From 08d2d539258219b1b7e96caa8b579cc98d161ba2 Mon Sep 17 00:00:00 2001
From: gjmzj
Date: Mon, 2 Apr 2018 13:52:05 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=94=B9calico=E6=97=A5=E5=BF=97warni?=
 =?UTF-8?q?ng=E7=BA=A7=E5=88=AB=EF=BC=8C=E5=A2=9E=E5=8A=A0ubuntu=E5=AE=89?=
 =?UTF-8?q?=E8=A3=85conntrack=EF=BC=8Cdashboard=E6=96=87=E6=A1=A3=E4=BF=AE?=
 =?UTF-8?q?=E8=AE=A2?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 docs/guide/dashboard.md | 4 ++--
 roles/calico/templates/calico.yaml.j2 | 6 +++---
 roles/prepare/tasks/main.yml | 1 +
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/docs/guide/dashboard.md b/docs/guide/dashboard.md
index 1938cd2..aea907e 100644
--- a/docs/guide/dashboard.md
+++ b/docs/guide/dashboard.md
@@ -129,14 +129,14 @@ subjects:
 kind: User
 name: readonly
 ```
-- 2.3 访问 `https://x.x.x.x:6443/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy` 使用 admin登陆拥有所有权限,比如删除某个部署;使用 readonly登陆只有查看权限,尝试删除某个部署会提示错误 `forbidden: User \"readonly\" cannot delete services/proxy in the namespace \"kube-system\"`
+- 2.3 访问 `https://x.x.x.x:8443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy` (该URL具体使用`kubectl cluster-info`查看) 使用 admin登陆拥有所有权限,比如删除某个部署;使用 readonly登陆只有查看权限,尝试删除某个部署会提示错误 `forbidden: User \"readonly\" cannot delete services/proxy in the namespace \"kube-system\"`
 - dashboard自带的登陆流程同上
 
 #### 3. 证书访问:最安全的方式,配置较复杂
 
 - 使用集群CA 生成客户端证书,可以根据需要生成权限不同的证书,这里为了演示直接使用 kubectl使用的证书和key(在03.kubectl.yml阶段生成),该证书拥有所有权限
 - 指定格式导出该证书,进入`/etc/kubernetes/ssl`目录,使用命令`openssl pkcs12 -export -in admin.pem -inkey admin-key.pem -out kube-admin.p12` 提示输入证书密码和确认密码,可以用密码再增加一层保护,也可以直接回车跳过,完成后目录下多了 `kube-admin.p12`文件,将它分发给授权的用户
-- 用户将 `kube-admin.p12` 双击导入证书即可,`IE` 和`Chrome` 中输入`https://x.x.x.x:8443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy` 即可访问。补充:最新firefox需要在浏览器中单独导入 [选项] - [隐私与安全] - [证书/查看证书] - [您的证书] 页面点击 [导入] 该证书
+- 用户将 `kube-admin.p12` 双击导入证书即可,`IE` 和`Chrome` 中输入`https://x.x.x.x:8443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy`(该URL具体使用`kubectl cluster-info`查看) 即可访问。补充:最新firefox需要在浏览器中单独导入 [选项] - [隐私与安全] - [证书/查看证书] - [您的证书] 页面点击 [导入] 该证书
 - dashboard自带的登陆流程同上
 
 ### 小结
diff --git a/roles/calico/templates/calico.yaml.j2 b/roles/calico/templates/calico.yaml.j2
index eb87de3..598c24c 100644
--- a/roles/calico/templates/calico.yaml.j2
+++ b/roles/calico/templates/calico.yaml.j2
@@ -30,7 +30,7 @@ data:
 "etcd_key_file": "/etc/calico/ssl/calico-key.pem",
 "etcd_cert_file": "/etc/calico/ssl/calico.pem",
 "etcd_ca_cert_file": "/etc/calico/ssl/ca.pem",
-"log_level": "info",
+"log_level": "warning",
 "mtu": 1500,
 "ipam": {
 "type": "calico-ipam"
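Review bot: Raising the CNI plugin `log_level` to `warning` here (and `FELIX_LOGSEVERITYSCREEN` in the next hunk of this file) drops the info-level records that are usually the only evidence left when a pod-networking or policy incident has to be reconstructed afterwards, and the value is hard-coded in the template, so an operator cannot turn it back up without editing the role. Since this is a Jinja template, consider exposing the level as a role variable that defaults to the new value, e.g. `"log_level": "{{ calico_log_level | default('warning') }}",` (variable name is illustrative), and reusing the same variable for the Felix screen severity so the two stay in step. Note that this line sits inside a block scalar holding JSON, so any explanatory `#` comment has to go on the YAML line above the block, not next to the key, or it becomes part of the JSON. The enclosing `data:` mapping continues outside the hunk.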
@@ -133,9 +133,9 @@ spec:
 # Disable IPv6 on Kubernetes.
 - name: FELIX_IPV6SUPPORT
 value: "false"
-# Set Felix logging to "info"
+# Set Felix logging to "warning"
 - name: FELIX_LOGSEVERITYSCREEN
-value: "info"
+value: "warning"
 # Set MTU for tunnel device used if ipip is enabled
 - name: FELIX_IPINIPMTU
 value: "1440"
diff --git a/roles/prepare/tasks/main.yml b/roles/prepare/tasks/main.yml
index 26cad3d..c5e5709 100644
--- a/roles/prepare/tasks/main.yml
+++ b/roles/prepare/tasks/main.yml
@@ -51,6 +51,7 @@
 with_items:
 - jq # 轻量JSON处理程序,安装docker查询镜像需要
 - nfs-common # 挂载nfs 共享文件需要 (创建基于 nfs的PV 需要)
+- conntrack # network connection cleanup 用到
 
 - block:
 - name: 删除centos默认安装
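Review bot: The comment on the new `conntrack` entry, `network connection cleanup 用到`, does not say which component needs the binary, so a later maintainer cannot tell whether the package can be dropped. kube-proxy execs the `conntrack` command to flush stale connection-tracking entries when service endpoints change (UDP entries in particular), and without it that cleanup is silently skipped, so name the consumer: `- conntrack # kube-proxy 清理过期 conntrack 条目(尤其 UDP)需要`. This list appears to be the Debian/Ubuntu package set (`nfs-common` is the Debian name); the CentOS branch that begins at `- block:` continues outside the hunk, and if it does not already install the equivalent `conntrack-tools` package the same gap exists there — worth confirming. The task that owns `with_items` starts before the hunk.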