kubernetes-dashboard 安装及介绍

k8s-dashboard 安装及介绍

安装 dashboard UI

kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended/kubernetes-dashboard.yaml

查看是否安装成功:

kubectl get svc,pod --all-namespaces

NAMESPACE     NAME                           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE

...
kube-system   service/kubernetes-dashboard   ClusterIP   10.110.187.255   <none>        443/TCP         86m

NAMESPACE     NAME                                       READY   STATUS    RESTARTS   AGE
...
kube-system   pod/kubernetes-dashboard-57df4db6b-jjqhf   1/1     Running   8          86m

注:如果出现image pull错误,可以用私有仓库 先查看images:

cat kubernetes-dashboard.yaml | grep image
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1

然后将"k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1" 替换为 "mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1",用docker下载下来然后上传私有仓库,具体可参考(https://mp.weixin.qq.com/s/cV74onbtzTubrrhOl_Qi8w)。

Argument nameDefault valueDescription
insecure-port9090The port to listen to for incoming HTTP requests.
port8443The secure port to listen to for incoming HTTPS requests.
insecure-bind-address127.0.0.1The IP address on which to serve the --port (set to 0.0.0.0 for all interfaces).
bind-address0.0.0.0The IP address on which to serve the --secure-port (set to 0.0.0.0 for all interfaces).
default-cert-dir/certsDirectory path containing '--tls-cert-file' and '--tls-key-file' files. Used also when auto-generating certificates flag is set. Relative to the container, not the host.
tls-cert-file-File containing the default x509 Certificate for HTTPS.
tls-key-file-File containing the default x509 private key matching --tls-cert-file.
apiserver-host-The address of the Kubernetes Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8080. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and local discovery is attempted.
api-log-levelDEFAULTSet or disable API request logging.<br />DEFAULT sanitizes potentially sensitive URLS<br />DEBUG outputs all request output (even if sensitive)<br />NONE disables all request logging
heapster-host-The address of the Heapster to connect to in the format of protocol://address:port, e.g., http://localhost:8082. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and service proxy will be used.
kubeconfig-Path to kubeconfig file with authorization and master location information.
token-ttl15 minutesExpiration time (in seconds) of JWE tokens generated by dashboard. Default: 15 min. 0 - never expires.
authentication-modetokenEnables authentication options that will be reflected on login screen. Supported values: token, basic. Note that basic option should only be used if apiserver has '--authorization-mode=ABAC' and '--basic-auth-file' flags set.
metric-client-check-period30 secondsTime in seconds that defines how often configured metric client health check should be run.
auto-generate-certificatesfalseWhen set to true, Dashboard will automatically generate certificates used to serve HTTPS.
enable-insecure-loginfalseWhen enabled, Dashboard login view will also be shown when Dashboard is not served over HTTPS. Still, it requires frontend to be accessed over HTTPS (i.e. secure nginx proxy).
system-banner-When non-empty displays message to Dashboard users. Accepts simple HTML tags.
system-banner-severityINFOSeverity of system banner. Should be one of 'INFO,WARNING,ERROR'.
disable-settings-authorizerfalseWhen enabled, Dashboard settings page will not require user to be logged in and authorized to access settings page.
enable-skip-loginfalseWhen enabled, the skip button on the login page will be shown.

通过kube-proxy访问

kubectl proxy – 为Kubernetes API server启动代理服务器:

Options:
      --accept-hosts='^localhost$,^127\.0\.0\.1$,^\[::1\]$': Regular expression for hosts that the proxy should accept.
      --accept-paths='^.*': Regular expression for paths that the proxy should accept.
      --address='127.0.0.1': The IP address on which to serve on.
      --api-prefix='/': Prefix to serve the proxied API under.
      --disable-filter=false: If true, disable request filtering in the proxy. This is dangerous, and can leave you
vulnerable to XSRF attacks, when used with an accessible port.
      --keepalive=0s: keepalive specifies the keep-alive period for an active network connection. Set to 0 to disable
keepalive.
  -p, --port=8001: The port on which to run the proxy. Set to 0 to pick a random port.
      --reject-methods='^$': Regular expression for HTTP methods that the proxy should reject (example
--reject-methods='POST,PUT,PATCH'). 
      --reject-paths='^/api/.*/pods/.*/exec,^/api/.*/pods/.*/attach': Regular expression for paths that the proxy should
reject. Paths specified here will be rejected even accepted by --accept-paths.
  -u, --unix-socket='': Unix socket on which to run the proxy.
  -w, --www='': Also serve static files from the given directory under the specified prefix.
  -P, --www-prefix='/static/': Prefix to serve static files under, if static file directory is specified.

Usage:
  kubectl proxy [--port=PORT] [--www=static-dir] [--www-prefix=prefix] [--api-prefix=prefix] [options]

因为为了在不同服务器上可以访问到,因此要设置--accept-hosts--address两个参数。

kubectl proxy --address='0.0.0.0' --port=8001 --accept-hosts='^localhost$,^192\.168\.1\.122$'

构建登陆访问权限

打开地址http://192.168.1.122:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/:

可以在浏览器访问,官方提供了两种认证方式,一种是kubeconfig,一种是令牌token。

token令牌登陆

k8s各服务有自己的token:

kubectl get secret -n kube-system

NAME                                             TYPE                                  DATA   AGE
attachdetach-controller-token-8kh8n              kubernetes.io/service-account-token   3      21h
bootstrap-signer-token-htm5l                     kubernetes.io/service-account-token   3      21h
bootstrap-token-ngcxcv                           bootstrap.kubernetes.io/token         7      21h
calico-node-token-4wkts                          kubernetes.io/service-account-token   3      20h
certificate-controller-token-dzvlt               kubernetes.io/service-account-token   3      21h
clusterrole-aggregation-controller-token-qpvfv   kubernetes.io/service-account-token   3      21h
coredns-token-hdk66                              kubernetes.io/service-account-token   3      21h
cronjob-controller-token-tmvgn                   kubernetes.io/service-account-token   3      21h
daemon-set-controller-token-wxfbl                kubernetes.io/service-account-token   3      21h
default-token-67lzs                              kubernetes.io/service-account-token   3      21h
deployment-controller-token-ps2sn                kubernetes.io/service-account-token   3      21h
disruption-controller-token-qhncp                kubernetes.io/service-account-token   3      21h
endpoint-controller-token-mq29n                  kubernetes.io/service-account-token   3      21h
expand-controller-token-qv82t                    kubernetes.io/service-account-token   3      21h
generic-garbage-collector-token-4bklk            kubernetes.io/service-account-token   3      21h
horizontal-pod-autoscaler-token-4nn7k            kubernetes.io/service-account-token   3      21h
job-controller-token-hmjcx                       kubernetes.io/service-account-token   3      21h
kube-proxy-token-phvpr                           kubernetes.io/service-account-token   3      21h
kubernetes-dashboard-certs                       Opaque                                0      143m
kubernetes-dashboard-csrf                        Opaque                                1      143m
kubernetes-dashboard-key-holder                  Opaque                                2      76m
kubernetes-dashboard-token-tpvvp                 kubernetes.io/service-account-token   3      143m
namespace-controller-token-9jm46                 kubernetes.io/service-account-token   3      21h
node-controller-token-lvw87                      kubernetes.io/service-account-token   3      21h
persistent-volume-binder-token-sn2zf             kubernetes.io/service-account-token   3      21h
pod-garbage-collector-token-gmwb6                kubernetes.io/service-account-token   3      21h
pv-protection-controller-token-r566m             kubernetes.io/service-account-token   3      21h
pvc-protection-controller-token-sh8x9            kubernetes.io/service-account-token   3      21h
replicaset-controller-token-bd724                kubernetes.io/service-account-token   3      21h
replication-controller-token-h7bt6               kubernetes.io/service-account-token   3      21h
resourcequota-controller-token-qrj5l             kubernetes.io/service-account-token   3      21h
service-account-controller-token-5brbw           kubernetes.io/service-account-token   3      21h
service-controller-token-ln82n                   kubernetes.io/service-account-token   3      21h
statefulset-controller-token-b9jlj               kubernetes.io/service-account-token   3      21h
token-cleaner-token-9lzqb                        kubernetes.io/service-account-token   3      21h
ttl-controller-token-58rdc                       kubernetes.io/service-account-token   3      21h

我们通过kubectl describe secret可以看到具体服务的token:

kubectl describe secret deployment-controller-token-ps2sn -n kube-system
Name:         deployment-controller-token-ps2sn
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: deployment-controller
              kubernetes.io/service-account.uid: e3dff2a1-2095-11e9-b54b-5254003008ab

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZXBsb3ltZW50LWNvbnRyb2xsZXItdG9rZW4tcHMyc24iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVwbG95bWVudC1jb250cm9sbGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZTNkZmYyYTEtMjA5NS0xMWU5LWI1NGItNTI1NDAwMzAwOGFiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRlcGxveW1lbnQtY29udHJvbGxlciJ9.d_GQotLp38_5GOMCHy2sn9zvgTThnSo4cUN5PkRbKyLtT16zl1MtFadOogLc7iVllNgDGAzHHAbo73m35gi1j0H_o0A742wZq4gLS-06r4UPfhpU9IoGhYZusYOY-RvBkjm7PZbKhudxwStdP44HhwaqdoX2wMwZgT8mrVd74VEs988zPEaM-QAKYLhYgOEAlEFvXnFfzm2dRD9LtK7m1JrlmevmtONfucEPpJiVuAhYBYq31KZ6YOya0Py8tInd8S-9_pmBmNVCYE2MzyFLWJ5uJhmdefqNWwTgKaKHWOsczqDecnRaSuF97Qje7udwVeVjNTeCwUzOZAfPlHLe-Q

但每个服务的token都权限都不同,不一定符合我们的需求,因此我们需要建立自己的ClusterRole,并赋予权限。

创建user-shikanon.yaml文件:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: user-shikanon
  namespace: kube-system

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: user-shikanon
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: user-shikanon
  namespace: kube-system

启动服务:

[root@master ~]# kubectl create -f user-shikanon.yaml

serviceaccount/user-shikanon created
clusterrolebinding.rbac.authorization.k8s.io/user-shikanon created

查看user-shikanon服务的token:

[root@master ~]# kubectl describe secret user-shikanon --namespace=kube-system
Name:         user-shikanon-token-6t5rd
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: user-shikanon
              kubernetes.io/service-account.uid: f290b948-2149-11e9-a469-5254003008ab

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJ1c2VyLXNoaWthbm9uLXRva2VuLTZ0NXJkIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InVzZXItc2hpa2Fub24iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJmMjkwYjk0OC0yMTQ5LTExZTktYTQ2OS01MjU0MDAzMDA4YWIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06dXNlci1zaGlrYW5vbiJ9.Ap6MY85X38mVGXqEe7T8UW-RHNXWWJZ06eKKXMKutRJUKDNcfKKV0Y1o_CsWLfSNjqNjRCoTYs4x73vHwo6LkrXrzKoyh7VZytcMxpwV7FiLAMU0OFia179WROAIEpvZ1AsK94X2NM3zBS4I3pVNK_OLM4wuOBLcX9bkFscBRufs3SvgtA64t8_vq4udgoQdERdnK3EiPBgpZEjnGQIK_o-kgGKviXhS892r2QD9y_YlrFyY6Gu4xPRew_k2jPpFpZNyjYp3pKWw6DnGKBN39M7T5igLnSXJEQGp1mXgYrgWBL-IQeWtRTVcpBIeRFa5AoPMfPcv5x4AsWHK_rF1_A

kubeconfig登陆

在.kube/config找到kubeconfig文件,或者重新创建一个kubeconfig文件,在config文件末尾加上一个token字段即可:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNU1ERXlOVEV4TXpneU1Wb1hEVEk1TURFeU1qRXhNemd5TVZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTERlCnVEYkNXSTVnMUhjaithdFVDdmlEK3dlM054VnVkV28rVWMvbWJFV3lyemM3WFp1RGdJZHNqNXRpV3hmMWNDVGYKeW9qU21OcC9ldmtUa2YxSGIzSmJOYjhFNG5oSE1TdzMwQkpNd1JxbTZaMVdQRnArNkRUdlZzT25CVnlDY1FRNwo0MEJWTnpyOTdXMTlkRi9JYXp4ODBqblRVT3NJNFczMXE3QkEvZ2E0anZVRnZQbnY3TVU5dm1XeCt4NWRJVmoyCjRDY1NzV0hBNVpiNm1RU050WlNtTWIxYnFZa0NHVGdPbWkrWDhDQzVaZmRtU1BmWmRUdlhOMlJVdzdmVXRZdlMKYTJuL3JwZFFzZ0s0NEthQXRHSmhta1dFci9hbkpVa1FlTEpMdjRpYVZXVnpHWEV0SkRqZkY1T0x6YVlvd2JpbApwT3hjMUIyTzk2TWV4NzljOHVVQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFHcC92MURIUlV1ODBiSjVKQy81eHRJVEVCelYKeVZZd1d2NUpsNDRkMFhVdlJqV2FOUXF5TUYwRVJYYXBjMWdSVjV1WitROWxUN3JPcVgvWlozNHFoSS9tdmhNRgpyRUh6NW9yK09waS9HNFYwK20xYysxOE9ya3h2ZHJjcFVYa1ArVW5kM09lV0VrUjNHREhxcU5YVHlEcWZybWR2Cmh2NTNwQ0F2NkFOKzRJUWJxd3RsWU5GZWhHN09IdEl4ZDdGSFJHcGZKTTFlUXJ3M09sYzhreDVkSkltS0tPYXgKZm9uVzBkOXdOTmVhVlVDMmh4cFFWVFlJbjBXamUxcGtVTEdUaTVqcjZZL2tBZ0hhU1BKNTR5TFhzbzhMTHBvVApGMEN0TnRWOG8zczQ2Z0ZvMW1uQUQxYXh1WjlnTTNUZTcrSkNnRVlhTlgxak1SMVFwWFpraysydGYzRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://192.168.1.120:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4akNDQWRxZ0F3SUJBZ0lJVHB1b3ZjbElYdVV3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB4T1RBeE1qVXhNVE00TWpGYUZ3MHlNREF4TWpVeE1UTTRNakphTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTBPMlZMVDhENlIwVFMyRFoKb0tOZGlBcVJ3amVkWlo4Y29FdVBneTZpNlVReU9qQUt4OVZaeVJ6bWIyTWU1aFpHSXdLVGcyNW92YWw3ZWY4RApwc2FqYUhOa2NZSVd6S0Y0Yks0ZGtndlRudE5yUGxpazA5WFQxWTAwZUF0ZmpySjMrZWwzcEd1eGFPWENzZVQ3CjVLR0pINkdWWllpeGhMekF4bnpGd3lpdlFFcDVjVFl1RVhvZUZnOXBTekRhRFV5M2orUnBqRWhEdjdraVZpWGQKTE5yVGg0ZFB2ZWZhd21KTE8yYk9qUkI5MDB4dkpLMkF2NmtiV0M0U2wzQnF1SjhyVERoM21IeDQzOXVSNnpDZgpsNkYrbC9qRVBBRFJQQzVrTEJhUzVMT3JmcFlBM244MWNKYVRVeWROeGtIbDkzVTZiSnNQNXhPblBrOFpxUC9iClNhaWVrd0lEQVFBQm95Y3dKVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFJRVl0MjBQVDJnWm1UMmx3amYyYjIvdGc0OUJMNFJObTl4dgp1RkVmK3F1SklqcHJpMFV0TVJUZE5lV2ZiZTJvZWMrbm1SNk5CSGhUMnlhYVMrQjJ5SUZvOVVWckZENXdYVUsrCnVVN0NCRk55cHZRTzlHVXJYaGFYa1lKUkJNQ21XM2d6T1RqdXVFaGNMd0lHZGRWdlI4Wkh5M245Y084czAzU2sKUmtuMlZmL0hjQnRvbnRUWENGTXpidFA0UnZnYXlMN2c5NGpsN25OQ1hBVEU1K1h5OHZKcm5NSXhUbVQwTnVFNgpBVG43RG1Hb2V0Q2kySnJqZFpqcUR5N3FqbjhOZGQ1Qmh4OWkvWThyTXVWTC9GTWIrRVk4SzM3U2IxTmM1U21rCkNtUjNGakZZYjJUVDRZeHdtMWFPM0Rvd0lOWDVDdkd4aTNHS0F4QjJydGZQSUpLOEhydz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBME8yVkxUOEQ2UjBUUzJEWm9LTmRpQXFSd2plZFpaOGNvRXVQZ3k2aTZVUXlPakFLCng5Vlp5UnptYjJNZTVoWkdJd0tUZzI1b3ZhbDdlZjhEcHNhamFITmtjWUlXektGNGJLNGRrZ3ZUbnROclBsaWsKMDlYVDFZMDBlQXRmanJKMytlbDNwR3V4YU9YQ3NlVDc1S0dKSDZHVlpZaXhoTHpBeG56Rnd5aXZRRXA1Y1RZdQpFWG9lRmc5cFN6RGFEVXkzaitScGpFaER2N2tpVmlYZExOclRoNGRQdmVmYXdtSkxPMmJPalJCOTAweHZKSzJBCnY2a2JXQzRTbDNCcXVKOHJURGgzbUh4NDM5dVI2ekNmbDZGK2wvakVQQURSUEM1a0xCYVM1TE9yZnBZQTNuODEKY0phVFV5ZE54a0hsOTNVNmJKc1A1eE9uUGs4WnFQL2JTYWlla3dJREFRQUJBb0lCQURDdE9kVloyaXBreU1zRwpISTR0b2F3QmNtWkNtTnhGVHVFVjJiRGhtN2tuVjJCeE13SE45bVpCNG5wUEtMTEl1N3lLYkIzeUNsc3Q4b1BBCjQzUG0wY21USVBMRk1WU3B4aW5rQXlXMHRiQktaN0VWN0FraXg0RDRyaUhOM0l5ZGpoQmUwYTR3SFJ4b2M0MEkKNFpzcCs0MndFdU9lRG1YenFDSldqYWpqZ0xsRWRQUWtiM1RmQkx0amNOakdEclVKS1VLcmJLa3gzb2NlUmVNNgpRcG1oVUJSYk1LSGZzVWdLUEFkaDdtTTJYUDlGTG1rNmMyWlBWZWE2dld2eFpMd2kxSzJXZUpJblVicXYyYy9wCkFaQ0VUdmNKTEttSTFmMFRxeGY1WXlVK29FZXlJQUJta2RvMkhWMHcwUEF4OGw5V1U1T2dacVVQS1lPVHVlL2YKMWsva2ttRUNnWUVBNlJYYVE4Y1hjUTJIeDR1dE5abUJJbXlObDM5eVNGeG94bEJaNWgvY3VWdk1ncS9nbjFXRApWaVIwajJ0Uk41QzdPZzU0Mnh1dXNwR1RqWWxyRDhDM1YwN0ZpM0E3NTkxMUpOMzRsVnpPdHhLem94dk12RmFsCmV0bVNmUnBETUdIL08xN3NsTnowdi9DVDNUNENKbzA2Q3hpZHNKVW01UGc4NG5MSmI3eGl6M0VDZ1lFQTVYZkIKRGU0UVhJeTZEMXhQdWcvbjJGYklVaDErRElvdVNuWFRIRGtKejB5blViQ0UwdGZ1RC9qUmhmTHcwSUIyMjBmOAplRzA1a0RFS1I0TVoyVXFSdUpaZWUybUdLZis5eVFSaTRzbVNPT0x3ZDFkbjBBNlJKQUppR1ROUWhDQmF3UmpKCm9kckZVNUtmejR1QTZGcE8vS2w2M0h5N1RtelFOMUd0MTFoUGxFTUNnWUI4dmdjNzh0Y20xL2pzNEdIb3A2aW0KeGJYWmVJbXZGRlcybk5ZZ0JMbGFNamozVUMxRTJMMGJZeE5HbGthM0dDdzdXL2R1UEJoNDFOUkZFV0JNNC9TNwpNeHNpRHdUZ2lITGpNakNScjBPcVVzWDA2ekhkTWZvS0Qxc0l2UDlzYTJYdlhsUDdMMjJGTTduTzFCck9peEtmClVhTkRGKy9pNXIrZTZaUEl5dWVPNFFLQmdFVEFvTU0vdFA5RjJ1bUhTd3dBZ0FLOTNiOWN2c3ViQzB1Y0NlakcKM2oyU1JmK2YxK3drYmx1eXZYUlkyZlpleHoza1Q2ejFiTzNiQTYxeGhta29nb2kvNVFjdEV0bTZtbTZFTmV5bApZSDVTNEtHaE9xV0g5OHpHT2dZNjdjRG93TWhpV09kNTJPMjFYTlNlZzcwYWNkZ2FING00aFpaMTI5ejNTQkxoCmp0WnBBb0dBWEtRQjJBRk52cnRnWEg2MHFCRWJPaG9kZ2ZXRVA2QmtrNUpZSzY1U2o1ZFRaTmZlOG9JU3FKbFAKR0dlQnZMV1dVVUhScmMyUFpEcFpZTDJ4NGRvYndoWDJkYWJOWEFsQTFZczZJZmM2OG9oaWxpdm1PbktGRXBBMAo5RDJ6VXBqa0NzS3EybDFVSW9WczJSbTZ1dDJKcXB1WWs4SHJ3Z1BpYWtsclJtZ3FYbUU9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
    token: eyJhbGciOiJSUzI1NiIsIm

RBAC权限控制

Role 和 ClusterRole类型的权限控制

Role 只能用于授予对单个命名空间中的资源访问权限,在 RBAC API 中,Role 表示一组规则权限,权限只会增加(累加权限),不存在一个资源一开始就有很多权限而通过 RBAC 对其进行减少的操作。Role 可以定义在一个 namespace 中,如果想要跨 namespace 则可以创建 ClusterRole, ClusterRole 是集群级别的。

Role:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

ClusterRole:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

RoleBinding 和 ClusterRoleBinding 类型的权限控制

RoloBinding 可以将角色中定义的权限授予用户或用户组,RoleBinding 包含一组权限列表(subjects),权限列表中包含有不同形式的待授予权限资源类型(users, groups, or service accounts);RoloBinding 同样包含对被 Bind 的 Role 引用;RoleBinding 适用于某个命名空间内授权,而 ClusterRoleBinding 适用于集群范围内的授权。

RoleBinding:

# This role binding allows "dave" to read secrets in the "development" namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-secrets
  namespace: development # This only grants permissions within the "development" namespace.
subjects:
- kind: User
  name: dave
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io

ClusterRoleBinding:

# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io

转载于:https://my.oschina.net/Kanonpy/blog/3006433

### 安装和部署 Kubernetes Dashboard 2.8.1 #### 准备工作 为了成功安装和配置Kubernetes Dashboard,确保集群已经正确设置并运行。Node节点应已启动`kubelet`, `kube-proxy`, 和其他必要的组件如Docker和Flannel网络插件[^1]。 #### 下载Dashboard资源清单文件 获取适用于版本2.8.1的官方YAML文件用于创建Dashboard实例。通常可以从GitHub仓库下载特定标签下的发布版: ```bash wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.8.1/aio/deploy/recommended.yaml ``` #### 修改资源配置 编辑上述命令拉取下来的`recommended.yaml`文件来适应具体的环境需求。特别是注意ServiceAccount, ClusterRoleBinding以及Deployment部分的内容以匹配实际使用的认证机制和服务暴露方式。 对于通过Token验证的方式,在完成部署之后可以按照如下方法查询Admin用户的Token: ```bash kubectl get secret -n kubernetes-dashboard | grep admin-user # 替换成你所定义的服务账户名称 kubectl describe secret $(kubectl get secrets -o name | grep admin-user) -n kubernetes-dashboard ``` 此过程会返回一个Base64编码后的token字符串,该字符串可用于登录界面的身份验证[^4]。 #### 应用配置至集群 当所有的准备工作完成后,就可以应用这些变更到Kubernetes环境中去了: ```bash kubectl apply -f recommended.yaml ``` 这一步骤将会在默认命名空间(`kubernetes-dashboard`)下建立所有必需的对象,包括但不限于Pods、Services等。 #### 访问仪表板UI 一旦确认所有Pod都处于Running状态,则可以通过浏览器访问外部IP地址加上指定端口的方式来打开Web UI页面。如果启用了HTTPS协议的话还需要提供相应的证书信息。 例如,假设服务被映射到了主机上的30002端口,那么完整的URL可能是这样的形式:`https://<master-node-ip>:30002/`。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值