Dashboard官方地址:https://GitHub.com/kubernetes/dashboard dashbord是作为一个pod来运行,需要servic
Dashboard官方地址:https://GitHub.com/kubernetes/dashboard
dashbord是作为一个pod来运行,需要serviceaccount账号来登录。
先给dashboad创建一个专用的认证信息。
先建立私钥:
[root@master ~]# cd /etc/kubernetes/pki/[root@master pki]# (umask 077; openssl genrsa -out dashboard.key 2048)Generating RSA private key, 2048 bit long modulus.............................................................................................................................+++.................................+++建立一个证书签署请求:
[root@master pki]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=zhixin/CN=dashboard"下面开始签署证书:
[root@master pki]# openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 365Signature oksubject=/O=zhixin/CN=dashboardGetting CA Private Key把上面生成的私钥和证书创建成secret
[root@master pki]# kubectl create secret generic dashboard-cert -n kube-system --from-file=dashboard.crt=./dashboard.crt --from-file=dashboard.key=./dashboard.key secret/dashboard-cert created[root@master pki]# kubectl get secret -n kube-system |grep dashboarddashboard-cert Opaque 2 5m创建一个serviceaccount,因为dashborad需要serviceaccount(pod之间登录验证的用户)验证登录。
[root@master pki]# kubectl create serviceaccount dashboard-admin -n kube-systemserviceaccount/dashboard-admin created[root@master pki]# kubectl get sa -n kube-system |grep admindashboard-admin 1 23s下面通过clusterrolebinding把dashboard-admin加入到clusterrole里面。
[root@master pki]# kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-adminclusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin created 这样serviceaccount 用户dashboard-admin就拥有了管理所有集群的权限。
[root@master pki]# kubectl get secret -n kube-system |grep dashboarddashboard-admin-token-hfxg9 kubernetes.io/service-account-token 3 7m[root@master pki]# kubectl describe secret dashboard-admin-token-hfxg9 -n kube-systemtoken: eyJhbGCiOijsUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcMQtYWRtaW4tdG9rZW4taGZ4ZzkiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZDBlNmIxMzAtYzM5OC0xMWU4LWJiMzUtMDA1MDU2YTI0ZWNiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.PyE0q9sZl8uDF-KGvpwG3nDfny9i2wdP-24Jf8d5GlWDfaHO3vkEe1zs56K7qkRPvrg-iQ0tVvoVG8SAj2cBKjLYP6oSiQcVS3ax2TyiSG7j5Ibupc1TXKj0Yc4FfcIKu1tMZwtezHdKUDDY7RJ2sp81rYHbjdkjXe-40cITCKcjadSU-6sfNJnq4E4E-bp1LYrBvokUbBW4xkHzruS7QFQAnEZ3v257R_xjXx23NPsqwCH6dx8OWYgIXdtUos7vNjLw8xy-_rO9VEuGRnzni5m9SBdVwEF7edtJh_psZBe7yfGAkgfRPpxbwB_wyyProM-ain6LL4aekUwBqbwOLQ上面的token就是serviceaccount用户dashboad-admin的认证令牌。
下面开始部署dashboard
[root@master pki]# kubectl apply -f Https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml[root@master ~]# kubectl get pods -n kube-systemNAME READY STATUS RESTARTS AGEkubernetes-dashboard-767dc7d4d-4mq9z 1/1 Running 2 2h[root@master ~]# kubectl get svc -n kube-systemNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGEkube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/tcp 21dkubernetes-dashboard ClusterIP 10.104.8.78 <none> 443/TCP 45m[root@master ~]# kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"nodePort"}}' -n kube-systemservice/kubernetes-dashboard patched[root@master ~]# kubectl get svc -n kube-systemNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGEkube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP 21dkubernetes-dashboard NodePort 10.104.8.78 <none> 443:31647/TCP 47m 这样我们就可以在集群外部使用31647端口访问dashboard了,ip就使用node master宿主机的ip。
用浏览器打开:https://172..16.1.100:31647,并把上面得到的token粘贴到令牌里面进行登录:
注意,要用火狐浏览器打开,其他浏览器打不开的,注意注意!!!
上面认证的方法,这个用户能看到所有集群的所有东西,是个超级管理员。下面我们再设置个用户,限定它只能访问default名称空间。
[root@master ~]# kubectl create serviceaccount def-ns-admin -n defaultserviceaccount/def-ns-admin created[root@master ~]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-adminrolebinding.rbac.authorization.k8s.io/def-ns-admin created[root@master ~]# kubectl get secretNAME TYPE DATA AGEadmin-token-6jpc5 kubernetes.io/service-account-token 3 1ddef-ns-admin-token-646gx kubernetes.io/service-account-token 3 2m[root@master ~]# kubectl describe secret def-ns-admin-token-646gxtoken: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi02NDZneCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ODZiOGI2NC1jM2JmLTExZTgtYmIzNS0wMDUwNTZhMjRlY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.MTyQW7Vn_1j9cfmtYAE4CepmLsaMsMfE5VG6xkx4LsfrsKOO2FAo1bQuUtjLtAj52UzC7I0dVqQKpcx1DPxkr8QIpNm37PLE01geQ0C0me7QiRiM9KrFXmDtxUSLlhPBahxg-krlaANEWDKX69nss6qKiFgip7KHM_uP-b1d1caSE8y-zdEtTHK8QJ9reMb-EHG6iPkFpYJ-2guDOUhL5559usR16o2AWoN8yRdcKtnpqwBV_n2UE4m83kLjA30PtYpqraIQp9yTa21jiVlceHZpWxx-HlOEjDE4ekNCe_xTorJ7MbHVTyfqr37o8fh8Gsh-P5_tK-qaDOO7pSMkHA 把上面的token登录到WEB页面的令牌,登录进去后只能看default名称空间的内容。
下面我们再用Kubeconf的方法来验证登录试试。
[root@master pki]# cd /etc/kubernetes/pki[root@master pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://172.16.1.100:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.confCluster "kubernetes" set.[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf apiVersion: v1clusters:- cluster: certificate-authority-data: REDACTED server: https://172.16.1.100:6443 name: kubernetescontexts: []current-context: ""kind: Configpreferences: {}users: [][root@master pki]# kubectl get secretNAME TYPE DATA AGEadmin-token-6jpc5 kubernetes.io/service-account-token 3 1ddef-ns-admin-token-646gx kubernetes.io/service-account-token 3 33m[root@master pki]# kubectl get secret def-ns-admin-token-646gx -o JSON "token": "ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSmtaV1poZFd4MElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WldOeVpYUXVibUZ0WlNJNkltUmxaaTF1Y3kxaFpHMXBiaTEwYjJ0bGJpMDJORFpuZUNJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh3YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZ5ZG1salpTMWhZMk52ZFc1MExtNWhiV1VpT2lKa1pXWXRibk10WVdSdGFXNGlMQ0pyZFdKbGNtNWxkR1Z6TG1sdkwzTmxjblpwWTJWaFkyTnZkVzUwTDNObGNuWnBZMlV0WVdOamIzVnVkQzUxYVdRaU9pSTRPRFppT0dJMk5DMWpNMkptTFRFeFpUZ3RZbUl6TlMwd01EVXdOVFpoTWpSbFkySWlMQ0p6ZFdJaU9pSnplWE4wWlcwNmMyVnlkbWxqWldGalkyOTFiblE2WkdWbVlYVnNkRHBrWldZdGJuTXRZV1J0YVc0aWZRLk1UeVFXN1ZuXzFqOWNmbXRZQUU0Q2VwbUxzYU1zTWZFNVZHNnhreDRMc2Zyc0tPTzJGQW8xYlF1VXRQtHRBajUyVXpDN0kwZFZxUUtwY3gxRFB4a3I4UUlwTm0zN1BMRTAxZ2VRMEMwbWU3UWlSaU05S3JGWG1EdHhVU0xsaFBCYWh5Zy1rcmxhQU5FV0RLWDY5bnNzNnFLaUZnaXA3S0hNX3VQLWIxZDFjYVNFOHktemRFdFRISzhRSjlyZU1iLUVIRzZpUGtGcFlKLTJndURPVWhMNTU1OXVzUjE2bzJBV29OOHlSZGNLdG5wcXdCVl9uMlVFNG04M2tMakEzMFB0WXBxcmFJUXA5eVRhMjFqaVZsY2VIWnBXeHgtSGxPRWpERTRla05DZV94VG9ySjdNYkhWVHlmcXIzN284Zmg4R3NoLVA1X3RLLXFhRE9PN3BTTWtIQQ=="[root@master pki]# DEF_NS_ADMIN_TOKEN=$(kubectl get secret def-ns-admin-token-646gx -o jsonpath={.data.token}|base64 -d)[root@master pki]# kubectl config set-credentials def-ns-admin --token=$DEF_NS_ADMIN_TOKEN --kubeconfig=/root/def-ns-admin.conf User "def-ns-admin" set.[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf apiVersion: v1clusters:- cluster: certificate-authority-data: REDACTED server: https://172.16.1.100:6443 name: kubernetescontexts: []current-context: ""kind: Configpreferences: {}users:- name: def-ns-admin[root@master pki]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf Context "def-ns-admin@kubernetes" created.[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf apiVersion: v1clusters:- cluster: certificate-authority-data: REDACTED server: https://172.16.1.100:6443 name: kubernetescontexts:- context: cluster: kubernetes user: def-ns-admin name: def-ns-admin@kubernetescurrent-context: ""kind: Configpreferences: {}users:- name: def-ns-admin user: token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi02NDZneCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ODZiOGI2NC1jM2JmLTExZTgtYmIzNS0wMDUwNTZhMjRlY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.MTyQW7Vn_1j9cfmtYAE4CepmLsaMsMfE5VG6xkx4LsfrsKOO2FAo1bQuUtjLtAj52UzC7I0dVqQKpcx1DPxkr8QIpNm37PLE01geQ0C0me7QiRiM9KrFXmDtxUSLlhPBahxg-krlaANEWDKX69nss6qKiFgip7KHM_uP-b1d1caSE8y-zdEtTHK8QJ9reMb-EHG6iPkFpYJ-2guDOUhL5559usR16o2AWoN8yRdcKtnpqwBV_n2UE4m83kLjA30PtYpqraIQp9yTa21jiVlceHZpWxx-HlOEjDE4ekNCe_xTorJ7MbHVTyfqr37o8fh8Gsh-P5_tK-qaDOO7pSMkHA[root@master pki]# kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf Switched to context "def-ns-admin@kubernetes".[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf apiVersion: v1clusters:- cluster: certificate-authority-data: REDACTED server: https://172.16.1.100:6443 name: kubernetescontexts:- context: cluster: kubernetes user: def-ns-admin name: def-ns-admin@kubernetescurrent-context: def-ns-admin@kuberneteskind: Configpreferences: {}users:- name: def-ns-admin user: token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi02NDZneCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ODZiOGI2NC1jM2JmLTExZTgtYmIzNS0wMDUwNTZhMjRlY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.MTyQW7Vn_1j9cfmtYAE4CepmLsaMsMfE5VG6xkx4LsfrsKOO2FAo1bQuUtjLtAj52UzC7I0dVqQKpcx1DPxkr8QIpNm37PLE01geQ0C0me7QiRiM9KrFXmDtxUSLlhPBahxg-krlaANEWDKX69nss6qKiFgip7KHM_uP-b1d1caSE8y-zdEtTHK8QJ9reMb-EHG6iPkFpYJ-2guDOUhL5559usR16o2AWoN8yRdcKtnpqwBV_n2UE4m83kLjA30PtYpqraIQp9yTa21jiVlceHZpWxx-HlOEjDE4ekNCe_xTorJ7MbHVTyfqr37o8fh8Gsh-P5_tK-qaDOO7pSMkHA这时候/root/def-ns-admin.conf文件就可以用在dashboard中,用它进行登录了。
1、部署:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml 2、将service改为NodePort:
kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system 3、认证:
认证时的账户必须为ServiceAccount:作用是被dashboard pod拿来由kubernetes进行认证。
第一种:token方式认证:
a) 创建serviceaccount,根据其管理目标,使用rolebinding或者clusterrolebinding绑定至合理role或者clusterrole;
b)获取到此serviceAccount的secret,查看secret的详细信息,其中就有token,粘贴到web界面的令牌里面
第二种: kubeconfig方式认证:把serviceaccount的token封装为kubeconfig文件。
a) 创建serviceaccount,根据其管理目标,使用rolebinding或者clusterrolebinding绑定至合理role或者clusterrole;
b)
kubect get secret | awk '/^ServiceAccountName/{print $1}'
KUBE_TOKEN=DEF_NS_ADMIN_TOKEN=$(kubectl get secret SERVICEACCOUNT_SERCRET_NAME -o jsonpath={.data.token}|base64 -d)
c) 生成kubeconfig文件
kubectl config set-cluster --kubeconfig=/PATH/TO/SOMEFILE
kubectl config set-credentials NAME --token=$KUBE_TOKEN --kubeconfig=/PATH/TO/SOMEFILE
kubctl config set-context
kubectl config use-context
1、命令式:create,run,expose,delete,edit....
2、命令式配置文件:create -f /PATH/TO/RESOURCE_CONFIGURATION_FILE,delete -f,replace -f
3、声明式配置文件:apply -f,patch,
一般建议不要混合使用上面三种方式。建议使用apply和patch这样的命令。
--结束END--
本文标题: docker笔记30-k8s dashboard认证及分级授权
本文链接: https://lsjlt.com/news/238318.html(转载时请注明来源链接)
有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341
2024-05-24
2024-05-24
2024-05-24
2024-05-24
2024-05-24
2024-05-24
2024-05-24
2024-05-24
2024-05-24
2024-05-24
回答
回答
回答
回答
回答
回答
回答
回答
回答
回答
官方手机版
微信公众号
商务合作
0