
    Kubernetes (16): Dashboard authentication and access

    Dashboard: https://github.com/kubernetes/dashboard

    Deploying the Dashboard

    Download the yaml file

    [root@master manifests]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
    

    Inspect the yaml
    The Deployment's image is pulled from the k8s.gcr.io registry, which cannot be pulled successfully from within China. There are two options:

    1. Pull the image kubernetes-dashboard-amd64:v1.10.1 on the node in advance, then retag it with docker tag.
    2. Change the image in the yaml file directly to a reachable repository:
    [root@master manifests]# vim kubernetes-dashboard.yaml
    ......
            #image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
            image: xiaobai20201/kubernetes-dashboard-amd64:v1.10.1 # my own Docker Hub repository
    ......
    

    The Service in the yaml file does not specify a type; it has to be set to NodePort so the dashboard can be reached from outside the cluster:

    ......
    kind: Service
    apiVersion: v1
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kube-system
    spec:
      ports:
        - port: 443
          targetPort: 8443
      selector:
        k8s-app: kubernetes-dashboard
      type: NodePort
      ......
    

    Apply it

    [root@master manifests]# kubectl apply -f kubernetes-dashboard.yaml 
    secret/kubernetes-dashboard-certs created
    serviceaccount/kubernetes-dashboard created
    role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
    rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
    deployment.apps/kubernetes-dashboard created
    service/kubernetes-dashboard created
    
    [root@master manifests]# kubectl get pods -n kube-system
    NAME                                   READY   STATUS    RESTARTS   AGE
    coredns-78d4cf999f-6cb69               1/1     Running   0          11d
    coredns-78d4cf999f-tflpn               1/1     Running   0          11d
    etcd-master                            1/1     Running   0          11d
    kube-apiserver-master                  1/1     Running   0          11d
    kube-controller-manager-master         1/1     Running   0          11d
    kube-flannel-ds-amd64-gtv85            1/1     Running   0          11d
    kube-flannel-ds-amd64-gwbql            1/1     Running   1          11d
    kube-flannel-ds-amd64-ml7nf            1/1     Running   0          11d
    kube-proxy-ch4vp                       1/1     Running   0          11d
    kube-proxy-cz2rf                       1/1     Running   1          11d
    kube-proxy-kdp7d                       1/1     Running   0          11d
    kube-scheduler-master                  1/1     Running   0          11d
    kubernetes-dashboard-6f9998798-klf4t   1/1     Running   0          2m46s
    
    [root@master manifests]# kubectl get svc -n kube-system
    NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
    kube-dns               ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP   11d
    kubernetes-dashboard   NodePort    10.104.230.45   <none>        443:30650/TCP   43s
    

    Open https://10.0.0.10:30650 in a browser. Note that the HTTPS certificate here is not trusted: Chrome will refuse the connection, so Firefox is recommended, and the certificate must be accepted under its advanced options.

    In k8s the dashboard supports two login methods: kubeconfig (HTTPS) and token (http):

    Token authentication

    1. Create a dedicated certificate for the dashboard
    [root@master manifests]# cd /etc/kubernetes/pki/
    [root@master pki]# (umask 077;openssl genrsa -out dashboard.key 2048)
    Generating RSA private key, 2048 bit long modulus
    ...................................................................+++
    .......+++
    e is 65537 (0x10001)
    
    2. Create the certificate signing request
    [root@master pki]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=white/CN=dasnboard" # if the dashboard will later be accessed by domain name, /CN must match that domain
    
    
    3. Sign the certificate
    [root@master pki]# openssl x509 -req -in dashboard.csr  -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 3650                                      
    Signature ok
    subject=/O=white/CN=dasnboard
    Getting CA Private Key
    
    4. Define a token that can only access the default namespace
    [root@master pki]# kubectl create secret generic dashboard-cert -n kube-system --from-file=dashboard.crt=./dashboard.crt  --from-file=dashboard.key=./dashboard.key
    secret/dashboard-cert created
    
    [root@master pki]# kubectl get secret -n kube-system |grep dashboard
    dashboard-cert                                   Opaque                                2      25s
    kubernetes-dashboard-certs                       Opaque                                0      101m
    kubernetes-dashboard-key-holder                  Opaque                                2      100m
    kubernetes-dashboard-token-4pln6                 kubernetes.io/service-account-token   3      101m
    
    # create the ServiceAccount
    [root@master pki]# kubectl create serviceaccount def-ns-admin -n default
    serviceaccount/def-ns-admin created
    
    # bind the service account to the cluster role admin (namespace-scoped, via a RoleBinding)
    [root@master pki]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin
    rolebinding.rbac.authorization.k8s.io/def-ns-admin created
    
    [root@master pki]# kubectl get secret
    NAME                       TYPE                                  DATA   AGE
    admin-token-sswgb          kubernetes.io/service-account-token   3      4d1h
    def-ns-admin-token-p5nxf   kubernetes.io/service-account-token   3      74s
    default-token-dqd2f        kubernetes.io/service-account-token   3      11d
    mysql-root-password        Opaque                                1      5d
    tomcat-ingress-secret      kubernetes.io/tls                     2      6d5h
    [root@master pki]# kubectl describe secret def-ns-admin-token-p5nxf
    Name:         def-ns-admin-token-p5nxf
    Namespace:    default
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: def-ns-admin
                  kubernetes.io/service-account.uid: 45e2e667-59d0-11e9-80a7-000c295ec349
    
    Type:  kubernetes.io/service-account-token
    
    Data
    ====
    ca.crt:     1025 bytes
    namespace:  7 bytes
    token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw
    

    Copy this token and paste it into the login form. Be aware that this token only grants access to the contents of the default namespace, as shown in the figure below:

    Kubeconfig authentication

    1. Configure the cluster information for def-ns-admin
    [root@master pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://10.0.0.10:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf
    Cluster "kubernetes" set.
    
    2. Write the token into the credentials for this cluster
    [root@master pki]# kubectl config set-credentials -h   # credentials can be configured from a crt/key pair or from a token; a token is used here
    
    [root@master pki]#  kubectl describe secret def-ns-admin-token-p5nxf
    Name:         def-ns-admin-token-p5nxf
    Namespace:    default
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: def-ns-admin
                  kubernetes.io/service-account.uid: 45e2e667-59d0-11e9-80a7-000c295ec349
    
    Type:  kubernetes.io/service-account-token
    
    Data
    ====
    ca.crt:     1025 bytes
    namespace:  7 bytes
    token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw
    
    # the token stored in the secret is base64-encoded and has to be decoded first
    [root@master pki]# kubectl get secret def-ns-admin-token-p5nxf -o jsonpath={.data.token} |base64 -d
    eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw
    
    # configure the token
    [root@master pki]# kubectl config set-credentials def-ns-admin --token=eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw  --kubeconfig=/root/def-ns-admin.conf 
    User "def-ns-admin" set.
    
    3. Configure the context and the current context
    [root@master ~]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf 
    Context "def-ns-admin@kubernetes" created.
    
    [root@master ~]# kubectl config view --kubeconfig=/root/def-ns-admin.conf 
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://10.0.0.10:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: def-ns-admin
      name: def-ns-admin@kubernetes
    current-context: ""
    kind: Config
    preferences: {}
    users:
    - name: def-ns-admin
      user:
        token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw
    

    Copy /root/def-ns-admin.conf to the host machine; in the browser choose Kubeconfig authentication, load this file and click Sign in to get access, as shown in the figure:

    Summary

    1. When deploying the dashboard, the Deployment image in the official yaml file has to be replaced with a mirror reachable from China (here the personal repository xiaobai20201).
    2. In the official yaml file, spec.type of the Service has to be changed to NodePort.
    3. The account used for authentication must be a ServiceAccount: the dashboard pod presents it to Kubernetes for authentication. There are two authentication methods:
    • token:
      1. Create a ServiceAccount and, according to what it is meant to manage, bind it to an appropriate Role or ClusterRole with a RoleBinding or ClusterRoleBinding;
      2. Get this ServiceAccount's secret and describe it; the token is among its details;
      3. Copy the token into the login page.
    • kubeconfig: wrap the ServiceAccount's token in a kubeconfig file
      1. Create a ServiceAccount and, according to what it is meant to manage, bind it to an appropriate Role or ClusterRole with a RoleBinding or ClusterRoleBinding;
      2. Find the ServiceAccount's secret and extract the token:
         kubectl get secret | awk '/^ServiceAccount/{print $1}'
         KUBE_TOKEN=$(kubectl get secret SERVICEACCOUNT_SECRET_NAME -o jsonpath={.data.token} | base64 -d)
      3. Generate the kubeconfig file:
         kubectl config set-cluster
         kubectl config set-credentials NAME --token=$KUBE_TOKEN
         kubectl config set-context
         kubectl config use-context
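    The kubeconfig section above and this summary both build a kubeconfig around a service-account token: read .data.token from the secret, base64-decode it, and pass it to kubectl config set-credentials. The following Python example is added here and is not code from the original post or from the Kubernetes project. It performs the same steps offline on a constructed Secret object (the shape `kubectl get secret NAME -o json` returns), decodes the JWT, checks that its claims actually name the service account and namespace you expect before the token is written into a kubeconfig, and assembles the same Config structure that `kubectl config view` printed above (with current-context set, as the summary's `use-context` step does). The claim values reproduce those visible in the post's token; the signature and CA data are placeholders, so the constructed token is not valid anywhere. The function names and the check_token_identity policy are my own assumptions.

```python
import base64
import json

# Constructed sample: a Kubernetes service-account token Secret as returned by
# `kubectl get secret <name> -o json`. Every field under .data is base64-encoded,
# which is why the post pipes jsonpath={.data.token} through `base64 -d`.
# The JWT inside reproduces the claim names and values shown in the post's token;
# the signature is a placeholder, so this token is NOT valid against any cluster.


def _b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding used for JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(seg: str) -> bytes:
    """Inverse of _b64url: restore the padding before decoding."""
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def build_sample_secret() -> dict:
    """Constructed Secret object mirroring def-ns-admin-token-p5nxf from the post."""
    header = {"alg": "RS256", "kid": ""}
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "default",
        "kubernetes.io/serviceaccount/secret.name": "def-ns-admin-token-p5nxf",
        "kubernetes.io/serviceaccount/service-account.name": "def-ns-admin",
        "kubernetes.io/serviceaccount/service-account.uid": "45e2e667-59d0-11e9-80a7-000c295ec349",
        "sub": "system:serviceaccount:default:def-ns-admin",
    }
    compact = dict(separators=(",", ":"))
    jwt = ".".join([
        _b64url(json.dumps(header, **compact).encode()),
        _b64url(json.dumps(claims, **compact).encode()),
        _b64url(b"placeholder-signature"),  # constructed, not a real RS256 signature
    ])
    fake_ca = b"-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/service-account-token",
        "metadata": {"name": "def-ns-admin-token-p5nxf", "namespace": "default"},
        "data": {
            "ca.crt": base64.b64encode(fake_ca).decode(),
            "namespace": base64.b64encode(b"default").decode(),
            "token": base64.b64encode(jwt.encode()).decode(),
        },
    }


def token_from_secret(secret: dict) -> str:
    """Equivalent of: kubectl get secret NAME -o jsonpath={.data.token} | base64 -d"""
    return base64.b64decode(secret["data"]["token"]).decode()


def jwt_claims(token: str) -> dict:
    """Parse the claims of a JWT without verifying it. Verification is the API
    server's job; this only shows WHO the token asserts before you load it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token_identity(token: str, namespace: str, sa_name: str) -> bool:
    """Refuse to wrap a token that was not minted for the service account you
    intended (for example an admin token copied from the wrong secret)."""
    c = jwt_claims(token)
    return (c.get("iss") == "kubernetes/serviceaccount"
            and c.get("sub") == f"system:serviceaccount:{namespace}:{sa_name}"
            and c.get("kubernetes.io/serviceaccount/namespace") == namespace)


def build_kubeconfig(secret: dict, server: str, cluster: str = "kubernetes") -> dict:
    """Assemble the Config structure that the post builds with
    kubectl config set-cluster / set-credentials / set-context / use-context."""
    token = token_from_secret(secret)
    sa = secret["metadata"]["name"].rsplit("-token-", 1)[0]  # def-ns-admin
    ns = base64.b64decode(secret["data"]["namespace"]).decode()
    if not check_token_identity(token, ns, sa):
        raise ValueError("token claims do not match the secret's service account")
    ctx = f"{sa}@{cluster}"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{"name": cluster, "cluster": {
            "server": server,
            "certificate-authority-data": secret["data"]["ca.crt"],  # --embed-certs=true
        }}],
        "users": [{"name": sa, "user": {"token": token}}],
        "contexts": [{"name": ctx, "context": {"cluster": cluster, "user": sa}}],
        "current-context": ctx,
    }


if __name__ == "__main__":
    cfg = build_kubeconfig(build_sample_secret(), "https://10.0.0.10:6443")
    print(json.dumps(cfg, indent=2))
```

    The Config is emitted as JSON, which kubectl's kubeconfig loader accepts as well, since YAML is a superset of JSON. jwt_claims only parses the payload; the signature is checked by the API server when the token is used, so check_token_identity guards against pasting the wrong token into a kubeconfig, not against trusting an unverified one. The same parse is a quick way to answer "which service account and namespace does this kubeconfig actually act as?" when such files turn up outside the cluster.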
    
    Original article: https://www.cnblogs.com/wlbl/p/10694371.html