Contents
- Create the ratel configuration file
- Create RBAC
- Deploy ratel
- Create the Service
- Follow-up steps
- Create a Deployment with Ratel
- Volume configuration
- Container configuration
- Init Container configuration
- Service configuration
- Ingress configuration
- Create the resources
Create the ratel configuration file
servers.yaml is ratel's configuration file. Its format is:
- serverName: 'test1'
  serverAddress: 'https://1.1.1.1:8443'
  #serverAdminUser: 'test1'
  #serverAdminPassword: 'test1#'
  serverAdminToken: 'null'
  serverDashboardUrl: "https://k8s.test1.com.cn"
  production: 'false'
  kubeConfigPath: "/mnt/test1.config"
There are two ways to manage a cluster (Token is not supported yet): username/password and kubeconfig. Configure only one of them; kubeconfig takes priority.
Parameter description:
serverName: cluster alias
serverAddress: Kubernetes APIServer address
serverAdminUser: Kubernetes administrator account (basic auth must be configured on the cluster)
serverAdminPassword: Kubernetes administrator password
serverAdminToken: Kubernetes administrator Token // not supported yet
serverDashboardUrl: address of the official Kubernetes dashboard
kubeConfigPath: path to the Kubernetes kube.config (absolute path)
kubeConfigPath is mounted into the container's /mnt directory (or another directory) through a secret
# Check the cluster address
root@master1:~# kubectl cluster-info
Kubernetes control plane is running at https://172.16.186.119:6443
CoreDNS is running at https://172.16.186.119:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
# Create servers.yaml
root@master1:~# mkdir ratel && cd ratel
root@master1:~/ratel# cat servers.yaml
- serverName: 'opop-test1'
  serverAddress: 'https://172.16.186.119:6443'
  serverAdminToken: 'null'
  serverDashboardUrl: "172.16.186.119" # the cluster's VIP
  production: 'false'
  kubeConfigPath: "/mnt/kubeadm.config" # path inside the container: the Secret created below is mounted at /mnt, and its key is the file name passed to --from-file
# Create the Secret
# test1.config is the config file of cluster test1 and test2.config that of cluster test2; they must correspond one to one
root@master1:~/ratel# cp ~/.kube/config kubeadm.config
root@master1:~/ratel# kubectl create secret generic ratel-config --from-file=/root/ratel/kubeadm.config --from-file=/root/ratel/servers.yaml -n kube-system
Note: if there are several clusters, pass several --from-file=xxx.config options, as in the following example
kubectl create secret generic ratel-config --from-file=test1.config --from-file=test2.config --from-file=servers.yaml -n kube-system
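The one-to-one correspondence between servers.yaml and the files packed into the Secret is easy to get wrong: a kubeConfigPath that points at a host path, or at a file that was never passed to --from-file, is invisible inside the container. The following is an added example (not code from the post or from ratel) that parses the flat list-of-maps layout servers.yaml uses, checks every entry against the Secret's keys, and builds the matching kubectl create secret command. It assumes the Secret is mounted at /mnt, as in the Deployment later on this page, and the sample servers.yaml embedded in it is constructed.

```python
"""Added example: not part of the original post or of ratel. It parses the flat
list-of-maps layout servers.yaml uses and checks it against the files packed
into the ratel-config Secret, so every kubeConfigPath resolves inside the
container. Assumptions (mine): the Secret is mounted at /mnt, as in the
Deployment later on this page, and every value sits on one line (no nesting)."""
from __future__ import annotations

import os
import re
import shlex

MOUNT_DIR = "/mnt"  # assumed: where the ratel Deployment mounts the Secret

# Constructed sample: the cluster from this page plus a second cluster whose
# kubeConfigPath points outside /mnt and so cannot be found in the container.
SAMPLE_SERVERS_YAML = """\
- serverName: 'opop-test1'
  serverAddress: 'https://172.16.186.119:6443'
  serverAdminToken: 'null'
  serverDashboardUrl: "172.16.186.119" # the cluster's VIP
  production: 'false'
  kubeConfigPath: "/mnt/kubeadm.config"
- serverName: 'test2'
  serverAddress: 'https://10.0.0.2:6443'
  #serverAdminUser: 'test2'
  production: 'true'
  kubeConfigPath: "/root/test2.config"
"""

_ITEM = re.compile(r"^(-\s+)?([A-Za-z][A-Za-z0-9]*):\s*(.*)$")


def _unquote(raw: str) -> str:
    """Drop a trailing ' # comment' and the surrounding quotes, if any."""
    value = raw.split(" #", 1)[0].strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        value = value[1:-1]
    return value


def parse_servers(text: str) -> list[dict[str, str]]:
    """Parse the '- key: value' list of maps; commented-out keys are skipped."""
    servers: list[dict[str, str]] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _ITEM.match(stripped)
        if not m:
            raise ValueError(f"unsupported line: {line!r}")
        starts_item, key, raw = m.groups()
        if starts_item:
            servers.append({})
        if not servers:
            raise ValueError(f"key {key!r} appears before the first '- ' item")
        servers[-1][key] = _unquote(raw)
    return servers


def auth_method(server: dict[str, str]) -> str | None:
    """kubeconfig wins over basic auth, as the post states; Token is unsupported."""
    if server.get("kubeConfigPath"):
        return "kubeconfig"
    if server.get("serverAdminUser") and server.get("serverAdminPassword"):
        return "basic"
    return None


def check_servers(servers, secret_keys, mount_dir=MOUNT_DIR) -> list[str]:
    """Return the problems found; an empty list means the config matches the Secret."""
    problems = []
    names = [s.get("serverName", "") for s in servers]
    problems += [f"duplicate serverName {n!r}" for n in sorted(set(names)) if names.count(n) > 1]
    for s in servers:
        name = s.get("serverName", "<unnamed>")
        if not s.get("serverAddress", "").startswith("https://"):
            problems.append(f"{name}: serverAddress must be an https:// URL")
        if auth_method(s) is None:
            problems.append(f"{name}: neither kubeConfigPath nor basic-auth credentials are set")
        path = s.get("kubeConfigPath")
        if path and os.path.dirname(path) != mount_dir:
            problems.append(f"{name}: {path} is outside {mount_dir}, where the Secret is mounted")
        elif path and os.path.basename(path) not in secret_keys:
            problems.append(f"{name}: {os.path.basename(path)} is not a key of the Secret")
    return problems


def secret_command(servers, secret="ratel-config", namespace="kube-system") -> str:
    """kubectl command packing servers.yaml plus one kubeconfig per cluster into the Secret."""
    files = ["servers.yaml"] + [os.path.basename(s["kubeConfigPath"])
                                for s in servers if s.get("kubeConfigPath")]
    return shlex.join(["kubectl", "create", "secret", "generic", secret,
                       *[f"--from-file={f}" for f in files], "-n", namespace])


if __name__ == "__main__":
    servers = parse_servers(SAMPLE_SERVERS_YAML)
    print(secret_command(servers))
    for problem in check_servers(servers, {"servers.yaml", "kubeadm.config"}):
        print("problem:", problem)
```

To check a Secret that already exists, take its key names from kubectl get secret ratel-config -n kube-system -o jsonpath='{.data}' and pass them as secret_keys; a path that is not directly under the mount directory is reported before the key lookup, since that is the mistake the container cannot recover from.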
Create RBAC
# Create the namespace used for permission management
root@master1:~# kubectl create ns kube-users
# Create the ClusterRoles (the ClusterRoleBinding follows below)
root@master1:~# vim ratel-rbac.yaml
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
      rbac.authorization.k8s.io/aggregate-to-edit: "true"
    name: ratel-namespace-readonly
  rules:
  - apiGroups:
    - ""
    resources:
    - namespaces
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - metrics.k8s.io
    resources:
    - pods
    verbs:
    - get
    - list
    - watch
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: ratel-pod-delete
  rules:
  - apiGroups:
    - ""
    resources:
    - pods
    verbs:
    - get
    - list
    - delete
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: ratel-pod-exec
  rules:
  - apiGroups:
    - ""
    resources:
    - pods
    - pods/log
    verbs:
    - get
    - list
  - apiGroups:
    - ""
    resources:
    - pods/exec
    verbs:
    - create
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    name: ratel-resource-edit
  rules:
  - apiGroups:
    - ""
    resources:
    - configmaps
    - persistentvolumeclaims
    - services
    - services/proxy
    verbs:
    - patch
    - update
  - apiGroups:
    - apps
    resources:
    - daemonsets
    - deployments
    - deployments/rollback
    - deployments/scale
    - statefulsets
    - statefulsets/scale
    verbs:
    - patch
    - update
  - apiGroups:
    - autoscaling
    resources:
    - horizontalpodautoscalers
    verbs:
    - patch
    - update
  - apiGroups:
    - batch
    resources:
    - cronjobs
    - jobs
    verbs:
    - patch
    - update
  - apiGroups:
    - extensions
    resources:
    - daemonsets
    - deployments
    - deployments/rollback
    - deployments/scale
    - ingresses
    - networkpolicies
    verbs:
    - patch
    - update
  - apiGroups:
    - networking.k8s.io
    resources:
    - ingresses
    - networkpolicies
    verbs:
    - patch
    - update
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: ratel-resource-readonly
  rules:
  - apiGroups:
    - ""
    resources:
    - configmaps
    - endpoints
    - persistentvolumeclaims
    - pods
    - replicationcontrollers
    - replicationcontrollers/scale
    - serviceaccounts
    - services
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - ""
    resources:
    - bindings
    - events
    - limitranges
    - namespaces/status
    - pods/log
    - pods/status
    - replicationcontrollers/status
    - resourcequotas
    - resourcequotas/status
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - ""
    resources:
    - namespaces
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - apps
    resources:
    - controllerrevisions
    - daemonsets
    - deployments
    - deployments/scale
    - replicasets
    - replicasets/scale
    - statefulsets
    - statefulsets/scale
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - autoscaling
    resources:
    - horizontalpodautoscalers
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - batch
    resources:
    - cronjobs
    - jobs
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - extensions
    resources:
    - daemonsets
    - deployments
    - deployments/scale
    - ingresses
    - networkpolicies
    - replicasets
    - replicasets/scale
    - replicationcontrollers/scale
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - policy
    resources:
    - poddisruptionbudgets
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - networking.k8s.io
    resources:
    - networkpolicies
    - ingresses
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - metrics.k8s.io
    resources:
    - pods
    verbs:
    - get
    - list
    - watch
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
root@master1:~/ratel# kubectl create -f ratel-rbac.yaml
root@master1:~/ratel# vim ratel-rbac-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ratel-namespace-readonly-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-namespace-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:kube-users
root@master1:~/ratel# kubectl create -f ratel-rbac-binding.yaml
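The binding above grants ratel-namespace-readonly to the group system:serviceaccounts:kube-users, i.e. to every ServiceAccount in that namespace, while ratel-pod-exec and ratel-pod-delete stay unbound until someone binds them. The following is an added example (my code, not the post's or ratel's) that takes the JSON kubectl prints for clusterroles and clusterrolebindings, computes which rules one principal effectively holds through direct and group membership, and reports every grant that goes beyond get/list/watch. The embedded JSON is a constructed sample: it mirrors three of the roles and the binding above, plus a hypothetical second binding named dev-pod-exec to show how a non-read-only grant is reported.

```python
"""Added example, not part of the original post or of ratel: given the output of
`kubectl get clusterroles,clusterrolebindings -o json`, compute which ClusterRole
rules a principal effectively holds and flag those beyond read-only verbs.
The sample below is constructed: three roles and the binding from this page,
plus a hypothetical binding `dev-pod-exec` that grants ratel-pod-exec to one SA."""
import json

SAMPLE_KUBECTL_JSON = r'''
{"apiVersion": "v1", "kind": "List", "items": [
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
  "metadata": {"name": "ratel-namespace-readonly"},
  "rules": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch"]},
            {"apiGroups": ["metrics.k8s.io"], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
  "metadata": {"name": "ratel-pod-delete"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "delete"]}]},
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
  "metadata": {"name": "ratel-pod-exec"},
  "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
            {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
  "metadata": {"name": "ratel-namespace-readonly-sa"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "ratel-namespace-readonly"},
  "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:serviceaccounts:kube-users"}]},
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
  "metadata": {"name": "dev-pod-exec"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "ratel-pod-exec"},
  "subjects": [{"kind": "ServiceAccount", "name": "dev-user", "namespace": "kube-users"}]}
]}
'''

READ_ONLY_VERBS = {"get", "list", "watch"}


def identities(kind, name, namespace=None):
    """All RBAC identities a principal carries. A ServiceAccount is also a member
    of its per-namespace group and of the global service-account group."""
    ids = {f"{kind}:{name}"}
    if kind == "ServiceAccount":
        ids = {f"ServiceAccount:{namespace}:{name}",
               f"Group:system:serviceaccounts:{namespace}",
               "Group:system:serviceaccounts"}
    ids.add("Group:system:authenticated")
    return ids


def subject_id(subject):
    """Render a binding subject in the same form identities() uses."""
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount:{subject.get('namespace', '')}:{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"


def effective_rules(items, kind, name, namespace=None):
    """Join ClusterRoleBindings to ClusterRoles for one principal.
    Returns (binding name, role name, rule) triples."""
    roles = {i["metadata"]["name"]: i for i in items if i["kind"] == "ClusterRole"}
    ids = identities(kind, name, namespace)
    out = []
    for b in items:
        if b["kind"] != "ClusterRoleBinding":
            continue
        if not any(subject_id(s) in ids for s in b.get("subjects", [])):
            continue
        role = roles.get(b["roleRef"]["name"])
        if role is None:
            continue  # dangling roleRef grants nothing
        for rule in role.get("rules", []):
            out.append((b["metadata"]["name"], role["metadata"]["name"], rule))
    return out


def non_readonly_grants(items, kind, name, namespace=None):
    """Rules whose verbs exceed get/list/watch, as 'binding -> role: verbs group/resource'."""
    findings = []
    for binding, role, rule in effective_rules(items, kind, name, namespace):
        extra = sorted(set(rule["verbs"]) - READ_ONLY_VERBS)
        if not extra:
            continue
        for group in rule["apiGroups"]:
            for resource in rule["resources"]:
                findings.append(f"{binding} -> {role}: {','.join(extra)} {group or 'core'}/{resource}")
    return findings


if __name__ == "__main__":
    items = json.loads(SAMPLE_KUBECTL_JSON)["items"]
    for finding in non_readonly_grants(items, "ServiceAccount", "dev-user", "kube-users"):
        print(finding)
```

Run it against live data with kubectl get clusterroles,clusterrolebindings -o json and the principal you care about; any ServiceAccount in kube-users inherits the read-only role through the group, and only principals with an extra binding show up with create on pods/exec or delete on pods. Namespaced RoleBindings are not covered by this join and would need the same treatment per namespace.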
Deploy ratel
root@master1:~/ratel# vim ratel.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ratel
  name: ratel
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ratel
  template:
    metadata:
      labels:
        app: ratel
    spec:
      containers:
      - command:
        - sh
        - -c
        - ./ratel -c /mnt/servers.yaml
        env:
        - name: TZ
          value: Asia/Shanghai
        - name: LANG
          value: C.UTF-8
        - name: ProRunMode
          value: prod
        - name: ADMIN_USERNAME
          value: admin # username for logging in to the web UI
        - name: ADMIN_PASSWORD
          value: password # password for logging in to the web UI
        image: dotbalo/ratel:v0.1alpha
        livenessProbe:
          failureThreshold: 2
          initialDelaySeconds: 10
          periodSeconds: 60
          successThreshold: 1
          tcpSocket:
            port: 8888
          timeoutSeconds: 2
        name: ratel
        ports:
        - containerPort: 8888
          name: web
          protocol: TCP
        readinessProbe:
          failureThreshold: 2
          initialDelaySeconds: 10
          periodSeconds: 60
          successThreshold: 1
          tcpSocket:
            port: 8888
          timeoutSeconds: 2
        resources:
          limits:
            cpu: 1000m
            memory: 520Mi
          requests:
            cpu: 100m
            memory: 100Mi
        volumeMounts:
        - mountPath: /mnt
          name: ratel-config
      restartPolicy: Always
      volumes:
      - name: ratel-config
        secret:
          defaultMode: 420
          secretName: ratel-config
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: ratel
  name: ratel
  namespace: kube-system
spec:
  ports:
  - name: container-1-web-1
    nodePort: 32568
    port: 8888
    protocol: TCP
    targetPort: 8888
  selector:
    app: ratel
  type: NodePort
Change the following as needed:
ProRunMode: in dev mode ratel prints debug logs, in every other mode info-level logs; in real use set it to something other than dev
ADMIN_USERNAME: the administrator username for ratel's own web login
ADMIN_PASSWORD: the administrator password for ratel's own web login
In real use the username and password must meet complexity requirements, because ratel can operate directly on every configured resource.
Nothing else needs to be configured; changing the port is not supported yet.
root@master1:~/ratel# kubectl apply -f ratel.yaml
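The manifest above carries ratel's admin password as a literal env value, so it ends up in the file, in kubectl's last-applied annotation and in anything that dumps the Deployment. The following is an added example (my code, not the post's or ratel's) that lints a Deployment for sensitive env vars given inline and produces the hardened form that reads them from a Secret via secretKeyRef. The Secret name ratel-admin and its keys username/password are my choice, not something ratel prescribes; the embedded Deployment is a constructed, trimmed copy of the one on this page.

```python
"""Added example, not from the original post or from ratel: lint the ratel
Deployment for admin credentials given as literal env values and produce the
hardened equivalent that reads them from a Secret. SECRET_NAME and the keys in
MAPPING are hypothetical choices of mine, not anything ratel requires."""
import copy
import json

SECRET_NAME = "ratel-admin"  # hypothetical Secret holding the web login
SENSITIVE = ("PASSWORD", "PASSWD", "SECRET", "TOKEN")  # name fragments that mark a secret
WEAK_VALUES = {"password", "admin", "123456", "changeme"}  # defaults that must never ship
MAPPING = {"ADMIN_USERNAME": "username", "ADMIN_PASSWORD": "password"}  # env name -> Secret key

# Constructed sample: the env block of this page's Deployment, trimmed.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "ratel", "namespace": "kube-system"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "ratel", "image": "dotbalo/ratel:v0.1alpha",
        "env": [{"name": "ProRunMode", "value": "prod"},
                {"name": "ADMIN_USERNAME", "value": "admin"},
                {"name": "ADMIN_PASSWORD", "value": "password"}]}]}}}}


def lint_env(deployment):
    """Findings for env vars that look sensitive but carry a literal value."""
    findings = []
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        for e in c.get("env", []):
            name, value = e["name"], e.get("value")
            if value is None:
                continue  # valueFrom (Secret/ConfigMap reference): nothing inline to flag
            if any(tag in name.upper() for tag in SENSITIVE):
                findings.append(f"{c['name']}/{name}: literal value in manifest; use secretKeyRef")
                if value.lower() in WEAK_VALUES or len(value) < 12:
                    findings.append(f"{c['name']}/{name}: weak value ({len(value)} chars)")
    return findings


def harden(deployment, mapping=MAPPING, secret=SECRET_NAME):
    """Copy of the Deployment where each env var in `mapping` becomes a secretKeyRef."""
    out = copy.deepcopy(deployment)
    for c in out["spec"]["template"]["spec"]["containers"]:
        for e in c.get("env", []):
            key = mapping.get(e["name"])
            if key is not None:
                e.pop("value", None)  # the literal must not survive next to the reference
                e["valueFrom"] = {"secretKeyRef": {"name": secret, "key": key}}
    return out


if __name__ == "__main__":
    for finding in lint_env(SAMPLE_DEPLOYMENT):
        print(finding)
    hardened = harden(SAMPLE_DEPLOYMENT)
    print(json.dumps(hardened["spec"]["template"]["spec"]["containers"][0]["env"], indent=2))
```

The Secret the hardened manifest references is created out of band, for example with kubectl create secret generic ratel-admin -n kube-system --from-literal=username=admin --from-literal=password=<strong value>, so the password never appears in ratel.yaml; the lint treats a valueFrom entry as clean because there is no literal left to leak.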
Create the Service
root@master1:~/ratel# vim ratel-service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: ratel
  name: ratel
  namespace: kube-system
spec:
  ports:
  - name: container-1-web-1
    port: 8888
    protocol: TCP
    targetPort: 8888
  selector:
    app: ratel
  type: NodePort
root@master1:~/ratel# kubectl apply -f ratel-service.yaml
Follow-up steps
root@master1:~/ratel# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 27h
ratel NodePort 10.100.120.156 <none> 8888:32568/TCP 2m46s
Note: the ratel svc is of type NodePort; note down the port 32568 shown after the colon
root@master1:~/ratel# hostname -I
172.16.186.111 172.17.0.1 10.244.0.0
Web login
After logging in you can see the list of clusters
Click Cluster---kubeadm in the upper left to see some information about the current cluster
Click a resource count to open that resource's list, for example Node
Create a Deployment with Ratel
Click Deployment --> Create
Field descriptions
Select cluster: choose one of the previously configured clusters, identified by serverName; once a cluster is selected, the Namespace selection box appears automatically.
Namespace: the Namespace in which this Deployment is to be created; the Namespace selection box supports searching.
Prefer spreading across hosts: this option is equivalent to adding a soft Pod affinity policy, implemented through the selector.
Spread across hosts: this option is equivalent to adding a hard Pod affinity policy, implemented through the selector.
Update strategy: the Deployment's update strategy; note that it differs from the DaemonSet and StatefulSet update strategies.
Replicas: the number of Pods; change it with the mouse wheel or by typing a value.
Private registry Secret: the credentials for pulling images from a private registry; it must be created in advance, and clicking Refresh automatically fetches the cluster's secrets of the docker registry type.
Optional parameters
Volume configuration
After filling in the basic configuration, click Next (required) to reach the Volume view
As shown in the figure, the Volume types currently supported are HostPath, Secret, ConfigMap, EmptyDir and PVC
The Secret, ConfigMap, PVC and StorageClass fields below need not be typed by hand; click Refresh and the relevant information is fetched from the current cluster automatically
Container configuration
After completing the Volume configuration, click Next to fill in the Container configuration
Container 1 configuration
Explanation:
The Container configuration supports almost every common setting. A default Container name is filled in automatically once the Deployment name has been typed, and it can be changed as needed.
Several Containers can be configured; add, modify and delete them as needed.
The startup command and startup arguments are edited as needed, with items separated by commas. If a command or argument itself contains a comma, it has to be passed in through a variable: for example, if the startup argument is --configEnv=test1,prd,
then test1,prd must be configured as a variable and injected as --configEnv=$ConfigEnv
CPU and memory resources are configured as needed by dragging the sliders
Health checks are configured as needed; httpGet, tcpSocket and exec are currently supported
preStop and postStart are configured as needed.
Run with elevated privileges adds privileged=true to the Container
Container ports are configured and added as needed; three protocols are currently supported
Container environment variables: three kinds of variable configuration are supported; add, modify and delete them as needed
String variables: key/value variables; neither side may be left empty.
EnvFrom: take the variables from a ConfigMap or Secret
ValueFrom: FieldRef, ConfigMapRef, SecretRef and ResourceFieldRef are currently supported
File mount configuration:
A Volume must be added before a file mount can be configured; otherwise the file mount cannot be created
The Volume name is taken automatically from the Volumes created earlier
Container 2 configuration
Init Container configuration
Init Container configuration is largely the same as Container configuration
Service configuration
The pages for creating a Deployment, DaemonSet or StatefulSet embed a simple Service and Ingress configuration.
As shown in the figure, after the Containers are configured, if a Service is needed (none is added by default), enabling the service configuration generates a Service configuration from the container port configuration automatically; it can be modified, extended or deleted as needed. On this page only the ClusterIP and NodePort Service types are supported.
Ingress configuration
As shown in the figure, after the Service is configured, if an Ingress is needed (none is added by default), enabling Ingress generates a default Ingress configuration from the Service configuration; it can be modified, extended or deleted as needed.
To enable https, a tls-type certificate for the domain must be added in advance; clicking Refresh reads the list of tls-type certificates in the current Namespace of the current cluster automatically. Without a tls-type certificate https cannot be enabled.
"Strip prefix" means that a request for www.test1.com/a/test.html is automatically rewritten to www.test1.com/test.html.
Create the resources
If something above was filled in non-compliantly, for example a name containing uppercase letters (which is not allowed), Ratel converts it to lowercase automatically
View the created resources
Compared with creating the resources by hand, this not only lowers the chance of mistakes but also removes the need to know what every parameter of the yaml file means, which greatly improves the efficiency of managing a k8s cluster
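Several of the form options above correspond to well-defined pieces of the resulting manifest: the two "spread across hosts" switches, the comma-separated arguments with the env-variable workaround, the elevated-privilege switch, and the lowercase conversion of names. The following is an added example (my code, not ratel's) that renders those options into a Deployment. It generalises slightly beyond the post: lower-cased names are then validated against the DNS-1123 label rule Kubernetes enforces, spreading across hosts is expressed as podAntiAffinity on kubernetes.io/hostname (preferred for the soft option, required for the hard one), and an argument whose value contains a comma is moved into an env var referenced as $(VAR), which Kubernetes expands in args. Image names, label keys and the env names it derives are constructed.

```python
"""Added example (my code, not ratel's): what the create-Deployment form's
options become in the manifest. Assumptions of mine: the label key "app", the
weight 100 for the soft rule, and the env-variable names derived from flags."""
import re

DNS1123_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")


def normalize_name(raw: str) -> str:
    """Lower-case the name as Ratel does, then require a valid DNS-1123 label."""
    name = raw.lower()
    if not DNS1123_LABEL.match(name):
        raise ValueError(f"{raw!r} is not a valid Kubernetes name even after lower-casing")
    return name


def anti_affinity(labels: dict, mode: str):
    """mode: 'none', 'preferred' (soft spread) or 'required' (hard spread) across nodes."""
    if mode == "none":
        return None
    term = {"labelSelector": {"matchLabels": dict(labels)}, "topologyKey": "kubernetes.io/hostname"}
    if mode == "preferred":
        return {"podAntiAffinity": {"preferredDuringSchedulingIgnoredDuringExecution":
                                    [{"weight": 100, "podAffinityTerm": term}]}}
    if mode == "required":
        return {"podAntiAffinity": {"requiredDuringSchedulingIgnoredDuringExecution": [term]}}
    raise ValueError(f"unknown spread mode {mode!r}")


def encode_args(args):
    """Turn the intended argument list into (form field, env list).

    The form splits its field on commas, so an argument whose value contains a
    comma is moved into an env var and the field references it as $(VAR)."""
    field, env = [], []
    for i, arg in enumerate(args):
        if "," not in arg:
            field.append(arg)
            continue
        flag, sep, value = arg.partition("=")
        if sep:  # --flag=v1,v2  ->  --flag=$(FLAG) with FLAG=v1,v2
            var = re.sub(r"[^A-Za-z0-9]", "_", flag.lstrip("-")).upper()
            env.append({"name": var, "value": value})
            field.append(f"{flag}=$({var})")
        else:    # a bare value containing a comma  ->  $(ARGi)
            var = f"ARG{i}"
            env.append({"name": var, "value": arg})
            field.append(f"$({var})")
    return ",".join(field), env


def build_deployment(name, image, spread="none", args=(), privileged=False):
    """Assemble the Deployment the form would submit for these options."""
    name = normalize_name(name)
    labels = {"app": name}
    field, env = encode_args(list(args))
    container = {"name": name, "image": image,
                 "args": field.split(",") if field else [], "env": env}
    if privileged:  # the form's "run with elevated privileges" switch
        container["securityContext"] = {"privileged": True}
    pod = {"containers": [container]}
    affinity = anti_affinity(labels, spread)
    if affinity:
        pod["affinity"] = affinity
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": name, "labels": labels},
            "spec": {"replicas": 1, "selector": {"matchLabels": labels},
                     "template": {"metadata": {"labels": labels}, "spec": pod}}}


if __name__ == "__main__":
    import json
    print(json.dumps(build_deployment("Demo-App", "nginx:1.25", "preferred",
                                      ["--configEnv=test1,prd", "--port=8080"]), indent=2))
```

The hard spread rule leaves a Pod Pending when fewer nodes than replicas are available, which is the trade-off the form's soft option avoids; and privileged: true hands the container the host's device and capability set, so it is worth confirming with kubectl get deploy <name> -o yaml that the switch is off for anything that does not need it.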
View the created Deployment
root@master1:~/ratel# kubectl get deploy <deployment-name> -o yaml
View the created Service
root@master1:~/ratel# kubectl get svc <SVC-NAME> -o yaml
View the created Ingress
root@master1:~/ratel# kubectl get ingress <INGRESS-NAME> -o yaml
From: https://www.cnblogs.com/smlile-you-me/p/17015376.html