admin 2025/6/4 1:29:51 [news]
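- Install and use the native Kubernetes web UI to view and manage resources
- Check the image version on the official site
Docker Hub
- Pull the images on all worker nodes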
docker pull kubernetesui/dashboard:v2.4.0
docker pull kubernetesui/metrics-scraper:latest
- Get the official yaml
Web UI (Dashboard) | Kubernetes
- Edit the yaml
mv recommended.yaml kubernetes-dashboard.yaml
vim kubernetes-dashboard.yaml
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  type: NodePort

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---

kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.4.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "beta.kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:latest
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
            - mountPath: /tmp
              name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "beta.kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}
- kubectl apply -f kubernetes-dashboard.yaml
Open a browser and visit: https://192.168.1.30:31168/
- Log in to the dashboard with an administrator token
kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:kubernetes-dashboard
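Get the token, paste it into the token input field, and click Sign in
- Log in to the dashboard with a regular-privilege token
- 1. Create a token that can only manage a specified namespace
The following steps are performed on the k8s control node
(1) Create a lucky serviceaccount account in the lucky namespace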
kubectl create namespace lucky
kubectl create serviceaccount lucky-admin -n lucky
(2) Bind the lucky user with a rolebinding
kubectl create rolebinding lucky-admin -n lucky --clusterrole=cluster-admin --serviceaccount=lucky:lucky-admin
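(3) View the secret
kubectl get secrets -n lucky
The output is as follows:
kubectl describe secrets -n lucky lucky-admin-token-ctbtl
The output is as follows:
Enter the token above into the token authentication field of the web UI; after logging in, only the lucky namespace is visible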
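A service-account token is a bearer JWT, and its `sub` claim is the identity RBAC evaluates: the Dashboard account bound to cluster-admin above and lucky-admin differ only in that claim. The following added example (not from the original post) decodes it so a token can be checked before it is pasted or shared; the helper names are hypothetical and the sample tokens are constructed and unsigned, with the payload trimmed to two claims.

```bash
# Added example: read the identity inside a service-account token before it is
# pasted into the Dashboard. All sample values are CONSTRUCTED, not from a cluster.

# base64url-encode stdin (JWT style: no padding, '-' and '_' replace '+' and '/').
b64url_encode() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# Decode one base64url segment given as $1 (restores alphabet and padding).
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d
}

# Build an unsigned sample token shaped like a secret-based SA token.
# $1 = namespace, $2 = service account name (hypothetical helper).
make_sample_token() {
  local hdr pay
  hdr=$(printf '%s' '{"alg":"RS256","kid":"constructed"}' | b64url_encode)
  pay=$(printf '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:%s:%s"}' \
        "$1" "$2" | b64url_encode)
  printf '%s.%s.%s' "$hdr" "$pay" "constructed-signature"
}

# Print the "sub" claim: the user name RBAC evaluates for this token.
token_subject() {
  local payload
  payload=$(printf '%s' "$1" | cut -d. -f2)
  printf '%s\n' "$(b64url_decode "$payload")" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Succeed only if the token belongs to service account $3 in namespace $2.
token_is_for() {
  [ "$(token_subject "$1")" = "system:serviceaccount:$2:$3" ]
}

# Demo with the two identities used on this page.
ns_token=$(make_sample_token lucky lucky-admin)
admin_token=$(make_sample_token kubernetes-dashboard kubernetes-dashboard)
token_subject "$ns_token"      # system:serviceaccount:lucky:lucky-admin
token_subject "$admin_token"   # system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard
token_is_for "$admin_token" lucky lucky-admin || echo "not the lucky-admin token"
```

On a live cluster the input would be the `token:` value printed by the `kubectl describe secrets` command above.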
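- Log in to the dashboard with a kubeconfig
- Wrap the token in a kubeconfig and log in to the dashboard with that kubeconfig
- 1. Create a kubeconfig file that can only manage a specified namespace
The following steps are performed on the k8s master node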
cd /etc/kubernetes/pki
(1) Create the cluster
kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://192.168.1.30:6443" --embed-certs=true --kubeconfig=/root/lucky-admin.conf
(2) Creating the credentials requires the token information created above
kubectl get secret -n lucky
DEF_NS_ADMIN_TOKEN=$(kubectl get secret lucky-admin-token-ctbtl -n lucky -o jsonpath={.data.token}|base64 -d)
(3) Create the credentials
kubectl config set-credentials lucky --token=$DEF_NS_ADMIN_TOKEN --kubeconfig=/root/lucky-admin.conf
(4) Create the context
kubectl config set-context lucky@kubernetes --cluster=kubernetes --user=lucky --kubeconfig=/root/lucky-admin.conf
(5) Switch the current-context to lucky@kubernetes
kubectl config use-context lucky@kubernetes --kubeconfig=/root/lucky-admin.conf
(6) Copy the kubeconfig file lucky-admin.conf just created to the desktop
When accessing the dashboard from the browser, choose kubeconfig authentication and import the lucky-admin.conf file into the web UI; you can then log in
- Restrict what users can do with k8s resources
- SSL authentication
Generate a certificate
(1) Generate a private key
cd /etc/kubernetes/pki/
(umask 077; openssl genrsa -out lucky.key 2048)
(2) Generate a certificate signing request
openssl req -new -key lucky.key -out lucky.csr -subj "/CN=lucky"
(3) Generate a certificate
openssl x509 -req -in lucky.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out lucky.crt -days 3650
Add the lucky user to the kubeconfig
(1) Add the lucky user to the kubernetes cluster so that it can authenticate connections to the apiserver
kubectl config set-credentials lucky --client-certificate=./lucky.crt --client-key=./lucky.key --embed-certs=true
(2) Add the lucky account to the kubeconfig
kubectl config set-context lucky@kubernetes --cluster=kubernetes --user=lucky
(3) Switch to the lucky account, which has no permissions by default
kubectl config use-context lucky@kubernetes
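kubectl config use-context kubernetes-admin@kubernetes
This is the cluster user, which has all permissions
Bind the user to a clusterrole through a rolebinding to grant it permissions; the permissions are only valid in the lucky namespace
(1) Bind the lucky user to the clusterrole through a rolebinding
kubectl create rolebinding lucky -n lucky --clusterrole=cluster-admin --user=lucky
(2) Switch to the lucky user
kubectl config use-context lucky@kubernetes
(3) Test the permissions
kubectl get pods -n lucky
Has permission to operate on this namespace
kubectl get pods
No permission to operate on other namespaces
Add a regular user named lucky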
useradd lucky
cp -ar /root/.kube/ /home/lucky/
chown -R lucky.lucky /home/lucky/
su - lucky
kubectl get pods -n lucky
# Can operate on the lucky namespace
exit
# Switch to kubernetes-admin@kubernetes
kubectl config use-context kubernetes-admin@kubernetes
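`cp -ar /root/.kube/ /home/lucky/` copies the admin's whole kubeconfig, so the file in /home/lucky still holds the kubernetes-admin client key next to lucky's and the Linux user lucky can switch back to that context. The following check is an added example, not from the original post; the function names are hypothetical, the sample file is constructed, and the awk parser assumes the layout kubectl itself writes.

```bash
# Added example: list the credentials a kubeconfig carries before handing it
# to another account. The sample file is CONSTRUCTED; key data is a placeholder.

# Write a sample shaped like /root/.kube/config after the steps on this page.
write_sample_kubeconfig() {
  cat > "$1" <<'EOF'
apiVersion: v1
clusters:
- cluster:
    server: https://192.168.1.30:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: lucky
  name: lucky@kubernetes
current-context: lucky@kubernetes
kind: Config
users:
- name: kubernetes-admin
  user:
    client-key-data: PLACEHOLDER
- name: lucky
  user:
    client-key-data: PLACEHOLDER
EOF
}

# Print every entry under the top-level "users:" key, one name per line.
kubeconfig_users() {
  awk '/^[A-Za-z-]+:/ { in_users = ($1 == "users:"); next }
       in_users && /^ *- name:/ { print $3 }' "$1"
}

# Fail, naming the extras, if the file holds credentials other than user $2.
check_kubeconfig_scope() {
  local extra
  extra=$(kubeconfig_users "$1" | grep -Fvx -- "$2" || true)
  [ -z "$extra" ] || { echo "unexpected credentials in $1:" $extra; return 1; }
}

sample=$(mktemp) && write_sample_kubeconfig "$sample"
check_kubeconfig_scope "$sample" lucky || echo "not safe to hand to lucky"
# A file scoped to one context: kubectl config view --minify --flatten --context=lucky@kubernetes
```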