标签:kind name system dashboardsh cattle rancher k8s metadata
人懒, 废话不多.
rancher官网针对性太强了. 基本上都是要求rke部署的k8s群集, 承认rancher dashboard还不错, 可以提高开发效率. 但是rke是屎, rke是屎, rke是屎, 重要的事情说三遍.
官网上用helm部署ha的方案测试验证了多次, 均告失败, 实在是不想用docker方案. 所以基于官网的docker方案改写了k8syaml, 用于快速部署rancher, 上文件:
vi ./rancher.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: proxy-clusterrole-kubeapiserver rules: - apiGroups: [""] resources: - nodes/metrics - nodes/proxy - nodes/stats - nodes/log - nodes/spec verbs: ["get", "list", "watch", "create"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: proxy-role-binding-kubernetes-master roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: proxy-clusterrole-kubeapiserver subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: kube-apiserver --- apiVersion: v1 kind: Namespace metadata: name: cattle-system --- apiVersion: v1 kind: ServiceAccount metadata: name: cattle namespace: cattle-system --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: cattle-admin-binding namespace: cattle-system labels: cattle.io/creator: "norman" subjects: - kind: ServiceAccount name: cattle namespace: cattle-system roleRef: kind: ClusterRole name: cattle-admin apiGroup: rbac.authorization.k8s.io --- apiVersion: v1 kind: Secret metadata: name: cattle-credentials-2d27727 namespace: cattle-system type: Opaque data: url: "aHR0cHM6Ly8xMC4xOC4zMi4yNTozMDQ0Mw==" token: "ZnZyc2JkN2JmdGJ4dmhncWNqbDRyamd4dGg0Z2tiZjljZHh4cXZ4aHB4ejVieGNkbnZoenBw" --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cattle-admin labels: cattle.io/creator: "norman" rules: - apiGroups: - '*' resources: - '*' verbs: - '*' - nonResourceURLs: - '*' verbs: - '*' --- kind: Deployment apiVersion: apps/v1 metadata: name: rancher namespace: cattle-system labels: app: rancher spec: replicas: 1 strategy: type: RollingUpdate rollingUpdate: maxSurge: 1 maxUnavailable: 1 selector: matchLabels: app: rancher template: metadata: labels: app: rancher spec: containers: - name: rancher image: rancher/rancher:stable imagePullPolicy: Always env: - name: AUDIT_LEVEL value: "3" - name: CATTLE_SYSTEM_CATALOG value: "bundled" ports: - containerPort: 80 name: http - containerPort: 443 name: https readinessProbe: tcpSocket: port: 80 initialDelaySeconds: 20 periodSeconds: 10 livenessProbe: tcpSocket: port: 80 initialDelaySeconds: 600 periodSeconds: 20 serviceAccountName: cattle --- apiVersion: v1 kind: Service metadata: name: rancher namespace: cattle-system spec: ports: - port: 80 name: http protocol: TCP nodePort: 30080 - port: 443 name: https protocol: TCP nodePort: 30443 sessionAffinity: ClientIP externalTrafficPolicy: Cluster sessionAffinityConfig: clientIP: timeoutSeconds: 10800 type: NodePort selector: app: rancher
简单描述过程:
创建cattle-system 命名空间
创建一个cattle-admin用户授权从请求kube-api服务器, 然后返回etcd里的key value(群集的相关信息, node节点啊, 节点状态啊什么的).
创建授权机制, rancher分配权限给普通用户.(type: Opaque)
部署rancher(20秒检查80端口就绪, 懒得写了, 443也就没写检查. 不过80端口都起不来, 443端口凭什么起得来?)使用的serviceaccount是cattle这个sa不理解的可以自己去试试kubectl get sa -n kube-system
创建rancher的服务30080/30443 nodeport, 这里设置了externalTrafficPolicy: Cluster, 保证所有节点(包括master 都会启动这两个端口, 这样不怕rancher pod迁移.)从任意一个节点的30080端口会自动跳转到rancher部署的node节点对应的30080端口. 再从30080端口url rewrite到30443端口.
6. kubectl apply -f rancher.yaml && kubectl get pod -n cattle-system -w 等待名为rancher的pod就绪.
7. 打开浏览器建议firefox, google的浏览器安全很麻烦. 自签名证书可能出现未知问题.
Enjoy!
标签:kind,name,system,dashboardsh,cattle,rancher,k8s,metadata 来源: https://blog.51cto.com/13801798/2484746
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。