Kubernetes入门学习-十八-dashboard认证及分级授权

最近学习k8s遇到很多问题,建了一个qq群:153144292,交流devops、k8s、docker等

Kubernetes dashboard认证及分级授权

认证、授权

API server:

Subject-->action-->object

认证

Token、tls、user/password

账号:UserAccount、ServiceAccount

授权

RBAC

role、rolebinding

clusterrole、clusterrolebinding

 

rolebinding、clusterrolebinding:

subject:

       user

       group

           serviceaccount

        role

 

 role、clusterrole

subject:

   resouce group

   resource

   non-resource url

 

action:get、list、watch、patch、delete、deletecollection、.........

 

角色应用:dashboard

项目:https://github.com/kubernetes/dashboard

认证代理,所有账号,所有授权都是k8s的账号和授权

一、部署

1、直接使用社区连接部署

[root@master manifests]# kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

secret/kubernetes-dashboard-certs created

serviceaccount/kubernetes-dashboard created

role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created

rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created

deployment.apps/kubernetes-dashboard created

service/kubernetes-dashboard created

这里有坑,被墙了

 

2、下载yaml和images安装

上面的安装方式不灵

可以使用

docker search kubernetes-dashboard-amd64

docker pull siriuszg/kubernetes-dashboard-amd64

docker tag siriuszg/kubernetes-dashboard-amd64:latest k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1

docker tag mirrorgooglecontainers/kubernetes-dashboard-amd64 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1

然后wget yaml文件

[root@master manifests]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

修改一下

[root@master manifests]# cat kubernetes-dashboard.yaml

# Copyright 2017 The Kubernetes Authors.

#

# Licensed under the Apache License, Version 2.0 (the "License");

# you may not use this file except in compliance with the License.

# You may obtain a copy of the License at

#

#     http://www.apache.org/licenses/LICENSE-2.0

#

# Unless required by applicable law or agreed to in writing, software

# distributed under the License is distributed on an "AS IS" BASIS,

# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

# See the License for the specific language governing permissions and

# limitations under the License.

 

# ------------------- Dashboard Secret ------------------- #

 

apiVersion: v1

kind: Secret

metadata:

  labels:

    k8s-app: kubernetes-dashboard

  name: kubernetes-dashboard-certs

  namespace: kube-system

type: Opaque

 

---

# ------------------- Dashboard Service Account ------------------- #

 

apiVersion: v1

kind: ServiceAccount

metadata:

  labels:

    k8s-app: kubernetes-dashboard

  name: kubernetes-dashboard

  namespace: kube-system

 

---

# ------------------- Dashboard Role & Role Binding ------------------- #

 

kind: Role

apiVersion: rbac.authorization.k8s.io/v1

metadata:

  name: kubernetes-dashboard-minimal

  namespace: kube-system

rules:

  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.

- apiGroups: [""]

  resources: ["secrets"]

  verbs: ["create"]

  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.

- apiGroups: [""]

  resources: ["configmaps"]

  verbs: ["create"]

  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.

- apiGroups: [""]

  resources: ["secrets"]

  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]

  verbs: ["get", "update", "delete"]

  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.

- apiGroups: [""]

  resources: ["configmaps"]

  resourceNames: ["kubernetes-dashboard-settings"]

  verbs: ["get", "update"]

  # Allow Dashboard to get metrics from heapster.

- apiGroups: [""]

  resources: ["services"]

  resourceNames: ["heapster"]

  verbs: ["proxy"]

- apiGroups: [""]

  resources: ["services/proxy"]

  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]

  verbs: ["get"]

 

---

apiVersion: rbac.authorization.k8s.io/v1

kind: RoleBinding

metadata:

  name: kubernetes-dashboard-minimal

  namespace: kube-system

roleRef:

  apiGroup: rbac.authorization.k8s.io

  kind: Role

  name: kubernetes-dashboard-minimal

subjects:

- kind: ServiceAccount

  name: kubernetes-dashboard

  namespace: kube-system

 

---

# ------------------- Dashboard Deployment ------------------- #

 

kind: Deployment

apiVersion: apps/v1

metadata:

  labels:

    k8s-app: kubernetes-dashboard

  name: kubernetes-dashboard

  namespace: kube-system

spec:

  replicas: 1

  revisionHistoryLimit: 10

  selector:

    matchLabels:

      k8s-app: kubernetes-dashboard

  template:

    metadata:

      labels:

        k8s-app: kubernetes-dashboard

    spec:

      containers:

      - name: kubernetes-dashboard

        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1

        imagePullPolicy: IfNotPresent       这里是我添加的,永远使用本地

        ports:

        - containerPort: 8443

          protocol: TCP

        args:

          - --auto-generate-certificates

          # Uncomment the following line to manually specify Kubernetes API server Host

          # If not specified, Dashboard will attempt to auto discover the API server and connect

          # to it. Uncomment only if the default does not work.

          # - --apiserver-host=http://my-address:port

        volumeMounts:

        - name: kubernetes-dashboard-certs

          mountPath: /certs

          # Create on-disk volume to store exec logs

        - mountPath: /tmp

          name: tmp-volume

        livenessProbe:

          httpGet:

            scheme: HTTPS

            path: /

            port: 8443

          initialDelaySeconds: 30

          timeoutSeconds: 30

      volumes:

      - name: kubernetes-dashboard-certs

        secret:

          secretName: kubernetes-dashboard-certs

      - name: tmp-volume

        emptyDir: {}

      serviceAccountName: kubernetes-dashboard

      # Comment the following tolerations if Dashboard must not be deployed on master

      tolerations:

      - key: node-role.kubernetes.io/master

        effect: NoSchedule

 

---

# ------------------- Dashboard Service ------------------- #

 

kind: Service

apiVersion: v1

metadata:

  labels:

    k8s-app: kubernetes-dashboard

  name: kubernetes-dashboard

  namespace: kube-system

spec:

  ports:

    - port: 443

      targetPort: 8443

  selector:

k8s-app: kubernetes-dashboard

[root@master manifests]# kubectl apply -f kubernetes-dashboard.yaml

secret/kubernetes-dashboard-certs created

serviceaccount/kubernetes-dashboard created

role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created

rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created

deployment.apps/kubernetes-dashboard created

service/kubernetes-dashboard created

[root@master manifests]# kubectl get pods -n kube-system

NAME                                   READY   STATUS    RESTARTS   AGE

coredns-86c58d9df4-fltl9               1/1     Running   2          24d

coredns-86c58d9df4-kdm2h               1/1     Running   2          24d

etcd-master                            1/1     Running   3          24d

kube-apiserver-master                  1/1     Running   2          24d

kube-controller-manager-master         1/1     Running   2          24d

kube-flannel-ds-amd64-bf7s9            1/1     Running   0          37m

kube-flannel-ds-amd64-vm9vw            1/1     Running   1          37m

kube-flannel-ds-amd64-xqcg9            1/1     Running   0          36m

kube-proxy-6fp6m                       1/1     Running   1          24d

kube-proxy-wv6gg                       1/1     Running   0          24d

kube-proxy-zndjb                       1/1     Running   2          24d

kube-scheduler-master                  1/1     Running   2          24d

kubernetes-dashboard-57df4db6b-cwr44   1/1     Running   0          10s   这里成功了

 

[root@master manifests]# kubectl get svc -n kube-system

NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE

kube-dns               ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP   24d

kubernetes-dashboard   ClusterIP   10.102.254.30   <none>        443/TCP         5m40s

 

这里修改为NodePort

[root@master manifests]# kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system

service/kubernetes-dashboard patched

或者使用 跟上面的命令一个效果

[root@master manifests]# kubectl -n kube-system edit service kubernetes-dashboard

 

[root@master manifests]# kubectl get svc -n kube-system

NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE

kube-dns               ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP   24d

kubernetes-dashboard   NodePort    10.102.254.30   <none>        443:30376/TCP   12m

查看docker容器log发现报错,

2019/03/25 13:34:00 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.

2019/03/25 13:34:30 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.

2019/03/25 13:34:56 http: TLS handshake error from 10.244.2.1:53815: tls: first record does not look like a TLS handshake

2019/03/25 13:35:00 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.

2019/03/25 13:35:06 http: TLS handshake error from 10.244.2.1:53816: EOF

2019/03/25 13:35:30 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.

2019/03/25 13:36:00 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.

2019/03/25 13:36:30 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.

 

wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/grafana.yaml

wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/influxdb.yaml

wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/heapster.yaml

wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/rbac/heapster-rbac.yaml

 

[root@master manifests]# cat  heapster.yaml | grep image

        image: k8s.gcr.io/heapster-amd64:v1.5.4

        imagePullPolicy: IfNotPresent

[root@master manifests]# cat  grafana.yaml | grep image

        image: k8s.gcr.io/heapster-grafana-amd64:v5.0.4

[root@master manifests]# cat influxdb.yaml | grep image

        image: k8s.gcr.io/heapster-influxdb-amd64:v1.5.2

 

docker pull mirrorgooglecontainers/heapster-grafana-amd64:v5.0.4

docker pull mirrorgooglecontainers/heapster-amd64:v1.5.4

docker pull mirrorgooglecontainers/heapster-influxdb-amd64:v1.5.2

 

docker tag mirrorgooglecontainers/heapster-grafana-amd64:v5.0.4  k8s.gcr.io/heapster-grafana-amd64:v5.0.4

docker tag mirrorgooglecontainers/heapster-amd64:v1.5.4 k8s.gcr.io/heapster-amd64:v1.5.4

docker tag mirrorgooglecontainers/heapster-influxdb-amd64:v1.5.2 k8s.gcr.io/heapster-influxdb-amd64:v1.5.2

[root@master kubernetes-dashboard]# ls

grafana.yaml  heapster-rbac.yaml  heapster.yaml  influxdb.yaml

[root@master kubernetes-dashboard]# ll

total 16

-rw-r--r--. 1 root root 2276 Mar 25 09:38 grafana.yaml

-rw-r--r--. 1 root root  264 Mar 25 09:44 heapster-rbac.yaml

-rw-r--r--. 1 root root 1100 Mar 25 09:44 heapster.yaml

-rw-r--r--. 1 root root  960 Mar 25 09:44 influxdb.yaml

[root@master kubernetes-dashboard]# kubectl create -f .

deployment.extensions/monitoring-grafana created

service/monitoring-grafana created

clusterrolebinding.rbac.authorization.k8s.io/heapster created

serviceaccount/heapster created

deployment.extensions/heapster created

service/heapster created

deployment.extensions/monitoring-influxdb created

service/monitoring-influxdb created

[root@master kubernetes-dashboard]# kubectl get pods -n kube-system

NAME                                   READY   STATUS    RESTARTS   AGE

coredns-86c58d9df4-fltl9               1/1     Running   2          25d

coredns-86c58d9df4-kdm2h               1/1     Running   2          25d

etcd-master                            1/1     Running   3          25d

heapster-f64999bc-pcxgw                1/1     Running   0          6s

kube-apiserver-master                  1/1     Running   2          25d

kube-controller-manager-master         1/1     Running   2          25d

kube-flannel-ds-amd64-bf7s9            1/1     Running   0          23h

kube-flannel-ds-amd64-vm9vw            1/1     Running   1          23h

kube-flannel-ds-amd64-xqcg9            1/1     Running   0          23h

kube-proxy-6fp6m                       1/1     Running   1          25d

kube-proxy-wv6gg                       1/1     Running   0          25d

kube-proxy-zndjb                       1/1     Running   2          25d

kube-scheduler-master                  1/1     Running   2          25d

kubernetes-dashboard-57df4db6b-cr5qw   1/1     Running   0          20m

monitoring-grafana-564f579fd4-c22mj    1/1     Running   0          7s

monitoring-influxdb-8b7d57f5c-nbwhk    1/1     Running   0          7s

发现还是有问题

 

修改 yaml 文件

# heapster.yaml 文件

#### 修改如下部分 #####

因为 kubelet 启用了 https 所以如下配置需要增加 https 端口

        - --source=kubernetes:https://kubernetes.default

修改为

        - --source=kubernetes:https://kubernetes.default?kubeletHttps=true&kubeletPort=10250&insecure=true

 

# heapster-rbac.yaml  文件

#### 修改为部分 #####

将 serviceAccount kube-system:heapster 与 ClusterRole system:kubelet-api-admin 绑定,授予它调用 kubelet API 的权限;

kind: ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1beta1

metadata:

  name: heapster

roleRef:

  apiGroup: rbac.authorization.k8s.io

  kind: ClusterRole

  name: system:heapster

subjects:

- kind: ServiceAccount

  name: heapster

  namespace: kube-system

---

kind: ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1beta1

metadata:

  name: heapster-kubelet-api

roleRef:

  apiGroup: rbac.authorization.k8s.io

  kind: ClusterRole

  name: system:kubelet-api-admin

subjects:

- kind: ServiceAccount

  name: heapster

  namespace: kube-system

 

[root@master-47-35 heapster]# kubectl create -f .

deployment.extensions/monitoring-grafana created

service/monitoring-grafana created

clusterrolebinding.rbac.authorization.k8s.io/heapster created

clusterrolebinding.rbac.authorization.k8s.io/heapster-kubelet-api created

serviceaccount/heapster created

deployment.extensions/heapster created

service/heapster created

deployment.extensions/monitoring-influxdb created

service/monitoring-influxdb created

[root@master-47-35 heapster]# kubectl logs -f heapster-7797bb6dd4-jvs6n -n kube-system

I0827 02:25:20.229353       1 heapster.go:78] /heapster --source=kubernetes:https://kubernetes.default?kubeletHttps=true&kubeletPort=10250&insecure=true --sink=influxdb:http://monitoring-influxdb.kube-system.svc:8086

I0827 02:25:20.229399       1 heapster.go:79] Heapster version v1.5.4

I0827 02:25:20.230543       1 configs.go:61] Using Kubernetes client with master "https://kubernetes.default" and version v1

I0827 02:25:20.230569       1 configs.go:62] Using kubelet port 10250

 

[root@node02 ~]# docker logs ee39c9d6530a

2019/03/25 14:01:01 Metric client health check failed: the server is currently unable to handle the request (get services heapster). Retrying in 30 seconds.

2019/03/25 14:01:31 Metric client health check failed: the server is currently unable to handle the request (get services heapster). Retrying in 30 seconds.

2019/03/25 14:02:01 Metric client health check failed: an error on the server ("[-]healthz failed: could not get the latest data batch\nhealthz check failed") has prevented the request from succeeding (get services heapster). Retrying in 30 seconds.

2019/03/25 14:02:31 Successful request to heapster

 

理论到这里输入任何node ip:30255就可以访问了

 

在k8s中 dashboard可以有两种访问方式:kubeconfig(HTTPS)和token(http)

3、token认证

 (1)创建dashboard专用证书

[root@master kubernetes-dashboard]# cd /etc/kubernetes/pki

[root@master pki]# ll

total 68

-rw-r--r--. 1 root root 1216 Feb 28 06:23 apiserver.crt

-rw-r--r--. 1 root root 1090 Feb 28 06:23 apiserver-etcd-client.crt

-rw-------. 1 root root 1679 Feb 28 06:23 apiserver-etcd-client.key

-rw-------. 1 root root 1675 Feb 28 06:23 apiserver.key

-rw-r--r--. 1 root root 1099 Feb 28 06:23 apiserver-kubelet-client.crt

-rw-------. 1 root root 1679 Feb 28 06:23 apiserver-kubelet-client.key

-rw-r--r--. 1 root root 1025 Feb 28 06:23 ca.crt

-rw-------. 1 root root 1675 Feb 28 06:23 ca.key

drwxr-xr-x. 2 root root  162 Feb 28 06:23 etcd

-rw-r--r--. 1 root root 1038 Feb 28 06:23 front-proxy-ca.crt

-rw-------. 1 root root 1675 Feb 28 06:23 front-proxy-ca.key

-rw-r--r--. 1 root root 1058 Feb 28 06:23 front-proxy-client.crt

-rw-------. 1 root root 1679 Feb 28 06:23 front-proxy-client.key

-rw-------. 1 root root 1675 Feb 28 06:23 sa.key

-rw-------. 1 root root  451 Feb 28 06:23 sa.pub

-rw-r--r--. 1 root root  973 Mar 19 12:07 wolf.crt

-rw-r--r--. 1 root root  883 Mar 19 12:06 wolf.csr

-rw-------. 1 root root 1679 Mar 19 12:04 wolf.key

[root@master pki]# (umask 077;openssl genrsa -out dashboard.key 2048)

Generating RSA private key, 2048 bit long modulus

.............................................................................................................................................+++

...................................+++

e is 65537 (0x10001)

[root@master pki]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=magedu/CN=dashboard"

[root@master pki]# openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 365

Signature ok

subject=/O=magedu/CN=dashboard

Getting CA Private Key

[root@master pki]# kubectl create secret generic dashboard-cert -n kube-system --from-file=./dashboard.crt --from-file=dashboard.key=./dashboard.key

secret/dashboard-cert created

[root@master pki]# kubectl get secret -n kube-system |grep dashboard

dashboard-cert                                   Opaque                                2      8s

kubernetes-dashboard-certs                       Opaque                                0      100m

kubernetes-dashboard-key-holder                  Opaque                                2      24h

kubernetes-dashboard-token-jdw29                 kubernetes.io/service-account-token   3      100m

[root@master pki]# kubectl create serviceaccount def-ns-admin -n default

serviceaccount/def-ns-admin created

[root@master pki]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin

rolebinding.rbac.authorization.k8s.io/def-ns-admin created

[root@master pki]# kubectl get secret

NAME                       TYPE                                  DATA   AGE

admin-token-68nnz          kubernetes.io/service-account-token   3      5d23h

def-ns-admin-token-m5hhd   kubernetes.io/service-account-token   3      3m41s

default-token-6q28w        kubernetes.io/service-account-token   3      25d

mysa-token-hb6lq           kubernetes.io/service-account-token   3      5d23h

mysecret                   Opaque                                2      8d

mysecret-1                 Opaque                                2      8d

mysecret2                  Opaque                                2      8d

tomcat-ingress-secret      kubernetes.io/tls                     2      11d

[root@master pki]# kubectl describe secret def-ns-admin-token-m5hhd

Name:         def-ns-admin-token-m5hhd

Namespace:    default

Labels:       <none>

Annotations:  kubernetes.io/service-account.name: def-ns-admin

              kubernetes.io/service-account.uid: 5712af5c-4f10-11e9-bca0-a0369f95b76e

 

Type:  kubernetes.io/service-account-token

 

Data

====

ca.crt:     1025 bytes

namespace:  7 bytes

token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1tNWhoZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI1NzEyYWY1Yy00ZjEwLTExZTktYmNhMC1hMDM2OWY5NWI3NmUiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.Pek2gNquzGfO07MZeZcmZqGlTf3osL0R1x1qNRSPwL25mrTkyU9TLmBQ0nPKkNFmHfQFqz9thJ9BgG5ANRrZ2USYXJy4so9wjk0pPLtk3RaDh-Y6xLta4wjVeGBRJIMf2NLCgAK3JoM6CIc3OawBzjlJR8Y0R2ea_HtN_X48uxciAmzfuxpUG-QdU5Bxt3AEccSTrSTyVKxhx2fJfYFwo-zyJfkznxDfuClvF6aG-h0mztMlvVZArGzxFSjb9O-ZHoyPzymYHmjC9LP6K0KdcIhnxkMFJl-VvJt4khVXoy_6a8MCrOAyG2hk4YQtCuMgkPpG806CuW8a-56Fj8LHUg

将该token复制后,填入验证,要知道的是,该token认证仅可以查看default名称空间的内容,如下图:

4、kubeconfig认证 

(1)配置def-ns-admin的集群信息

[root@master pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://10.249.6.100:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf

Cluster "kubernetes" set.

  1. 使用token写入集群验证

kubectl config set-credentials -h  #认证的方式可以通过crt和key文件,也可以使用token进行配置,这里使用tonken

 

Usage:

  kubectl config set-credentials NAME [--client-certificate=path/to/certfile] [--client-key=path/to/keyfile]

[--token=bearer_token] [--username=basic_user] [--password=basic_password] [--auth-provider=provider_name]

[--auth-provider-arg=key=value] [options]

[root@master pki]# kubectl describe secret def-ns-admin-token-m5hhd

Name:         def-ns-admin-token-m5hhd

Namespace:    default

Labels:       <none>

Annotations:  kubernetes.io/service-account.name: def-ns-admin

              kubernetes.io/service-account.uid: 5712af5c-4f10-11e9-bca0-a0369f95b76e

 

Type:  kubernetes.io/service-account-token

 

Data

====

token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1tNWhoZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI1NzEyYWY1Yy00ZjEwLTExZTktYmNhMC1hMDM2OWY5NWI3NmUiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.Pek2gNquzGfO07MZeZcmZqGlTf3osL0R1x1qNRSPwL25mrTkyU9TLmBQ0nPKkNFmHfQFqz9thJ9BgG5ANRrZ2USYXJy4so9wjk0pPLtk3RaDh-Y6xLta4wjVeGBRJIMf2NLCgAK3JoM6CIc3OawBzjlJR8Y0R2ea_HtN_X48uxciAmzfuxpUG-QdU5Bxt3AEccSTrSTyVKxhx2fJfYFwo-zyJfkznxDfuClvF6aG-h0mztMlvVZArGzxFSjb9O-ZHoyPzymYHmjC9LP6K0KdcIhnxkMFJl-VvJt4khVXoy_6a8MCrOAyG2hk4YQtCuMgkPpG806CuW8a-56Fj8LHUg

ca.crt:     1025 bytes

namespace:  7 bytes

 

这里的token是base64编码,此处需要进行解码操作

[root@master pki]# kubectl get secret def-ns-admin-token-m5hhd -o jsonpath={.data.token} |base64 -d

eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1tNWhoZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI1NzEyYWY1Yy00ZjEwLTExZTktYmNhMC1hMDM2OWY5NWI3NmUiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.Pek2gNquzGfO07MZeZcmZqGlTf3osL0R1x1qNRSPwL25mrTkyU9TLmBQ0nPKkNFmHfQFqz9thJ9BgG5ANRrZ2USYXJy4so9wjk0pPLtk3RaDh-Y6xLta4wjVeGBRJIMf2NLCgAK3JoM6CIc3OawBzjlJR8Y0R2ea_HtN_X48uxciAmzfuxpUG-QdU5Bxt3AEccSTrSTyVKxhx2fJfYFwo-zyJfkznxDfuClvF6aG-h0mztMlvVZArGzxFSjb9O-ZHoyPzymYHmjC9LP6K0KdcIhnxkMFJl-VvJt4khVXoy_6a8MCrOAyG2hk4YQtCuMgkPpG806CuW8a-56Fj8LHUg[root@master pki]#

配置token信息

[root@master pki]# kubectl config set-credentials def-ns-admin --token=eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1tNWhoZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI1NzEyYWY1Yy00ZjEwLTExZTktYmNhMC1hMDM2OWY5NWI3NmUiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.Pek2gNquzGfO07MZeZcmZqGlTf3osL0R1x1qNRSPwL25mrTkyU9TLmBQ0nPKkNFmHfQFqz9thJ9BgG5ANRrZ2USYXJy4so9wjk0pPLtk3RaDh-Y6xLta4wjVeGBRJIMf2NLCgAK3JoM6CIc3OawBzjlJR8Y0R2ea_HtN_X48uxciAmzfuxpUG-QdU5Bxt3AEccSTrSTyVKxhx2fJfYFwo-zyJfkznxDfuClvF6aG-h0mztMlvVZArGzxFSjb9O-ZHoyPzymYHmjC9LP6K0KdcIhnxkMFJl-VvJt4khVXoy_6a8MCrOAyG2hk4YQtCuMgkPpG806CuW8a-56Fj8LHU --kubeconfig=/root/def-ns-admin.conf

User "def-ns-admin" set.

[root@master pki]#

  1. 配置上下文和当前上下文

[root@master pki]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.con

Context "def-ns-admin@kubernetes" created.

[root@master pki]# kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf

Switched to context "def-ns-admin@kubernetes".

[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf

apiVersion: v1

clusters:

- cluster:

    certificate-authority-data: DATA+OMITTED

    server: https://10.249.6.100:6443

  name: kubernetes

contexts:

- context:

    cluster: kubernetes

    user: def-ns-admin

  name: def-ns-admin@kubernetes

current-context: def-ns-admin@kubernetes

kind: Config

preferences: {}

users:

- name: def-ns-admin

  user:

token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1tNWhoZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI1NzEyYWY1Yy00ZjEwLTExZTktYmNhMC1hMDM2OWY5NWI3NmUiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.Pek2gNquzGfO07MZeZcmZqGlTf3osL0R1x1qNRSPwL25mrTkyU9TLmBQ0nPKkNFmHfQFqz9thJ9BgG5ANRrZ2USYXJy4so9wjk0pPLtk3RaDh-Y6xLta4wjVeGBRJIMf2NLCgAK3JoM6CIc3OawBzjlJR8Y0R2ea_HtN_X48uxciAmzfuxpUG-QdU5Bxt3AEccSTrSTyVKxhx2fJfYFwo-zyJfkznxDfuClvF6aG-h0mztMlvVZArGzxFSjb9O-ZHoyPzymYHmjC9LP6K0KdcIhnxkMFJl-VvJt4khVXoy_6a8MCrOAyG2hk4YQtCuMgkPpG806CuW8a-56Fj8LHU

 

二、总结

1、部署dashboard:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

2、将Service改为Node Port方式进行访问:

kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system

3、访问认证:

认证时的账号必须为ServiceAccount:其作用是被dashboard pod拿来由kubenetes进行认证;认证方式有2种:
token:

  • (1)创建ServiceAccount,根据其管理目标,使用rolebinding或clusterbinding绑定至合理的role或clusterrole;
  • (2)获取此ServiceAccount的secret,查看secret的详细信息,其中就有token;
  • (3)复制token到认证页面即可登录

kubeconfig:把ServiceAccount的token封装为kubeconfig文件

  • (1)创建ServiceAccount,根据其管理目标,使用rolebinding或clusterbinding绑定至合理的role或clusterrole;
  • (2)kubectl get secret |awk '/^ServiceAccount/{print $1}'
  • KUBE_TOKEN=$(kubectl get secret SERVICEACCOUNT_SECRET_NAME -o jsonpath={.data.token} | base64 -d)
  • (3)生成kubeconfig文件

kubectl config set-cluster

kubectl config set-credentials NAME --token=$KUBE_TOKEN

kubectl config set-context

kubectl config use-context

 

 

 

评论 2
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值