From fb584bcca2e2fe8ea6774250fa2ba7683b4517c6 Mon Sep 17 00:00:00 2001
From: gjmzj
Date: Sun, 3 Nov 2019 09:56:05 +0000
Subject: [PATCH] update dashboard v2.0.0-beta5
---
.../1.10.1/kubernetes-dashboard.yaml | 165 ++++++++++
manifests/dashboard/kubernetes-dashboard.yaml | 298 +++++++++++++-----
roles/cluster-addon/defaults/main.yml | 8 +-
roles/cluster-addon/tasks/main.yml | 17 +-
tools/easzup | 10 +-
5 files changed, 400 insertions(+), 98 deletions(-)
create mode 100644 manifests/dashboard/1.10.1/kubernetes-dashboard.yaml
diff --git a/manifests/dashboard/1.10.1/kubernetes-dashboard.yaml b/manifests/dashboard/1.10.1/kubernetes-dashboard.yaml
new file mode 100644
index 0000000..6bb3fa2
--- /dev/null
+++ b/manifests/dashboard/1.10.1/kubernetes-dashboard.yaml
@@ -0,0 +1,165 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# ------------------- Dashboard Secret ------------------- #
+
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard-certs
+ namespace: kube-system
+type: Opaque
+
+---
+# ------------------- Dashboard Service Account ------------------- #
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard
+ namespace: kube-system
+
+---
+# ------------------- Dashboard Role & Role Binding ------------------- #
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kubernetes-dashboard-minimal
+ namespace: kube-system
+rules:
+ # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create"]
+ # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create"]
+ # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
+- apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
+ verbs: ["get", "update", "delete"]
+ # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+ resources: ["configmaps"]
+ resourceNames: ["kubernetes-dashboard-settings"]
+ verbs: ["get", "update"]
+ # Allow Dashboard to get metrics from heapster.
+- apiGroups: [""]
+ resources: ["services"]
+ resourceNames: ["heapster"]
+ verbs: ["proxy"]
+- apiGroups: [""]
+ resources: ["services/proxy"]
+ resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
+ verbs: ["get"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: kubernetes-dashboard-minimal
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: kubernetes-dashboard-minimal
+subjects:
+- kind: ServiceAccount
+ name: kubernetes-dashboard
+ namespace: kube-system
+
+---
+# ------------------- Dashboard Deployment ------------------- #
+
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard
+ namespace: kube-system
+spec:
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ k8s-app: kubernetes-dashboard
+ template:
+ metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ spec:
+ containers:
+ - name: kubernetes-dashboard
+ image: mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1
+ ports:
+ - containerPort: 8443
+ protocol: TCP
+ args:
+ - --auto-generate-certificates
+ # Uncomment the following line to manually specify Kubernetes API server Host
+ # If not specified, Dashboard will attempt to auto discover the API server and connect
+ # to it. Uncomment only if the default does not work.
+ # - --apiserver-host=http://my-address:port + volumeMounts: + - name: kubernetes-dashboard-certs + mountPath: /certs + # Create on-disk volume to store exec logs + - mountPath: /tmp + name: tmp-volume + livenessProbe: + httpGet: + scheme: HTTPS + path: / + port: 8443 + initialDelaySeconds: 30 + timeoutSeconds: 30 + volumes: + - name: kubernetes-dashboard-certs + secret: + secretName: kubernetes-dashboard-certs + - name: tmp-volume + emptyDir: {} + serviceAccountName: kubernetes-dashboard + # Comment the following tolerations if Dashboard must not be deployed on master + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + +--- +# ------------------- Dashboard Service ------------------- # + +kind: Service +apiVersion: v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile + name: kubernetes-dashboard + namespace: kube-system +spec: + ports: + - port: 443 + targetPort: 8443 + selector: + k8s-app: kubernetes-dashboard + type: NodePort diff --git a/manifests/dashboard/kubernetes-dashboard.yaml b/manifests/dashboard/kubernetes-dashboard.yaml index 6bb3fa2..eb5bce0 100644 --- a/manifests/dashboard/kubernetes-dashboard.yaml +++ b/manifests/dashboard/kubernetes-dashboard.yaml @@ -12,7 +12,39 @@ # See the License for the specific language governing permissions and # limitations under the License. -# ------------------- Dashboard Secret ------------------- # +apiVersion: v1 +kind: Namespace +metadata: + name: kube-system + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kube-system + +--- + +kind: Service +apiVersion: v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kube-system +spec: + ports: + - port: 443 + targetPort: 8443 + selector: + k8s-app: kubernetes-dashboard + type: NodePort + +--- apiVersion: v1 kind: Secret 
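Review bot: The new `kubernetes-dashboard` Service added in the `@@ -12,7 +12,39 @@` hunk is `type: NodePort` with no `nodePort` pinned, which publishes the dashboard on an unpredictable high port on every node address, so its reachable surface is decided by whatever sits in front of the nodes rather than by the manifest. If node-level exposure is intended, pin `nodePort` so the port is documented and can be filtered; otherwise `type: ClusterIP` reached through `kubectl proxy` or an authenticating ingress is the narrower default, and a NetworkPolicy selecting `k8s-app: kubernetes-dashboard` would bound it either way. The `kind: Namespace` object for `kube-system` in the same hunk is redundant, since that namespace always exists, and it turns a `kubectl delete -f` of this directory into an attempted deletion of a system namespace; I would drop it. The Secret whose header closes the hunk continues past it.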
@@ -24,70 +56,117 @@ metadata: type: Opaque --- -# ------------------- Dashboard Service Account ------------------- # apiVersion: v1 -kind: ServiceAccount +kind: Secret +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-csrf + namespace: kube-system +type: Opaque +data: + csrf: "" + +--- + +apiVersion: v1 +kind: Secret +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-key-holder + namespace: kube-system +type: Opaque + +--- + +kind: ConfigMap +apiVersion: v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-settings + namespace: kube-system + +--- + +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kube-system +rules: + # Allow Dashboard to get, update and delete Dashboard exclusive secrets. + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"] + verbs: ["get", "update", "delete"] + # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["kubernetes-dashboard-settings"] + verbs: ["get", "update"] + # Allow Dashboard to get metrics. 
+ - apiGroups: [""] + resources: ["services"] + resourceNames: ["heapster", "dashboard-metrics-scraper"] + verbs: ["proxy"] + - apiGroups: [""] + resources: ["services/proxy"] + resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"] + verbs: ["get"] --- -# ------------------- Dashboard Role & Role Binding ------------------- # -kind: Role +kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: kubernetes-dashboard-minimal - namespace: kube-system + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard rules: - # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret. -- apiGroups: [""] - resources: ["secrets"] - verbs: ["create"] - # Allow Dashboard to create 'kubernetes-dashboard-settings' config map. -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["create"] - # Allow Dashboard to get, update and delete Dashboard exclusive secrets. -- apiGroups: [""] - resources: ["secrets"] - resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"] - verbs: ["get", "update", "delete"] - # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. -- apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["kubernetes-dashboard-settings"] - verbs: ["get", "update"] - # Allow Dashboard to get metrics from heapster. 
-- apiGroups: [""] - resources: ["services"] - resourceNames: ["heapster"] - verbs: ["proxy"] -- apiGroups: [""] - resources: ["services/proxy"] - resourceNames: ["heapster", "http:heapster:", "https:heapster:"] - verbs: ["get"] + # Allow Metrics Scraper to get metrics from the Metrics server + - apiGroups: ["metrics.k8s.io"] + resources: ["pods", "nodes"] + verbs: ["get", "list", "watch"] --- + apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: kubernetes-dashboard-minimal + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: kubernetes-dashboard-minimal -subjects: -- kind: ServiceAccount name: kubernetes-dashboard - namespace: kube-system +subjects: + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubernetes-dashboard +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubernetes-dashboard +subjects: + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: kube-system --- -# ------------------- Dashboard Deployment ------------------- # kind: Deployment apiVersion: apps/v1 
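Review bot: The ClusterRole `kubernetes-dashboard` added in this hunk (`metrics.k8s.io` `pods`/`nodes` with get/list/watch, cluster-wide) is commented as being for the Metrics Scraper, yet the ClusterRoleBinding below it grants the rule to the `kubernetes-dashboard` ServiceAccount, which is also the identity the web-facing dashboard container runs under, so the dashboard process holds a cluster-wide read grant it appears not to need itself. If the dashboard only reaches metrics through the scraper (the `services/proxy` entries for `dashboard-metrics-scraper` suggest so; please confirm), give the scraper its own ServiceAccount and bind the ClusterRole to that alone, changing the scraper Deployment's `serviceAccountName` in the later hunk to match. The namespaced Role also still lists `heapster`, `http:heapster:` and `https:heapster:` in the `services` and `services/proxy` `resourceNames` although this commit removes heapster; trimming those entries keeps the grant matched to what is deployed. The Deployment whose header closes this hunk continues in the next one.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kube-system

# … unchanged: ClusterRole kubernetes-dashboard and ClusterRoleBinding roleRef …

subjects:
  - kind: ServiceAccount
    name: dashboard-metrics-scraper
    namespace: kube-system
```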
@@ -108,58 +187,117 @@ spec: k8s-app: kubernetes-dashboard spec: containers: - - name: kubernetes-dashboard - image: mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1 - ports: - - containerPort: 8443 - protocol: TCP - args: - - --auto-generate-certificates - # Uncomment the following line to manually specify Kubernetes API server Host - # If not specified, Dashboard will attempt to auto discover the API server and connect - # to it. Uncomment only if the default does not work. - # - --apiserver-host=http://my-address:port - volumeMounts: - - name: kubernetes-dashboard-certs - mountPath: /certs - # Create on-disk volume to store exec logs - - mountPath: /tmp - name: tmp-volume - livenessProbe: - httpGet: - scheme: HTTPS - path: / - port: 8443 - initialDelaySeconds: 30 - timeoutSeconds: 30 + - name: kubernetes-dashboard + image: kubernetesui/dashboard:v2.0.0-beta5 + imagePullPolicy: Always + ports: + - containerPort: 8443 + protocol: TCP + args: + - --auto-generate-certificates + - --namespace=kube-system + # Uncomment the following line to manually specify Kubernetes API server Host + # If not specified, Dashboard will attempt to auto discover the API server and connect + # to it. Uncomment only if the default does not work. 
+ # - --apiserver-host=http://my-address:port + volumeMounts: + - name: kubernetes-dashboard-certs + mountPath: /certs + # Create on-disk volume to store exec logs + - mountPath: /tmp + name: tmp-volume + livenessProbe: + httpGet: + scheme: HTTPS + path: / + port: 8443 + initialDelaySeconds: 30 + timeoutSeconds: 30 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 1001 + runAsGroup: 2001 volumes: - - name: kubernetes-dashboard-certs - secret: - secretName: kubernetes-dashboard-certs - - name: tmp-volume - emptyDir: {} + - name: kubernetes-dashboard-certs + secret: + secretName: kubernetes-dashboard-certs + - name: tmp-volume + emptyDir: {} serviceAccountName: kubernetes-dashboard + nodeSelector: + "beta.kubernetes.io/os": linux # Comment the following tolerations if Dashboard must not be deployed on master tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule + - key: node-role.kubernetes.io/master + effect: NoSchedule --- -# ------------------- Dashboard Service ------------------- # kind: Service apiVersion: v1 metadata: labels: - k8s-app: kubernetes-dashboard - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile - name: kubernetes-dashboard + k8s-app: dashboard-metrics-scraper + name: dashboard-metrics-scraper namespace: kube-system spec: ports: - - port: 443 - targetPort: 8443 + - port: 8000 + targetPort: 8000 selector: - k8s-app: kubernetes-dashboard - type: NodePort + k8s-app: dashboard-metrics-scraper + +--- + +kind: Deployment +apiVersion: apps/v1 +metadata: + labels: + k8s-app: dashboard-metrics-scraper + name: dashboard-metrics-scraper + namespace: kube-system +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: dashboard-metrics-scraper + template: + metadata: + labels: + k8s-app: dashboard-metrics-scraper + annotations: + seccomp.security.alpha.kubernetes.io/pod: 'runtime/default' + spec: + containers: + - name: 
dashboard-metrics-scraper + image: kubernetesui/metrics-scraper:v1.0.1 + ports: + - containerPort: 8000 + protocol: TCP + livenessProbe: + httpGet: + scheme: HTTP + path: / + port: 8000 + initialDelaySeconds: 30 + timeoutSeconds: 30 + volumeMounts: + - mountPath: /tmp + name: tmp-volume + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 1001 + runAsGroup: 2001 + serviceAccountName: kubernetes-dashboard + nodeSelector: + "beta.kubernetes.io/os": linux + # Comment the following tolerations if Dashboard must not be deployed on master + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + volumes: + - name: tmp-volume + emptyDir: {} diff --git a/roles/cluster-addon/defaults/main.yml b/roles/cluster-addon/defaults/main.yml index d508a6b..7686bb8 100644 --- a/roles/cluster-addon/defaults/main.yml +++ b/roles/cluster-addon/defaults/main.yml @@ -19,12 +19,12 @@ metricsVer: "v0.3.6" metricsserver_offline: "metrics-server_{{ metricsVer }}.tar" # dashboard 自动安装 -# 现阶段 dashboard 获取metrics仍旧依赖于heapster,因此需连带安装heapster +# dashboard v2.0.0-beta5 不依赖于heapster dashboard_install: "yes" -dashboardVer: "v1.10.1" +dashboardVer: "v2.0.0-beta5" dashboard_offline: "dashboard_{{ dashboardVer }}.tar" -heapsterVer: "v1.5.4" -heapster_offline: "heapster_{{ heapsterVer }}.tar" +dashboardMetricsScraperVer: "v1.0.1" +metricsscraper_offline: "metrics-scraper_{{ dashboardMetricsScraperVer }}.tar" # ingress 自动安装,可选 "traefik" 和 "nginx-ingress" ingress_install: "yes" diff --git a/roles/cluster-addon/tasks/main.yml b/roles/cluster-addon/tasks/main.yml index a25e054..25d6710 100644 --- a/roles/cluster-addon/tasks/main.yml +++ b/roles/cluster-addon/tasks/main.yml 
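Review bot: `imagePullPolicy: Always` on the new `kubernetes-dashboard` container works against the offline path this same commit keeps in roles/cluster-addon/tasks/main.yml, where `{{ dashboard_offline }}` is copied to the node and loaded with `docker load` or `ctr images import`: with Always the kubelet contacts the registry on every pod start, so a node without registry access cannot start the pod even though the image was preloaded. The tag is fixed (`v2.0.0-beta5`), so the default policy already resolves to IfNotPresent; remove the line or write `imagePullPolicy: IfNotPresent`, which is also what the `dashboard-metrics-scraper` container later in this hunk gets implicitly. A smaller inconsistency is that the scraper pod template carries `seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'` while the dashboard pod template, whose start lies above this hunk, does not; adding the same annotation there keeps both pods under the runtime default profile.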
@@ -73,37 +73,36 @@ when: '"metrics-server" not in pod_info.stdout and metricsserver_install == "yes"' ignore_errors: true -# 现阶段 dashboard 获取metrics仍旧依赖于heapster,因此需连带安装heapster +# dashboard v2.0.0-beta5 不依赖于heapster - block: - block: - - name: 尝试推送离线 dashboard heapster镜像(若执行失败,可忽略) + - name: 尝试推送离线 dashboard 镜像(若执行失败,可忽略) copy: src={{ base_dir }}/down/{{ item }} dest=/opt/kube/images/{{ item }} when: 'item in download_info.stdout' with_items: - "{{ dashboard_offline }}" - - "{{ heapster_offline }}" + - "{{ metricsscraper_offline }}" - name: 获取dashboard离线镜像推送情况 command: "ls /opt/kube/images" register: image_info - - name: 导入 dashboard heapster的离线镜像(docker) + - name: 导入 dashboard 的离线镜像(docker) shell: "{{ bin_dir }}/docker load -i /opt/kube/images/{{ item }}" with_items: - "{{ dashboard_offline }}" - - "{{ heapster_offline }}" + - "{{ metricsscraper_offline }}" when: "item in image_info.stdout and CONTAINER_RUNTIME == 'docker'" - - name: 导入 dashboard heapster的离线镜像(containerd) + - name: 导入 dashboard 的离线镜像(containerd) shell: "{{ bin_dir }}/ctr -n=k8s.io images import /opt/kube/images/{{ item }}" with_items: - "{{ dashboard_offline }}" - - "{{ heapster_offline }}" + - "{{ metricsscraper_offline }}" when: "item in image_info.stdout and CONTAINER_RUNTIME == 'containerd'" - name: 创建 dashboard部署 - shell: "{{ base_dir }}/bin/kubectl apply -f {{ base_dir }}/manifests/dashboard && \ - {{ base_dir }}/bin/kubectl apply -f {{ base_dir }}/manifests/heapster/heapster-only" + shell: "{{ base_dir }}/bin/kubectl apply -f {{ base_dir }}/manifests/dashboard" run_once: true connection: local when: '"kubernetes-dashboard" not in pod_info.stdout and dashboard_install == "yes"' diff --git a/tools/easzup b/tools/easzup index 3651fa3..92e58d8 100755 --- a/tools/easzup +++ b/tools/easzup 
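Review bot: The two image-load tasks in this hunk use `shell:` for command lines that need no shell features (`docker load -i …` and `ctr -n=k8s.io images import …`), so each `{{ item }}` is expanded into a shell string unquoted; `command:` executes the binary directly and takes the shell out of the path, e.g. `command: "{{ bin_dir }}/docker load -i /opt/kube/images/{{ item }}"`. The items come from role defaults (`dashboard_offline`, `metricsscraper_offline`), so this is hardening and lint hygiene rather than an exposure today. The `copy:` task above them still uses the `src=… dest=…` inline form; block YAML arguments are the Ansible convention and lint cleaner. The outer block's trailing keys may continue past the end of this hunk.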
@@ -184,9 +184,9 @@ function get_offline_image() { # images needed by k8s cluster calicoVer=v3.4.4 corednsVer=1.6.2 - dashboardVer=v1.10.1 + dashboardVer=v2.0.0-beta5 + dashboardMetricsScraperVer=v1.0.1 flannelVer=v0.11.0-amd64 - heapsterVer=v1.5.4 metricsVer=v0.3.6 pauseVer=3.1 traefikVer=v1.7.12 @@ -214,9 +214,9 @@ function get_offline_image() { docker pull easzlab/flannel:${flannelVer} && \ docker save -o ${imageDir}/flannel_${flannelVer}.tar easzlab/flannel:${flannelVer} fi - if [[ ! -f "$imageDir/heapster_$heapsterVer.tar" ]];then - docker pull mirrorgooglecontainers/heapster-amd64:${heapsterVer} && \ - docker save -o ${imageDir}/heapster_${heapsterVer}.tar mirrorgooglecontainers/heapster-amd64:${heapsterVer} + if [[ ! -f "$imageDir/metrics-scraper_$dashboardMetricsScraperVer.tar" ]];then + docker pull kubernetesui/metrics-scraper:${dashboardMetricsScraperVer} && \ + docker save -o ${imageDir}/metrics-scraper_${dashboardMetricsScraperVer}.tar kubernetesui/metrics-scraper:${dashboardMetricsScraperVer} fi if [[ ! -f "$imageDir/metrics-server_$metricsVer.tar" ]];then docker pull mirrorgooglecontainers/metrics-server-amd64:${metricsVer} && \
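Review bot: The dashboard image pull in `get_offline_image` is not visible in either hunk, and it needs the same repository change as the manifest (`kubernetesui/dashboard`), because `dashboardVer=v2.0.0-beta5` from the first hunk would presumably not exist under the `mirrorgooglecontainers/kubernetes-dashboard-amd64` name the 1.10.1 manifest references; please confirm the dashboard pull/save lines were updated, since an unchanged pull would fail on the new tag and leave no offline archive. The saved archive name `metrics-scraper_${dashboardMetricsScraperVer}.tar` in the second hunk does match `metricsscraper_offline` in roles/cluster-addon/defaults/main.yml, so that side is consistent. `get_offline_image` starts before and continues after both hunks.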