安装Kubernetes资源管理平台(Ratel)

本文转载杜宽老师和51CTO博主mb601cf713ef4ca的文章

1.Ratel是什么?

        Ratel是一个Kubernetes资源平台,基于管理Kubernetes的资源开发,可以管理Kubernetes的Deployment、DaemonSet、StatefulSet、Service、Ingress、Pods、Nodes、Role、ClusterRole、Rolebinding、ClusterRoleBinding、Secret、ConfigMap、PV、PVC等。主要用于以图形化的方式管理k8s的各类资源,提高维护k8s集群的效率及降低出错的概率。

2.安装Ratel

        请查看最新文档: https://github.com/dotbalo/ratel-doc

   2.1   安装说明

        集群安装配置需要两类文件: servers.yaml和集群管理的kubeconfig文件      servers.yaml是ratel的配置文件, 格式如下        - serverName: 'xiqu'

          serverAddress: 'https://1.1.1.1:8443'
          #serverAdminUser: 'xxx'
          #serverAdminPassword: 'xxx#'
          serverAdminToken: 'null'
          serverDashboardUrl: "https://k8s.xxx.com.cn/#"
          production: 'false'
          kubeConfigPath: "/mnt/xxx.config"
          harborConfig: "HarborUrl, HarborUsername, HarborPassword, HarborEmail"
        其中管理的方式有两种: 
            账号密码和kubeconfig形式, 只需配置一种即可, kubeconfig优先级高

    参数解析:
        serverName: 集群别名
        serverAddress: Kubernetes APIServer地址
        serverAdminUser: Kubernetes管理员账号(需要配置basic auth)
        serverAdminPassword: Kubernetes管理员密码
        serverAdminToken: Kubernetes管理员Token
        serverDashboardUrl: Kubernetes官方dashboard地址,1.x版本需要添加/#!,2.x需要添加/#
        kubeConfigPath: Kubernetes kube.config路径(绝对路径)
        harborConfig: 对于多集群管理的情况下,可能会存在不同的harbor仓库,配置此参数可以在拷贝资源的时候自动替换harbor配置
    kubeConfigPath 通过secret挂载到容器的/mnt目录或者其他目录 

2.2 创建Secret
# 1、查看集群地址
       [root@k8s-master01 ~]# kubectl cluster-info    
       Kubernetes control plane is running at https://192.168.1.246:8443
    CoreDNS is running at https://192.168.1.246:8443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

    # 2、创建servers.yaml
    [root@k8s-master01 app]# mkdir Ratel && cd Ratel
    [root@k8s-master01 Ratel]# cat servers.yaml
    - serverName: 'test1'
      serverAddress: 'https://192.168.1.246:8443'
      serverAdminToken: 'null'
      serverDashboardUrl: "https://k8s.test1.com.cn/#!"
      production: 'false'
      kubeConfigPath: "/mnt/test1.config"

    # 3、copy配置文件
    [root@k8s-master01 Ratel]# cp /root/.kube/config  test1.config

    # 4、创建Secret
    [root@k8s-master01 Ratel]# kubectl create secret generic ratel-config  --from-file=test1.config --from-file=servers.yaml -n kube-system
    secret/ratel-config created
2.3 创建RBAC
  2.3.1、创建权限管理namespace
  [root@k8s-master01 Ratel]# kubectl create ns kube-users
  namespace/kube-users created
  2.3.2、创建ClusterroleBinding
  [root@k8s-master01 Ratel]# vim ratel-rbac.yaml
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
      rbac.authorization.k8s.io/aggregate-to-edit: "true"
    name: ratel-namespace-readonly
  rules:
  - apiGroups:
    - ""
    resources:
    - namespaces
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - metrics.k8s.io
    resources:
    - pods
    verbs:
    - get
    - list
    - watch
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: ratel-pod-delete
  rules:
  - apiGroups:
    - ""
    resources:
    - pods
    verbs:
    - get
    - list
    - delete
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: ratel-pod-exec
  rules:
  - apiGroups:
    - ""
    resources:
    - pods
    - pods/log
    verbs:
    - get
    - list
  - apiGroups:
    - ""
    resources:
    - pods/exec
    verbs:
    - create
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    name: ratel-resource-edit
  rules:
  - apiGroups:
    - ""
    resources:
    - configmaps
    - persistentvolumeclaims
    - services
    - services/proxy
    verbs:
    - patch
    - update
  - apiGroups:
    - apps
    resources:
    - daemonsets
    - deployments
    - deployments/rollback
    - deployments/scale
    - statefulsets
    - statefulsets/scale
    verbs:
    - patch
    - update
  - apiGroups:
    - autoscaling
    resources:
    - horizontalpodautoscalers
    verbs:
    - patch
    - update
  - apiGroups:
    - batch
    resources:
    - cronjobs
    - jobs
    verbs:
    - patch
    - update
  - apiGroups:
    - extensions
    resources:
    - daemonsets
    - deployments
    - deployments/rollback
    - deployments/scale
    - ingresses
    verbs:
    - patch
    - update
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: ratel-resource-readonly
  rules:
  - apiGroups:
    - ""
    resources:
    - configmaps
    - endpoints
    - persistentvolumeclaims
    - pods
    - replicationcontrollers
    - replicationcontrollers/scale
    - serviceaccounts
    - services
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - ""
    resources:
    - bindings
    - events
    - limitranges
    - namespaces/status
    - pods/log
    - pods/status
    - replicationcontrollers/status
    - resourcequotas
    - resourcequotas/status
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - ""
    resources:
    - namespaces
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - apps
    resources:
    - controllerrevisions
    - daemonsets
    - deployments
    - deployments/scale
    - replicasets
    - replicasets/scale
    - statefulsets
    - statefulsets/scale
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - autoscaling
    resources:
    - horizontalpodautoscalers
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - batch
    resources:
    - cronjobs
    - jobs
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - extensions
    resources:
    - daemonsets
    - deployments
    - deployments/scale
    - ingresses
    - networkpolicies
    - replicasets
    - replicasets/scale
    - replicationcontrollers/scale
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - policy
    resources:
    - poddisruptionbudgets
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - networking.k8s.io
    resources:
    - networkpolicies
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - metrics.k8s.io
    resources:
    - pods
    verbs:
    - get
    - list
    - watch
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

# create
[root@k8s-master01 Ratel]# kubectl create -f ratel-rbac.yaml
clusterrole.rbac.authorization.k8s.io/ratel-namespace-readonly created
clusterrole.rbac.authorization.k8s.io/ratel-pod-delete created
clusterrole.rbac.authorization.k8s.io/ratel-pod-exec created
clusterrole.rbac.authorization.k8s.io/ratel-resource-edit created
clusterrole.rbac.authorization.k8s.io/ratel-resource-readonly created

  2.4  部署ratel

     

ratel的部署文件内容如下
[root@k8s-master01 Ratel]# vim ratel.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ratel
  name: ratel
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ratel
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: ratel
    spec:
      containers:
        - command:
            - sh
            - -c
            - ./ratel -c /mnt/servers.yaml
          env:
            - name: TZ
              value: Asia/Shanghai
            - name: LANG
              value: C.UTF-8
            - name: ProRunMode
              value: prod
            - name: ADMIN_USERNAME
              value: admin
            - name: ADMIN_PASSWORD
              value: password
          image: registry.cn-beijing.aliyuncs.com/dotbalo/ratel:latest
          imagePullPolicy: Always
          livenessProbe:
            failureThreshold: 2
            initialDelaySeconds: 10
            periodSeconds: 60
            successThreshold: 1
            tcpSocket:
              port: 8888
            timeoutSeconds: 2
          name: ratel
          ports:
            - containerPort: 8888
              name: web
              protocol: TCP
          readinessProbe:
            failureThreshold: 2
            initialDelaySeconds: 10
            periodSeconds: 60
            successThreshold: 1
            tcpSocket:
              port: 8888
            timeoutSeconds: 2
          resources:
            limits:
              cpu: 500m
              memory: 512Mi
            requests:
              cpu: 500m
              memory: 512Mi
          volumeMounts:
            - mountPath: /mnt
              name: ratel-config
      dnsPolicy: ClusterFirst
      #imagePullSecrets:
      #  - name: myregistrykey
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
        - name: ratel-config
          secret:
            defaultMode: 420
            secretName: ratel-config
需要更改的内容如下:
    ProRunMode: 区别在于dev模式打印的是debug日志, 其他模式是info级别的日志, 实际使用时应该配置为非dev
    ADMIN_USERNAME: ratel自己的管理员账号
    ADMIN_PASSWORD: ratel自己的管理员密码
    实际使用时账号密码应满足复杂性要求,因为ratel可以直接操作所有配置的资源。
    其他无需配置, 端口配置暂不支持。
    
# create Deployment
[root@k8s-master01 Ratel]# kubectl create -f  ratel.yaml
deployment.apps/ratel created

   2.5、Service和Ingress配置

        

注意:如果没有安装ingress controller,需要把type: ClusterIP改成type: NodePort,然后通过主机IP+Port进行访问
# 创建ratel Service的文件如下、创建ratel Ingress
[root@k8s-master01 Ratel]# vim ratel-svc.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: ratel
  name: ratel
  namespace: kube-system
spec:
  ports:
    - name: container-1-web-1
      port: 8888
      protocol: TCP
      targetPort: 8888
  selector:
    app: ratel
  type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ratel
  namespace: kube-system
spec:
  rules:
  - host: krm.test.com
    http:
      paths:
      - backend:
          serviceName: ratel
          servicePort: 8888
        path: /
[root@k8s-master01 Ratel]# kubectl create -f   ratel-svc.yaml  
service/ratel created
ingress.extensions/ratel created

# 查看部署在那个节点
[root@k8s-master01 ~]# kubectl get pod -n kube-system -owide查看部署在那个节点