/status
- verbs:
- - update
- - apiGroups:
- - networking.k8s.io # k8s 1.14+
- resources:
- - ingressclasses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ''
- resources:
- - configmaps
- resourceNames:
- - ingress-controller-leader-nginx
- verbs:
- - get
- - update
- - apiGroups:
- - ''
- resources:
- - configmaps
- verbs:
- - create
- - apiGroups:
- - ''
- resources:
- - events
- verbs:
- - create
- - patch
- ---
- # Source: ingress-nginx/templates/controller-rolebinding.yaml
- apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding
- metadata:
- labels:
- helm.sh/chart: ingress-nginx-3.30.0
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/version: 0.46.0
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: ingress-nginx
- namespace: ingress-nginx
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: ingress-nginx
- subjects:
- - kind: ServiceAccount
- name: ingress-nginx
- namespace: ingress-nginx
- ---
- # Source: ingress-nginx/templates/controller-service-webhook.yaml
- apiVersion: v1
- kind: Service
- metadata:
- labels:
- helm.sh/chart: ingress-nginx-3.30.0
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/version: 0.46.0
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: ingress-nginx-controller-admission
- namespace: ingress-nginx
- spec:
- type: ClusterIP
- ports:
- - name: https-webhook
- port: 443
- targetPort: webhook
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/component: controller
- ---
- # Source: ingress-nginx/templates/controller-service.yaml
- apiVersion: v1
- kind: Service
- metadata:
- annotations:
- labels:
- helm.sh/chart: ingress-nginx-3.30.0
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/version: 0.46.0
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: ingress-nginx-controller
- namespace: ingress-nginx
- spec:
- type: ClusterIP ## 改为clusterIP
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: http
- - name: https
- port: 443
- protocol: TCP
- targetPort: https
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/component: controller
- ---
- # Source: ingress-nginx/templates/controller-deployment.yaml
- apiVersion: apps/v1
- kind: DaemonSet
- metadata:
- labels:
- helm.sh/chart: ingress-nginx-3.30.0
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/version: 0.46.0
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: ingress-nginx-controller
- namespace: ingress-nginx
- spec:
- selector:
- matchLabels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/component: controller
- revisionHistoryLimit: 10
- minReadySeconds: 0
- template:
- metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/component: controller
- spec:
- dnsPolicy: ClusterFirstWithHostNet ## dns对应调整为主机网络
- hostNetwork: true ## 直接让nginx占用本机80端口和443端口,所以使用主机网络
- containers:
- - name: controller
- image: registry.cn-hangzhou.aliyuncs.com/lanson_k8s_images/ingress-nginx-controller:v0.46.0
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - /wait-shutdown
- args:
- - /nginx-ingress-controller
- - --election-id=ingress-controller-leader
- - --ingress-class=nginx
- - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- - --validating-webhook=:8443
- - --validating-webhook-certificate=/usr/local/certificates/cert
- - --validating-webhook-key=/usr/local/certificates/key
- securityContext:
- capabilities:
- drop:
- - ALL
- add:
- - NET_BIND_SERVICE
- runAsUser: 101
- allowPrivilegeEscalation: true
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: LD_PRELOAD
- value: /usr/local/lib/libmimalloc.so
- livenessProbe:
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 1
- successThreshold: 1
- failureThreshold: 5
- readinessProbe:
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 1
- successThreshold: 1
- failureThreshold: 3
- ports:
- - name: http
- containerPort: 80
- protocol: TCP
- - name: https
- containerPort: 443
- protocol: TCP
- - name: webhook
- containerPort: 8443
- protocol: TCP
- volumeMounts:
- - name: webhook-cert
- mountPath: /usr/local/certificates/
- readOnly: true
- resources:
- requests:
- cpu: 100m
- memory: 90Mi
- limits:
- cpu: 1000m
- memory: 800Mi
- nodeSelector:
- node-role: ingress
- serviceAccountName: ingress-nginx
- terminationGracePeriodSeconds: 300
- volumes:
- - name: webhook-cert
- secret:
- secretName: ingress-nginx-admission
- ---
- # Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
- # before changing this value, check the required kubernetes version
- # https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
- apiVersion: admissionregistration.k8s.io/v1
- kind: ValidatingWebhookConfiguration
- metadata:
- labels:
- helm.sh/chart: ingress-nginx-3.30.0
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/version: 0.46.0
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- name: ingress-nginx-admission
- webhooks:
- - name: validate.nginx.ingress.kubernetes.io
- matchPolicy: Equivalent
- rules:
- - apiGroups:
- - networking.k8s.io
- apiVersions:
- - v1beta1
- operations:
- - CREATE
- - UPDATE
- resources:
- - ingresses
- failurePolicy: Fail
- sideEffects: None
- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- namespace: ingress-nginx
- name: ingress-nginx-controller-admission
- path: /networking/v1beta1/ingresses
- ---
- # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- name: ingress-nginx-admission
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- helm.sh/chart: ingress-nginx-3.30.0
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/version: 0.46.0
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- namespace: ingress-nginx
- ---
- # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- name: ingress-nginx-admission
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- helm.sh/chart: ingress-nginx-3.30.0
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/version: 0.46.0
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- rules:
- - apiGroups:
- - admissionregistration.k8s.io
- resources:
- - validatingwebhookconfigurations
- verbs:
- - get
- - update
- ---
- # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- name: ingress-nginx-admission
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- helm.sh/chart: ingress-nginx-3.30.0
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/version: 0.46.0
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: ingress-nginx-admission
- subjects:
- - kind: ServiceAccount
- name: ingress-nginx-admission
- namespace: ingress-nginx
- ---
- # Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
- apiVersion: rbac.authorization.k8s.io/v1
- kind: Role
- metadata:
- name: ingress-nginx-admission
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- helm.sh/chart: ingress-nginx-3.30.0
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/version: 0.46.0
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- namespace: ingress-nginx
- rules:
- - apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - get
- - create
- ---
- # Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
- apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding
- metadata:
- name: ingress-nginx-admission
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- helm.sh/chart: ingress-nginx-3.30.0
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/version: 0.46.0
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- namespace: ingress-nginx
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: ingress-nginx-admission
- subjects:
- - kind: ServiceAccount
- name: ingress-nginx-admission
- namespace: ingress-nginx
- ---
- # Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
- apiVersion: batch/v1
- kind: Job
- metadata:
- name: ingress-nginx-admission-create
- annotations:
- helm.sh/hook: pre-install,pre-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- helm.sh/chart: ingress-nginx-3.30.0
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/version: 0.46.0
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- namespace: ingress-nginx
- spec:
- template:
- metadata:
- name: ingress-nginx-admission-create
- labels:
- helm.sh/chart: ingress-nginx-3.30.0
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/version: 0.46.0
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- spec:
- containers:
- - name: create
- image: docker.io/jettech/kube-webhook-certgen:v1.5.1
- imagePullPolicy: IfNotPresent
- args:
- - create
- - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- - --namespace=$(POD_NAMESPACE)
- - --secret-name=ingress-nginx-admission
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- restartPolicy: OnFailure
- serviceAccountName: ingress-nginx-admission
- securityContext:
- runAsNonRoot: true
- runAsUser: 2000
- ---
- # Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
- apiVersion: batch/v1
- kind: Job
- metadata:
- name: ingress-nginx-admission-patch
- annotations:
- helm.sh/hook: post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- helm.sh/chart: ingress-nginx-3.30.0
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/version: 0.46.0
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- namespace: ingress-nginx
- spec:
- template:
- metadata:
- name: ingress-nginx-admission-patch
- labels:
- helm.sh/chart: ingress-nginx-3.30.0
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/version: 0.46.0
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- spec:
- containers:
- - name: patch
- image: docker.io/jettech/kube-webhook-certgen:v1.5.1
- imagePullPolicy: IfNotPresent
- args:
- - patch
- - --webhook-name=ingress-nginx-admission
- - --namespace=$(POD_NAMESPACE)
- - --patch-mutating=false
- - --secret-name=ingress-nginx-admission
- - --patch-failure-policy=Fail
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- restartPolicy: OnFailure
- serviceAccountName: ingress-nginx-admission
- securityContext:
- runAsNonRoot: true
- runAsUser: 2000
三、dashboard
可以安装k8s的默认可视化平台
GitHub - kubernetes/dashboard: General-purpose web UI for Kubernetes clusters
注意:官方下载来的默认没有指定授权,使用下面创建过授权的配置
- # 获取dashboard访问令牌
- kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')
- apiVersion: v1
- kind: Namespace
- metadata:
- name: kubernetes-dashboard
- ---
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- labels:
- k8s-app: kubernetes-dashboard
- name: kubernetes-dashboard
- namespace: kubernetes-dashboard
- ---
- kind: Service
- apiVersion: v1
- metadata:
- labels:
- k8s-app: kubernetes-dashboard
- name: kubernetes-dashboard
- namespace: kubernetes-dashboard
- spec:
- ports:
- - port: 443
- targetPort: 8443
- selector:
- k8s-app: kubernetes-dashboard
- ---
- apiVersion: v1
- kind: Secret
- metadata:
- labels:
- k8s-app: kubernetes-dashboard
- name: kubernetes-dashboard-certs
- namespace: kubernetes-dashboard
- type: Opaque
- ---
- apiVersion: v1
- kind: Secret
- metadata:
- labels:
- k8s-app: kubernetes-dashboard
- name: kubernetes-dashboard-csrf
- namespace: kubernetes-dashboard
- type: Opaque
- data:
- csrf: ""
- ---
- apiVersion: v1
- kind: Secret
- metadata:
- labels:
- k8s-app: kubernetes-dashboard
- name: kubernetes-dashboard-key-holder
- namespace: kubernetes-dashboard
- type: Opaque
- ---
- kind: ConfigMap
- apiVersion: v1
- metadata:
- labels:
- k8s-app: kubernetes-dashboard
- name: kubernetes-dashboard-settings
- namespace: kubernetes-dashboard
- ---
- kind: Role
- apiVersion: rbac.authorization.k8s.io/v1
- metadata:
- labels:
- k8s-app: kubernetes-dashboard
- name: kubernetes-dashboard
- namespace: kubernetes-dashboard
- rules:
- # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- - apiGroups: [""]
- resources: ["secrets"]
- resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
- verbs: ["get", "update", "delete"]
- # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- - apiGroups: [""]
- resources: ["configmaps"]
- resourceNames: ["kubernetes-dashboard-settings"]
- verbs: ["get", "update"]
- # Allow Dashboard to get metrics.
- - apiGroups: [""]
- resources: ["services"]
- resourceNames: ["heapster", "dashboard-metrics-scraper"]
- verbs: ["proxy"]
- - apiGroups: [""]
- resources: ["services/proxy"]
- resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
- verbs: ["get"]
- ---
- kind: ClusterRole
- apiVersion: rbac.authorization.k8s.io/v1
- metadata:
- labels:
- k8s-app: kubernetes-dashboard
- name: kubernetes-dashboard
- rules:
- # Allow Metrics Scraper to get metrics from the Metrics server
- - apiGroups: ["metrics.k8s.io"]
- resources: ["pods", "nodes"]
- verbs: ["get", "list", "watch"]
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding
- metadata:
- labels:
- k8s-app: kubernetes-dashboard
- name: kubernetes-dashboard
- namespace: kubernetes-dashboard
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: kubernetes-dashboard
- subjects:
- - kind: ServiceAccount
- name: kubernetes-dashboard
- namespace: kubernetes-dashboard
- ---
- kind: Deployment
- apiVersion: apps/v1
- metadata:
- labels:
- k8s-app: kubernetes-dashboard
- name: kubernetes-dashboard
- namespace: kubernetes-dashboard
- spec:
- replicas: 1
- revisionHistoryLimit: 10
- selector:
- matchLabels:
- k8s-app: kubernetes-dashboard
- template:
- metadata:
- labels:
- k8s-app: kubernetes-dashboard
- spec:
- containers:
- - name: kubernetes-dashboard
- image: kubernetesui/dashboard:v2.2.0
- imagePullPolicy: Always
- ports:
- - containerPort: 8443
- protocol: TCP
- args:
- - --auto-generate-certificates
- - --namespace=kubernetes-dashboard
- # Uncomment the following line to manually specify Kubernetes API server Host
- # If not specified, Dashboard will attempt to auto discover the API server and connect
- # to it. Uncomment only if the default does not work.
- # - --apiserver-host=http://my-address:port
- volumeMounts:
- - name: kubernetes-dashboard-certs
- mountPath: /certs
- # Create on-disk volume to store exec logs
- - mountPath: /tmp
- name: tmp-volume
- livenessProbe:
- httpGet:
- scheme: HTTPS
- path: /
- port: 8443
- initialDelaySeconds: 30
- timeoutSeconds: 30
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsUser: 1001
- runAsGroup: 2001
- volumes:
- - name: kubernetes-dashboard-certs
- secret:
- secretName: kubernetes-dashboard-certs
- - name: tmp-volume
- emptyDir: {}
- serviceAccountName: kubernetes-dashboard
- nodeSelector:
- "kubernetes.io/os": linux
- # Comment the following tolerations if Dashboard must not be deployed on master
- tolerations:
- - key: node-role.kubernetes.io/master
- effect: NoSchedule
- ---
- kind: Service
- apiVersion: v1
- metadata:
- labels:
- k8s-app: dashboard-metrics-scraper
- name: dashboard-metrics-scraper
- namespace: kubernetes-dashboard
- spec:
- ports:
- - port: 8000
- targetPort: 8000
- selector:
- k8s-app: dashboard-metrics-scraper
- ---
- kind: Deployment
- apiVersion: apps/v1
- metadata:
- labels:
- k8s-app: dashboard-metrics-scraper
- name: dashboard-metrics-scraper
- namespace: kubernetes-dashboard
- spec:
- replicas: 1
- revisionHistoryLimit: 10
- selector:
- matchLabels:
- k8s-app: dashboard-metrics-scraper
- template:
- metadata:
- labels:
- k8s-app: dashboard-metrics-scraper
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
- spec:
- containers:
- - name: dashboard-metrics-scraper
- image: kubernetesui/metrics-scraper:v1.0.6
- ports:
- - containerPort: 8000
- protocol: TCP
- livenessProbe:
- httpGet:
- scheme: HTTP
- path: /
- port: 8000
- initialDelaySeconds: 30
- timeoutSeconds: 30
- volumeMounts:
- - mountPath: /tmp
- name: tmp-volume
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsUser: 1001
- runAsGroup: 2001
- serviceAccountName: kubernetes-dashboard
- nodeSelector:
- "kubernetes.io/os": linux
- # Comment the following tolerations if Dashboard must not be deployed on master
- tolerations:
- - key: node-role.kubernetes.io/master
- effect: NoSchedule
- volumes:
- - name: tmp-volume
- emptyDir: {}
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- name: kubernetes-dashboard
- namespace: kubernetes-dashboard
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
- subjects:
- - kind: ServiceAccount
- name: kubernetes-dashboard
- namespace: kubernetes-dashboard
四、helm应用商店
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash# helm国内源,但是版本很久没更新
http://mirror.azure.cn/kubernetes/charts/详细的安装介绍可以参数我上一篇文章
有兴趣的同学可以点下面链接:
云原生(三十) | Kubernetes篇之应用商店-Helm_Lansonli的博客-CSDN博客
- 📢博客主页:https://lansonli.blog.csdn.net
- 📢欢迎点赞 👍 收藏 ⭐留言 📝 如有错误敬请指正!
- 📢本文由 Lansonli 原创,首发于 CSDN博客🙉
- 📢停下休息的时候不要忘了别人还在奔跑,希望大家抓紧时间学习,全力奔赴更美好的生活✨
-
相关阅读:
JUC并发编程——读写锁(基于狂神说的学习笔记)
ubuntu中的系统消息中显卡显示llvmpipe (LLVM 10.0.0, 256 bits)
【MySQL】Spring Boot项目基于Sharding-JDBC和MySQL主从复制实现读写分离(8千字详细教程)
Flink写入kafka的自定义Key值
vue2.x 和 vue3.x的区别
测试方法学习
ARP欺骗
ClickHouse Senior Course Ⅴ
10 分钟讲完 QUIC 协议。
MyBatis: 向oracle表中插入null字段的处理
- 原文地址:https://blog.csdn.net/xiaoweite1/article/details/125514433
https://github.com/kubernetes-sigs/metrics-server