mirror of https://github.com/easzlab/kubeasz.git
Change the calico log level to warning, add conntrack installation on ubuntu, revise the dashboard docs
parent
146419e02d
commit
08d2d53925
|
@ -129,14 +129,14 @@ subjects:
|
||||||
kind: User
|
kind: User
|
||||||
name: readonly
|
name: readonly
|
||||||
```
|
```
|
||||||
- 2.3 访问 `https://x.x.x.x:6443/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy` 使用 admin登陆拥有所有权限,比如删除某个部署;使用 readonly登陆只有查看权限,尝试删除某个部署会提示错误 `forbidden: User \"readonly\" cannot delete services/proxy in the namespace \"kube-system\"`
|
- 2.3 访问 `https://x.x.x.x:8443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy` (该URL具体使用`kubectl cluster-info`查看) 使用 admin登陆拥有所有权限,比如删除某个部署;使用 readonly登陆只有查看权限,尝试删除某个部署会提示错误 `forbidden: User \"readonly\" cannot delete services/proxy in the namespace \"kube-system\"`
|
||||||
|
|
||||||
- dashboard自带的登陆流程同上
|
- dashboard自带的登陆流程同上
|
||||||
|
|
||||||
#### 3. 证书访问:最安全的方式,配置较复杂
|
#### 3. 证书访问:最安全的方式,配置较复杂
|
||||||
- 使用集群CA 生成客户端证书,可以根据需要生成权限不同的证书,这里为了演示直接使用 kubectl使用的证书和key(在03.kubectl.yml阶段生成),该证书拥有所有权限
|
- 使用集群CA 生成客户端证书,可以根据需要生成权限不同的证书,这里为了演示直接使用 kubectl使用的证书和key(在03.kubectl.yml阶段生成),该证书拥有所有权限
|
||||||
- 指定格式导出该证书,进入`/etc/kubernetes/ssl`目录,使用命令`openssl pkcs12 -export -in admin.pem -inkey admin-key.pem -out kube-admin.p12` 提示输入证书密码和确认密码,可以用密码再增加一层保护,也可以直接回车跳过,完成后目录下多了 `kube-admin.p12`文件,将它分发给授权的用户
|
- 指定格式导出该证书,进入`/etc/kubernetes/ssl`目录,使用命令`openssl pkcs12 -export -in admin.pem -inkey admin-key.pem -out kube-admin.p12` 提示输入证书密码和确认密码,可以用密码再增加一层保护,也可以直接回车跳过,完成后目录下多了 `kube-admin.p12`文件,将它分发给授权的用户
|
||||||
- 用户将 `kube-admin.p12` 双击导入证书即可,`IE` 和`Chrome` 中输入`https://x.x.x.x:8443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy` 即可访问。补充:最新firefox需要在浏览器中单独导入 [选项] - [隐私与安全] - [证书/查看证书] - [您的证书] 页面点击 [导入] 该证书
|
- 用户将 `kube-admin.p12` 双击导入证书即可,`IE` 和`Chrome` 中输入`https://x.x.x.x:8443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy`(该URL具体使用`kubectl cluster-info`查看) 即可访问。补充:最新firefox需要在浏览器中单独导入 [选项] - [隐私与安全] - [证书/查看证书] - [您的证书] 页面点击 [导入] 该证书
|
||||||
- dashboard自带的登陆流程同上
|
- dashboard自带的登陆流程同上
|
||||||
|
|
||||||
### 小结
|
### 小结
|
||||||
|
|
|
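Review bot: in the certificate-access bullets kept as context in this hunk (the `openssl pkcs12 -export -in admin.pem -inkey admin-key.pem -out kube-admin.p12` step and the `kube-admin.p12` distribution step), the doc still tells readers they may press Enter to skip the export password, yet the same bullets state that this is the kubectl admin key pair and that the certificate `拥有所有权限`; since the section is being revised anyway, suggest recommending that the password be set, and that for distribution a client certificate with narrower permissions be generated from the cluster CA (the preceding bullet already says this is possible) rather than handing out the admin key pair. The two URL edits (`:8443/.../https:kubernetes-dashboard:/proxy` plus the `kubectl cluster-info` hint) are consistent with each other, and the quoted `forbidden: User \"readonly\" cannot delete services/proxy ...` message reads fine unchanged.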
@ -30,7 +30,7 @@ data:
|
||||||
"etcd_key_file": "/etc/calico/ssl/calico-key.pem",
|
"etcd_key_file": "/etc/calico/ssl/calico-key.pem",
|
||||||
"etcd_cert_file": "/etc/calico/ssl/calico.pem",
|
"etcd_cert_file": "/etc/calico/ssl/calico.pem",
|
||||||
"etcd_ca_cert_file": "/etc/calico/ssl/ca.pem",
|
"etcd_ca_cert_file": "/etc/calico/ssl/ca.pem",
|
||||||
"log_level": "info",
|
"log_level": "warning",
|
||||||
"mtu": 1500,
|
"mtu": 1500,
|
||||||
"ipam": {
|
"ipam": {
|
||||||
"type": "calico-ipam"
|
"type": "calico-ipam"
|
||||||
|
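Review bot: changing `"log_level": "info"` to `"warning"` in the CNI config silences the informational records that are usually the first thing consulted when a pod fails to get networking, and the commit message says only that the level was changed, not why; suggest a short note in the calico docs on how to set it back to `info` (or `debug`) for troubleshooting, and keep this value aligned with the Felix `FELIX_LOGSEVERITYSCREEN` change made in the same commit so the two components do not end up logging at different levels.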
@ -133,9 +133,9 @@ spec:
|
||||||
# Disable IPv6 on Kubernetes.
|
# Disable IPv6 on Kubernetes.
|
||||||
- name: FELIX_IPV6SUPPORT
|
- name: FELIX_IPV6SUPPORT
|
||||||
value: "false"
|
value: "false"
|
||||||
# Set Felix logging to "info"
|
# Set Felix logging to "warning"
|
||||||
- name: FELIX_LOGSEVERITYSCREEN
|
- name: FELIX_LOGSEVERITYSCREEN
|
||||||
value: "info"
|
value: "warning"
|
||||||
# Set MTU for tunnel device used if ipip is enabled
|
# Set MTU for tunnel device used if ipip is enabled
|
||||||
- name: FELIX_IPINIPMTU
|
- name: FELIX_IPINIPMTU
|
||||||
value: "1440"
|
value: "1440"
|
||||||
|
|
|
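Review bot: the `FELIX_LOGSEVERITYSCREEN` change from `"info"` to `"warning"` updates the comment and the value together, which is good; the caveat worth documenting is that at `warning` Felix no longer reports its routine policy and endpoint programming activity, so operators who rely on those lines to confirm that a NetworkPolicy was actually applied on a node need to know to raise the level back to `info` there. Consider making the level a role variable instead of a literal in the manifest so it can be changed without editing the DaemonSet template.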
@ -51,6 +51,7 @@
|
||||||
with_items:
|
with_items:
|
||||||
- jq # 轻量JSON处理程序,安装docker查询镜像需要
|
- jq # 轻量JSON处理程序,安装docker查询镜像需要
|
||||||
- nfs-common # 挂载nfs 共享文件需要 (创建基于 nfs的PV 需要)
|
- nfs-common # 挂载nfs 共享文件需要 (创建基于 nfs的PV 需要)
|
||||||
|
- conntrack # network connection cleanup 用到
|
||||||
|
|
||||||
- block:
|
- block:
|
||||||
- name: 删除centos默认安装
|
- name: 删除centos默认安装
|
||||||
|
|
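Review bot: the new `- conntrack` item carries a comment that mixes English and Chinese (`network connection cleanup 用到`) while the neighbouring `jq` and `nfs-common` comments are in Chinese and name the consumer; suggest saying what needs it, e.g. `- conntrack # kube-proxy 清理残留连接跟踪表项需要`. The header `@ -51,6 +51,7 @@` shows this is only the apt `with_items` list, and the `- block:` with `删除centos默认安装` that follows suggests a separate CentOS path, so check that the equivalent package (`conntrack-tools` on CentOS) is installed there as well, otherwise kube-proxy connection cleanup will behave differently between distros.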