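K8S Dashboard: Deployment and Login with Token or Kubeconfig Authentication
1. Deploy the Dashboard
1.1 Download the YAML file
$ wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.4.0/aio/deploy/recommended.yaml
1.2 Change the Service type and port
By default the Dashboard can only be reached from inside the cluster. Change the Service to type NodePort to expose it externally on port 30001.
Open the YAML file and find this section: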
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
Add nodePort: 30001 to the port entry and type: NodePort to spec.
1.3 Create the Pod
$ kubectl apply -f recommended.yaml
$ kubectl get pods,svc -n kubernetes-dashboard
1.4 Access the Dashboard from a browser
Access from inside the cluster: curl https://10.0.0.71:443
Access from outside the cluster: https://192.168.91.132:30001
2. Log in to the Dashboard
The Dashboard provides two authentication methods:
2.1 Token
2.1.1 Create the account
On the master node, create a service account and bind it to the default cluster-admin cluster role.
# Create the user
$ kubectl create serviceaccount dashboard-admin -n kube-system
# Grant the user permissions
$ kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
# Get the user's token
$ kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')
Copy the printed token into the login page to log in.
2.2 Kubeconfig
As with the Token method, first create the user and assign the role; this method is really a continuation of the Token method.
# Create the user
$ kubectl create serviceaccount dashboard-admin -n kube-system
# Grant the user permissions
$ kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
# Get the user's token
$ kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')
After obtaining the token, generate the dashboard-admin.kubeconfig file.
# Get the name of the token secret (here dashboard-admin-token-dc7tz)
$ kubectl get secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')
# Substitute the secret name obtained in the previous step here
$ DASH_TOKEN=$(kubectl get secret -n kube-system dashboard-admin-token-dc7tz -o jsonpath='{.data.token}' | base64 -d)
# Generate the dashboard-admin.kubeconfig configuration file
$ kubectl config set-cluster kubernetes \
    --certificate-authority=/opt/kubernetes/ssl/ca.pem \
    --embed-certs=true \
    --server=https://192.168.91.132:6443 \
    --kubeconfig=dashboard-admin.kubeconfig
$ kubectl config set-credentials dashboard-admin \
    --token="$DASH_TOKEN" \
    --kubeconfig=dashboard-admin.kubeconfig
$ kubectl config set-context dashboard-admin@kubernetes \
    --cluster=kubernetes \
    --user=dashboard-admin \
    --kubeconfig=dashboard-admin.kubeconfig
$ kubectl config use-context dashboard-admin@kubernetes --kubeconfig=dashboard-admin.kubeconfig
Finally, download the generated dashboard-admin.kubeconfig file to your local machine and select it in the browser to log in.
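The kubeconfig generated above stores the cluster-admin service account's bearer token in plain text. The following shell functions are an added example, not part of the original post: they read the token back out of a kubeconfig and decode its JWT payload to show which identity the file authenticates as and whether the token ever expires. The function names and the sample kubeconfig are constructed for illustration, and a `base64` that accepts `-d` is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): show which identity a
# kubeconfig's embedded bearer token carries and whether it ever expires.

# Decode one base64url JWT segment (JWT drops the '=' padding).
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Print the claims JSON of the first "token:" entry in kubeconfig file $1.
token_claims() {
    tok=$(sed -n 's/^[[:space:]]*token:[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$tok" ] || { echo "no token in $1" >&2; return 1; }
    b64url_decode "$(printf '%s' "$tok" | cut -d. -f2)"
}

# Print the "sub" claim: the service account the file authenticates as.
token_subject() {
    token_claims "$1" | sed -n 's/.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Exit 0 only if the token has an "exp" claim. Secret-based service-account
# tokens like the one generated above have none, so they remain valid until
# the Secret or the ServiceAccount is deleted.
token_expires() {
    token_claims "$1" | grep -q '"exp"[[:space:]]*:'
}

# Constructed sample: writes a kubeconfig whose token has a fake signature
# and the claim layout of a secret-based service-account token.
write_sample_kubeconfig() {
    claims='{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:kube-system:dashboard-admin"}'
    body=$(printf '%s' "$claims" | base64 | tr -d '=\n' | tr '/+' '_-')
    printf 'users:\n- name: dashboard-admin\n  user:\n    token: e30.%s.c2ln\n' "$body" > "$1"
}
```

After sourcing the functions, run `token_subject dashboard-admin.kubeconfig` and `token_expires dashboard-admin.kubeconfig` against the generated file; for the account created in this walkthrough the subject is system:serviceaccount:kube-system:dashboard-admin.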