1. Create a ClusterRole named dashboard-viewonly that grants only get, list and watch on each resource. Note that the rules below do not include secrets, so a dashboard session holding this role can browse workloads, ConfigMaps and pod logs but cannot read Secret contents. dashboard-viewonly.yaml
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-viewonly
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - nodes
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  - volumeattachments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  - roles
  - rolebindings
  verbs:
  - get
  - list
  - watch
```
2. Create a ServiceAccount named vss-read and bind it to the dashboard-viewonly ClusterRole. The file needs both objects: the ServiceAccount itself (the `kubectl describe serviceaccount` output in step 5 shows exactly this object being applied) and the ClusterRoleBinding. The binding uses `rbac.authorization.k8s.io/v1` rather than `v1beta1`; the beta API was removed in Kubernetes 1.22, and the ClusterRole above already uses v1. vss-read.yaml

```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vss-read
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vss-read
  labels:
    k8s-app: vss-read
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dashboard-viewonly
subjects:
- kind: ServiceAccount
  name: vss-read
  namespace: kube-system
```
3. Check the existing dashboard configuration. The dashboard pod is already running in kube-system and is exposed only through a ClusterIP service on 443/TCP (container port 8443).

```
$ kubectl get pods -n kube-system | grep dashboard
kubernetes-dashboard-6c664cf6c5-gfckr   1/1   Running   1   20d

$ kubectl describe svc kubernetes-dashboard -n kube-system
Name:              kubernetes-dashboard
Namespace:         kube-system
Labels:            k8s-app=kubernetes-dashboard
Annotations:       kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":...
Selector:          k8s-app=kubernetes-dashboard
Type:              ClusterIP
IP:                100.71.200.102
Port:              <unset>  443/TCP
TargetPort:        8443/TCP
Endpoints:         100.98.177.79:8443
Session Affinity:  None
Events:            <none>

$ kubectl get service -n kube-system -o wide
NAME                                                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE    SELECTOR
cluster-autoscaler-2018-11-16-aws-cluster-autoscaler   ClusterIP   100.68.131.0     <none>        8085/TCP        47d    app=aws-cluster-autoscaler,release=cluster-autoscaler-2018-11-16
kube-dns                                               ClusterIP   100.64.0.10      <none>        53/UDP,53/TCP   227d   k8s-app=kube-dns
kube-state-metrics                                     ClusterIP   100.70.246.130   <none>        8080/TCP        181d   app=kube-state-metrics,release=kube-state-metrics
kubernetes-dashboard                                   ClusterIP   100.71.200.102   <none>        443/TCP         112d   k8s-app=kubernetes-dashboard
metrics-server                                         ClusterIP   100.67.89.201    <none>        443/TCP         167d   k8s-app=metrics-server
tiller-deploy                                          ClusterIP   100.65.225.136   <none>        44134/TCP       227d   app=helm,name=tiller

$ kubectl get service -n kube-system -o wide | grep dashboard
kubernetes-dashboard   ClusterIP   100.71.200.102   <none>   443/TCP   112d   k8s-app=kubernetes-dashboard
```
4. Apply the two YAML files to the Kubernetes cluster.

```
$ kubectl apply -f dashboard-viewonly.yaml
$ kubectl apply -f vss-read.yaml
```
5. Look up the full name of the token secret for the vss-read service account.

```
$ kubectl describe serviceaccount vss-read -n kube-system
Name:                vss-read
Namespace:           kube-system
Labels:              <none>
Annotations:         kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"vss-read","namespace":"kube-system"}}
Image pull secrets:  <none>
Mountable secrets:   vss-read-token-zs89w
Tokens:              vss-read-token-zs89w
Events:              <none>
```

6. Read the token value. Note that on Kubernetes 1.24 and later a token secret is no longer generated automatically for a ServiceAccount, so the `Tokens:` field above stays empty; on those versions request a short-lived token with `kubectl create token vss-read -n kube-system` instead of reading a secret.

```
$ kubectl describe secret vss-read-token-zs89w -n kube-system
Name:         vss-read-token-zs89w
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=vss-read
              kubernetes.io/service-account.uid=f7b82f23-0e83-11e9-8b41-02351c31ffae

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1042 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9....
```
7. Use this token value to log in to the Kubernetes dashboard. The token is a long-lived bearer credential that grants cluster-wide read access (including pod logs and ConfigMaps), so hand it out as you would any other credential and rotate it by deleting the secret if it leaks.
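Before trusting the dashboard login, it is worth confirming that the role really is view-only and that it does not reach secrets. The following script is an added example, not part of the original post: it mirrors the dashboard-viewonly rules as Python data, evaluates requests against them the way the Kubernetes RBAC authorizer does (any one rule matching apiGroup, resource and verb grants the request, with `*` as a wildcard), lints the rules for write verbs, wildcards and secrets, and prints the `kubectl auth can-i --as=system:serviceaccount:...` commands that repeat the same checks against the live cluster. The function names and the assumption that `get`, `list` and `watch` are the only read verbs are the example's own.

```python
"""Offline checker for the dashboard-viewonly ClusterRole (added example).

Evaluates the role's rules with Kubernetes RBAC matching semantics so the
read-only intent can be verified before the manifest is applied, and emits
the `kubectl auth can-i` lines to repeat the check on a live cluster.
"""

VIEW_VERBS = ["get", "list", "watch"]
# Anything beyond the read verbs, including the "*" wildcard, is a write.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

# Mirrors the rules of the dashboard-viewonly ClusterRole shown above.
RULES = [
    {"apiGroups": [""], "verbs": VIEW_VERBS, "resources": [
        "configmaps", "endpoints", "persistentvolumeclaims", "pods",
        "replicationcontrollers", "replicationcontrollers/scale",
        "serviceaccounts", "services", "nodes", "persistentvolumes"]},
    {"apiGroups": [""], "verbs": VIEW_VERBS, "resources": [
        "bindings", "events", "limitranges", "namespaces/status", "pods/log",
        "pods/status", "replicationcontrollers/status", "resourcequotas",
        "resourcequotas/status"]},
    {"apiGroups": [""], "verbs": VIEW_VERBS, "resources": ["namespaces"]},
    {"apiGroups": ["apps"], "verbs": VIEW_VERBS, "resources": [
        "daemonsets", "deployments", "deployments/scale", "replicasets",
        "replicasets/scale", "statefulsets"]},
    {"apiGroups": ["autoscaling"], "verbs": VIEW_VERBS,
     "resources": ["horizontalpodautoscalers"]},
    {"apiGroups": ["batch"], "verbs": VIEW_VERBS, "resources": ["cronjobs", "jobs"]},
    {"apiGroups": ["extensions"], "verbs": VIEW_VERBS, "resources": [
        "daemonsets", "deployments", "deployments/scale", "ingresses",
        "networkpolicies", "replicasets", "replicasets/scale",
        "replicationcontrollers/scale"]},
    {"apiGroups": ["policy"], "verbs": VIEW_VERBS, "resources": ["poddisruptionbudgets"]},
    {"apiGroups": ["networking.k8s.io"], "verbs": VIEW_VERBS, "resources": ["networkpolicies"]},
    {"apiGroups": ["storage.k8s.io"], "verbs": VIEW_VERBS,
     "resources": ["storageclasses", "volumeattachments"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "verbs": VIEW_VERBS, "resources": [
        "clusterrolebindings", "clusterroles", "roles", "rolebindings"]},
]


def _resource_matches(listed, resource):
    """RBAC resource match: exact name, "*", or "*/<subresource>"."""
    if "*" in listed or resource in listed:
        return True
    if "/" in resource:
        return "*/" + resource.split("/", 1)[1] in listed
    return False


def allowed(rules, api_group, resource, verb):
    """True if at least one rule matches apiGroup, resource and verb."""
    for rule in rules:
        if "*" not in rule["apiGroups"] and api_group not in rule["apiGroups"]:
            continue
        if "*" not in rule["verbs"] and verb not in rule["verbs"]:
            continue
        if _resource_matches(rule["resources"], resource):
            return True
    return False


def lint_view_only(rules, forbidden_resources=("secrets",)):
    """Findings that would make the role more than view-only: write verbs,
    wildcard groups/resources, or resources (secrets by default) whose
    contents should not be readable from a shared dashboard account."""
    findings = []
    for i, rule in enumerate(rules):
        bad_verbs = WRITE_VERBS.intersection(rule["verbs"])
        if bad_verbs:
            findings.append(f"rule {i}: write verbs {sorted(bad_verbs)}")
        if "*" in rule["apiGroups"] or "*" in rule["resources"]:
            findings.append(f"rule {i}: wildcard apiGroup/resource")
        for res in rule["resources"]:
            if res.split("/")[0] in forbidden_resources:
                findings.append(f"rule {i}: exposes {res}")
    return findings


def can_i_commands(sa_namespace, sa_name, checks):
    """`kubectl auth can-i` lines impersonating the ServiceAccount, to run
    the same expectations against the live cluster after `kubectl apply`."""
    subject = f"system:serviceaccount:{sa_namespace}:{sa_name}"
    return [f"kubectl auth can-i {verb} {resource} --as={subject}"
            for verb, resource in checks]


if __name__ == "__main__":
    for group, res, verb in [("", "pods", "get"), ("", "secrets", "get"),
                             ("apps", "deployments", "delete"), ("", "pods/log", "get")]:
        print(f"{verb:6} {res:12} group={group or 'core':10} -> {allowed(RULES, group, res, verb)}")
    print("lint findings:", lint_view_only(RULES) or "none")
    print("\n".join(can_i_commands("kube-system", "vss-read", [
        ("get", "pods"), ("get", "secrets"), ("delete", "deployments.apps")])))
```

The static check catches mistakes in the manifest; the printed `kubectl auth can-i` commands catch what the manifest cannot, such as a second binding that also grants the vss-read account more rights. Expect `yes` for `get pods` and `no` for `get secrets` and `delete deployments.apps`.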
References:
https://www.cnblogs.com/fengzhihai/p/9851470.html
https://www.cnblogs.com/linuxk/p/9783510.html