zoukankan      html  css  js  c++  java
  • k8s系列--- dashboard认证及分级授权

    http://blog.itpub.net/28916011/viewspace-2215214/

    因版本不一样,略有改动

     Dashboard官方地址: https://github.com/kubernetes/dashboard

    dashbord是作为一个pod来运行,需要serviceaccount账号来登录。

    先给dashboad创建一个专用的认证信息。

    先建立私钥

    [root@master ~]# cd /etc/kubernetes/pki/
    [root@master pki]# (umask 077; openssl genrsa -out dashboard.key 2048)
    Generating RSA private key, 2048 bit long modulus
    .............................................................................................................................+++
    .................................+++
    

      

     建立一个证书签署请求:

    [root@master pki]# openssl req -new -key dashboard.key  -out dashboard.csr -subj "/O=zhixin/CN=dashboard"
    

     

    下面开始签署证书:

     [root@master pki]# openssl  x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key  -CAcreateserial -out dashboard.crt -days 365
    Signature ok
    subject=/O=zhixin/CN=dashboard
    Getting CA Private Key
    

      

    把上面生成的私钥和证书创建成secret

    [root@master pki]# kubectl create secret generic dashboard-cert -n kube-system --from-file=dashboard.crt=./dashboard.crt  --from-file=dashboard.key=./dashboard.key 
    secret/dashboard-cert created
    [root@master pki]# kubectl get secret -n kube-system |grep dashboard
    dashboard-cert                                   Opaque                                2         5m
    

      

    创建一个serviceaccount,因为dashborad需要serviceaccount(pod之间登录验证的用户)验证登录。

    [root@master pki]# kubectl create serviceaccount dashboard-admin -n kube-system
    serviceaccount/dashboard-admin created
    

      

    [root@master pki]# kubectl get sa -n kube-system |grep admin
    dashboard-admin                      1         23s
    

      

    下面通过clusterrolebinding把dashboard-admin加入到clusterrole里面。

    [root@master pki]# kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
    clusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin created
    

      

          这样serviceaccount 用户dashboard-admin就拥有了管理所有集群的权限。 

    [root@master pki]# kubectl get secret -n kube-system |grep dashboard
    dashboard-admin-token-hfxg9                      kubernetes.io/service-account-token   3         7m
    

      

    [root@master pki]# kubectl describe secret dashboard-admin-token-hfxg9 -n kube-system
    token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4taGZ4ZzkiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZDBlNmIxMzAtYzM5OC0xMWU4LWJiMzUtMDA1MDU2YTI0ZWNiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.PyE0q9sZl8uDF-KGvpwG3nDfny9i2wdP-24Jf8d5GlWDfaHO3vkEe1zs56K7qkRPvrg-iQ0tVvoVG8SAj2cBKjLYP6oSiQcVS3ax2TyiSG7j5Ibupc1TXKj0Yc4FfcIKu1tMZwtezHdKUDDY7RJ2sp81rYHbJdkjXe-40cITCKcjadSU-6sfNJnq4E4E-bp1LYrBvokUbBW4xkHzruS7QFQAnEZ3v257R_xjXx23NPsqwCH6dx8OWYgIXdtUos7vNjLw8xy-_rO9VEuGRnzni5m9SBdVwEF7edtJh_psZBe7yfGAkgfRPpxbwB_wyyProM-aIn6LL4aekUwBqbwOLQ
    

      

      上面的token就是serviceaccount用户dashboad-admin的认证令牌。

      下面开始部署dashboard

    $ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
    //具体链接还得去git上去参考官方给的提示https://github.com/kubernetes/dashboard
    //因我这里一直访问不到gcr,之前通过阿里的代理去获取镜像,不知道这次怎么不行了。
    //所以单独把上面的yaml下载下来,然后改了image地址
    

      

    修改了Dashboard Deployment下面的image来源

    [root@master dashboard]# cat kubernetes-dashboard.yaml 
    # Copyright 2017 The Kubernetes Authors.
    #
    # Licensed under the Apache License, Version 2.0 (the "License");
    # you may not use this file except in compliance with the License.
    # You may obtain a copy of the License at
    #
    #     http://www.apache.org/licenses/LICENSE-2.0
    #
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.
    
    # ------------------- Dashboard Secret ------------------- #
    
    apiVersion: v1
    kind: Secret
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard-certs
      namespace: kube-system
    type: Opaque
    
    ---
    # ------------------- Dashboard Service Account ------------------- #
    
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kube-system
    
    ---
    # ------------------- Dashboard Role & Role Binding ------------------- #
    
    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: kubernetes-dashboard-minimal
      namespace: kube-system
    rules:
      # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["create"]
      # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
    - apiGroups: [""]
      resources: ["configmaps"]
      verbs: ["create"]
      # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
    - apiGroups: [""]
      resources: ["secrets"]
      resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
      verbs: ["get", "update", "delete"]
      # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
    - apiGroups: [""]
      resources: ["configmaps"]
      resourceNames: ["kubernetes-dashboard-settings"]
      verbs: ["get", "update"]
      # Allow Dashboard to get metrics from heapster.
    - apiGroups: [""]
      resources: ["services"]
      resourceNames: ["heapster"]
      verbs: ["proxy"]
    - apiGroups: [""]
      resources: ["services/proxy"]
      resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
      verbs: ["get"]
    
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: kubernetes-dashboard-minimal
      namespace: kube-system
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: kubernetes-dashboard-minimal
    subjects:
    - kind: ServiceAccount
      name: kubernetes-dashboard
      namespace: kube-system
    
    ---
    # ------------------- Dashboard Deployment ------------------- #
    
    kind: Deployment
    apiVersion: apps/v1
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kube-system
    spec:
      replicas: 1
      revisionHistoryLimit: 10
      selector:
        matchLabels:
          k8s-app: kubernetes-dashboard
      template:
        metadata:
          labels:
            k8s-app: kubernetes-dashboard
        spec:
          containers:
          - name: kubernetes-dashboard
            image: mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1
            imagePullPolicy: IfNotPresent
            ports:
            - containerPort: 8443
              protocol: TCP
            args:
              - --auto-generate-certificates
              # Uncomment the following line to manually specify Kubernetes API server Host
              # If not specified, Dashboard will attempt to auto discover the API server and connect
              # to it. Uncomment only if the default does not work.
              # - --apiserver-host=http://my-address:port
            volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
            livenessProbe:
              httpGet:
                scheme: HTTPS
                path: /
                port: 8443
              initialDelaySeconds: 30
              timeoutSeconds: 30
          volumes:
          - name: kubernetes-dashboard-certs
            secret:
              secretName: kubernetes-dashboard-certs
          - name: tmp-volume
            emptyDir: {}
          serviceAccountName: kubernetes-dashboard
          # Comment the following tolerations if Dashboard must not be deployed on master
          tolerations:
          - key: node-role.kubernetes.io/master
            effect: NoSchedule
    
    ---
    # ------------------- Dashboard Service ------------------- #
    
    kind: Service
    apiVersion: v1
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kube-system
    spec:
      ports:
        - port: 443
          targetPort: 8443
      selector:
        k8s-app: kubernetes-dashboard
    修改的yaml文件

    修改完成之后才apply的

    [root@master dashboard]# kubectl apply -f kubernetes-dashboard.yaml 
    

     

    [root@master ~]# kubectl get pods -n kube-system
    NAME                                   READY     STATUS    RESTARTS   AGE
    kubernetes-dashboard-767dc7d4d-4mq9z   1/1       Running   2          2h
    

      

    [root@master ~]# kubectl get svc -n kube-system
    NAME                   TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGE
    kube-dns               ClusterIP   10.96.0.10    <none>        53/UDP,53/TCP   21d
    kubernetes-dashboard   ClusterIP   10.104.8.78   <none>        443/TCP         45m
    

      

    [root@master ~]# kubectl  patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
    service/kubernetes-dashboard patched
    

      

    [root@master ~]# kubectl get svc -n kube-system
    NAME                   TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGE
    kube-dns               ClusterIP   10.96.0.10    <none>        53/UDP,53/TCP   21d
    kubernetes-dashboard   NodePort    10.104.8.78   <none>        443:31647/TCP   47m
    

      

     这样我们就可以在集群外部使用31647端口访问dashboard了,ip就使用node master宿主机的ip。 

     用浏览器打开: https://172..16.1.100:31647,并把上面得到的token粘贴到令牌里面进行登录:

     注意,要用火狐浏览器打开,其他浏览器打不开的,是https的    。。。注意注意!!!    

    如果想解决chrome登陆https的方式,参考如下配置:

    这个问题很困扰使用者,那么我们就来看看如何通过谷歌浏览器打开自己部署的kubernetes UI界面
    
    mkdir key && cd key
    #生成证书
    openssl genrsa -out dashboard.key 2048 
    openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=192.168.246.200'
    openssl x509 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt 
    #删除原有的证书secret
    kubectl delete secret kubernetes-dashboard-certs -n kube-system
    #创建新的证书secret
    kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt -n kube-system
    #查看pod
    kubectl get pod -n kube-system
    #重启pod
    kubectl delete pod <pod name> -n kube-system

     

        

        上面认证的方法,这个用户能看到所有集群的所有东西,是个超级管理员。下面我们再设置个用户,限定它只能访问default名称空间。

    [root@master ~]# kubectl create serviceaccount def-ns-admin -n default
    serviceaccount/def-ns-admin created
    

      

    [root@master ~]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin
    rolebinding.rbac.authorization.k8s.io/def-ns-admin created
    

      

    [root@master ~]# kubectl get secret
    NAME                       TYPE                                  DATA      AGE
    admin-token-6jpc5          kubernetes.io/service-account-token   3         1d
    def-ns-admin-token-646gx   kubernetes.io/service-account-token   3         2m
    

      

    [root@master ~]# kubectl describe secret def-ns-admin-token-646gx
    token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi02NDZneCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ODZiOGI2NC1jM2JmLTExZTgtYmIzNS0wMDUwNTZhMjRlY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.MTyQW7Vn_1j9cfmtYAE4CepmLsaMsMfE5VG6xkx4LsfrsKOO2FAo1bQuUtjLtAj52UzC7I0dVqQKpcx1DPxkr8QIpNm37PLE01geQ0C0me7QiRiM9KrFXmDtxUSLlhPBahxg-krlaANEWDKX69nss6qKiFgip7KHM_uP-b1d1caSE8y-zdEtTHK8QJ9reMb-EHG6iPkFpYJ-2guDOUhL5559usR16o2AWoN8yRdcKtnpqwBV_n2UE4m83kLjA30PtYpqraIQp9yTa21jiVlceHZpWxx-HlOEjDE4ekNCe_xTorJ7MbHVTyfqr37o8fh8Gsh-P5_tK-qaDOO7pSMkHA
    

      

     把上面的token登录到web页面的令牌,登录进去后只能看default名称空间的内容。 

        

        下面我们再用Kubeconf的方法来验证登录试试。

    [root@master pki]# cd /etc/kubernetes/pki
    

      

    [root@master pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://172.16.1.100:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf
    Cluster "kubernetes" set.
    

      

    [root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf 
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: REDACTED
        server: https://172.16.1.100:6443
      name: kubernetes
    contexts: []
    current-context: ""
    kind: Config
    preferences: {}
    users: []
    

      

    [root@master pki]# kubectl get secret
    NAME                       TYPE                                  DATA      AGE
    admin-token-6jpc5          kubernetes.io/service-account-token   3         1d
    def-ns-admin-token-646gx   kubernetes.io/service-account-token   3         33m
    

      

    [root@master pki]# kubectl get secret  def-ns-admin-token-646gx  -o json
     "token": "ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSmtaV1poZFd4MElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WldOeVpYUXVibUZ0WlNJNkltUmxaaTF1Y3kxaFpHMXBiaTEwYjJ0bGJpMDJORFpuZUNJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZ5ZG1salpTMWhZMk52ZFc1MExtNWhiV1VpT2lKa1pXWXRibk10WVdSdGFXNGlMQ0pyZFdKbGNtNWxkR1Z6TG1sdkwzTmxjblpwWTJWaFkyTnZkVzUwTDNObGNuWnBZMlV0WVdOamIzVnVkQzUxYVdRaU9pSTRPRFppT0dJMk5DMWpNMkptTFRFeFpUZ3RZbUl6TlMwd01EVXdOVFpoTWpSbFkySWlMQ0p6ZFdJaU9pSnplWE4wWlcwNmMyVnlkbWxqWldGalkyOTFiblE2WkdWbVlYVnNkRHBrWldZdGJuTXRZV1J0YVc0aWZRLk1UeVFXN1ZuXzFqOWNmbXRZQUU0Q2VwbUxzYU1zTWZFNVZHNnhreDRMc2Zyc0tPTzJGQW8xYlF1VXRqTHRBajUyVXpDN0kwZFZxUUtwY3gxRFB4a3I4UUlwTm0zN1BMRTAxZ2VRMEMwbWU3UWlSaU05S3JGWG1EdHhVU0xsaFBCYWh4Zy1rcmxhQU5FV0RLWDY5bnNzNnFLaUZnaXA3S0hNX3VQLWIxZDFjYVNFOHktemRFdFRISzhRSjlyZU1iLUVIRzZpUGtGcFlKLTJndURPVWhMNTU1OXVzUjE2bzJBV29OOHlSZGNLdG5wcXdCVl9uMlVFNG04M2tMakEzMFB0WXBxcmFJUXA5eVRhMjFqaVZsY2VIWnBXeHgtSGxPRWpERTRla05DZV94VG9ySjdNYkhWVHlmcXIzN284Zmg4R3NoLVA1X3RLLXFhRE9PN3BTTWtIQQ=="
    

      

    [root@master pki]# DEF_NS_ADMIN_TOKEN=$(kubectl get secret  def-ns-admin-token-646gx  -o jsonpath={.data.token}|base64 -d)
    

      

    [root@master pki]# kubectl config set-credentials def-ns-admin --token=$DEF_NS_ADMIN_TOKEN --kubeconfig=/root/def-ns-admin.conf 
    User "def-ns-admin" set.
    

      

    [root@master pki]# kubectl config view  --kubeconfig=/root/def-ns-admin.conf 
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: REDACTED
        server: https://172.16.1.100:6443
      name: kubernetes
    contexts: []
    current-context: ""
    kind: Config
    preferences: {}
    users:
    - name: def-ns-admin
    

      

    [root@master pki]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf 
    Context "def-ns-admin@kubernetes" created.
    

      

    [root@master pki]# kubectl config view  --kubeconfig=/root/def-ns-admin.conf 
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: REDACTED
        server: https://172.16.1.100:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: def-ns-admin
      name: def-ns-admin@kubernetes
    current-context: ""
    kind: Config
    preferences: {}
    users:
    - name: def-ns-admin
      user:
        token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi02NDZneCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ODZiOGI2NC1jM2JmLTExZTgtYmIzNS0wMDUwNTZhMjRlY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.MTyQW7Vn_1j9cfmtYAE4CepmLsaMsMfE5VG6xkx4LsfrsKOO2FAo1bQuUtjLtAj52UzC7I0dVqQKpcx1DPxkr8QIpNm37PLE01geQ0C0me7QiRiM9KrFXmDtxUSLlhPBahxg-krlaANEWDKX69nss6qKiFgip7KHM_uP-b1d1caSE8y-zdEtTHK8QJ9reMb-EHG6iPkFpYJ-2guDOUhL5559usR16o2AWoN8yRdcKtnpqwBV_n2UE4m83kLjA30PtYpqraIQp9yTa21jiVlceHZpWxx-HlOEjDE4ekNCe_xTorJ7MbHVTyfqr37o8fh8Gsh-P5_tK-qaDOO7pSMkHA
    

      

    [root@master pki]# kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf 
    Switched to context "def-ns-admin@kubernetes".
    

      

    [root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf 
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: REDACTED
        server: https://172.16.1.100:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: def-ns-admin
      name: def-ns-admin@kubernetes
    current-context: def-ns-admin@kubernetes
    kind: Config
    preferences: {}
    users:
    - name: def-ns-admin
      user:
        token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi02NDZneCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ODZiOGI2NC1jM2JmLTExZTgtYmIzNS0wMDUwNTZhMjRlY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.MTyQW7Vn_1j9cfmtYAE4CepmLsaMsMfE5VG6xkx4LsfrsKOO2FAo1bQuUtjLtAj52UzC7I0dVqQKpcx1DPxkr8QIpNm37PLE01geQ0C0me7QiRiM9KrFXmDtxUSLlhPBahxg-krlaANEWDKX69nss6qKiFgip7KHM_uP-b1d1caSE8y-zdEtTHK8QJ9reMb-EHG6iPkFpYJ-2guDOUhL5559usR16o2AWoN8yRdcKtnpqwBV_n2UE4m83kLjA30PtYpqraIQp9yTa21jiVlceHZpWxx-HlOEjDE4ekNCe_xTorJ7MbHVTyfqr37o8fh8Gsh-P5_tK-qaDOO7pSMkHA
    

      

       这时候/root/def-ns-admin.conf文件就可以用在dashboard中,把这个文件拉下来。用它进行登录了。

    总结

         1、部署: 

    kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
    

      

       2、将service改为NodePort: 

     kubectl  patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
    

      

     3、认证: 

            认证时的账户必须为ServiceAccount:作用是被dashboard pod拿来由kubernetes进行认证。 

            第一种:token方式认证: 

                a) 创建serviceaccount,根据其管理目标,使用rolebinding或者clusterrolebinding绑定至合理role或者clusterrole; 

                b)获取到此serviceAccount的secret,查看secret的详细信息,其中就有token,粘贴到web界面的令牌里面 

            第二种: kubeconfig方式认证: 把serviceaccount的token封装为kubeconfig文件。 

                a) 创建serviceaccount,根据其管理目标,使用rolebinding或者clusterrolebinding绑定至合理role或者clusterrole;

                b)

            kubect get secret | awk '/^ServiceAccountName/{print $1}'

           KUBE_TOKEN=DEF_NS_ADMIN_TOKEN=$(kubectl get secret  SERVICEACCOUNT_SERCRET_NAME -o jsonpath={.data.token}|base64 -d)

                c) 生成kubeconfig文件 

                kubectl config set-cluster --kubeconfig=/PATH/TO/SOMEFILE 

                kubectl config set-credentials NAME --token=$KUBE_TOKEN --kubeconfig=/PATH/TO/SOMEFILE

                kubctl config set-context 

                kubectl config use-context 

    kubernetes集群的管理方式

        1、命令式:create,run,expose,delete,edit.... 

        2、命令式配置文件:create -f /PATH/TO/RESOURCE_CONFIGURATION_FILE,delete -f,replace -f  

        3、声明式配置文件:apply -f,patch, 

        一般建议不要混合使用上面三种方式。建议使用apply和patch这样的命令。 

  • 相关阅读:
    面试题63 二叉搜索树的第k个结点
    面试题62 序列化二叉树
    面试题61 把二叉树打印成多行
    面试题60 按之字形顺序打印二叉树
    centos下Nginx代理访问web服务
    回文数
    两数之和--哈希表unordered_map
    删除链表的倒数第N个节点---链表的应用
    基础篇,排序(冒泡排序,快速排序)
    linuxC网络聊天室简单代码,CSDN博客迁移
  • 原文地址:https://www.cnblogs.com/dribs/p/10314990.html
Copyright © 2011-2022 走看看