Dashboard: https://github.com/kubernetes/dashboard
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
The installation has a few problems:
- The image cannot be pulled directly from inside China
- The dashboard's default web UI certificate is auto-generated; because of problems with its validity period and name, Chrome and IE cannot open the login page (Firefox was tested and opens it normally)
- The application's permissions are too small; after logging in with the defaults, the UI shows permission errors
Part 1: Solving the image problem
# Pull the image
docker pull mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1
# Re-tag it under the name the manifest expects
docker tag mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
# Remove the now-unused image
docker rmi mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1
[root@k8s-master ~]# kubectl get pods -n kube-system |egrep dashboard
kubernetes-dashboard-767dc7d4d-n4clq 1/1 Running 0 3s
Part 2: Solving the certificate problem
If you browse with Firefox, the default generated certificate can be used as-is:
kubectl get secret -n kube-system |egrep certs
kubernetes-dashboard-certs Opaque 2 4m35s
We create a custom certificate with openssl, signed by the cluster CA:
cd /etc/kubernetes/pki/
[root@k8s-master pki]# (umask 077;openssl genrsa -out dashboard.key 2048)
[root@k8s-master pki]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=magedu/CN=dashboard"
[root@k8s-master pki]# openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 365
kubectl delete -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
Or just delete the secret directly: kubectl delete secret kubernetes-dashboard-certs -n kube-system
kubectl create secret generic kubernetes-dashboard-certs -n kube-system --from-file=./dashboard.crt --from-file=dashboard.key=./dashboard.key
You can see your own certificate data under DATA:
kubectl get secret kubernetes-dashboard-certs -n kube-system -o yaml
The service needs to be exposed for node access, or accessed through kubectl proxy.
Here we change the service to NodePort type:
kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
[root@wan129 pki]# kubectl get svc -n kube-system |egrep dashboard
kubernetes-dashboard NodePort 10.96.47.28 <none> 443:30410/TCP 11m
Now the login page can be reached through a browser; you can add a trust exception for the certificate in the client browser.

Part 3: Solving the permission problem
Next we log in to the UI with a token.
The default ServiceAccount has rather limited permissions bound to it:
# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
---
[root@k8s-master ~]# kubectl get sa -n kube-system
Change the SA to cluster-admin permissions; for the permission-related details see the previous post.
Before modifying it, the previous SA needs to be deleted:
kubectl delete -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
Two methods:
Method 1:
Original file

Modified file
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
kubectl apply -f kubernetes-dashboard.yaml
Method 2:
kubectl delete clusterrolebinding dashboard-cluster-admin
kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:kubernetes-dashboard
Of course it can also be defined in YAML:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
[root@k8s-master ~]# kubectl get clusterrolebinding |egrep dashboard
This way the token can be obtained through the SA's secret:
[root@k8s-master ~]# kubectl get secret -n kube-system |egrep dashboard-token
kubernetes-dashboard-token-sfvzz kubernetes.io/service-account-token 3 4m5s
[root@k8s-master ~]# kubectl describe secret/kubernetes-dashboard-token-sfvzz -n kube-system|egrep token

Then copy it into the token field of the login page; the UI after a successful login:

The simplest approach is to create an SA, bind it to cluster-admin, then take its token and log in with it:
kubectl create serviceaccount def-cls-admin -n kube-system
kubectl create clusterrolebinding def-cls-admin --clusterrole=cluster-admin --serviceaccount=kube-system:def-cls-admin
kubectl get secret -n kube-system|egrep def-cls-admin
kubectl describe secret/def-cls-admin-token-xgb4x -n kube-system|egrep token:
Restricting access to the default namespace only
Define an SA that can only access the default namespace, bound through a RoleBinding to the cluster role admin:
kubectl create serviceaccount def-ns-admin
kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin
kubectl describe secret def-ns-admin-token-lqvv8
kubectl get secret|egrep def-ns-admin
def-ns-admin-token-lqvv8 kubernetes.io/service-account-token 3 2m
kubectl describe secret def-ns-admin-token-lqvv8 |egrep token:
Paste the token into the login page; it only has effect on the default namespace, because the binding is a RoleBinding.
Kubeconfig login:
Below we fill in the required information with the kubectl config commands.
For reference: kubectl config view
1. Fill in the cluster information:
#kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://10.211.55.11:6443" \
--embed-certs=true --kubeconfig=/root/def-ns-admin.conf
It can be simpler:
kubectl config set-cluster kubernetes --server="https://10.211.55.11:6443" --kubeconfig=/root/def-ns-admin.conf
Cluster "kubernetes" set.
kubectl config view --kubeconfig=/root/def-ns-admin.conf
2. Fill in the cluster credential information:
kubectl config set-credentials NAME [--client-certificate=path/to/certfile] [--client-key=path/to/keyfile]
[--token=bearer_token] [--username=basic_user] [--password=basic_password] [--auth-provider=provider_name]
[--auth-provider-arg=key=value] [options]
Authentication can be done with a certificate file or with a token; here we authenticate with a token.
kubectl describe secret def-ns-admin-token-lqvv8 |egrep token: # decoding this output with base64 directly is problematic; pull the token out as JSON instead
DEFAULT_TOKEN=$(kubectl get secret def-ns-admin-token-lqvv8 -o jsonpath={.data.token} |base64 -d)
kubectl config set-credentials def-ns-admin --token=$DEFAULT_TOKEN --kubeconfig=/root/def-ns-admin.conf
3. Configure the context:
kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf
4. Set the current context:
kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf
Verify with kubectl get pods
kubectl config view --kubeconfig=/root/def-ns-admin.conf
Download this file to the client and you can log in on the page with it.
Summary:
The account used at authentication must be a ServiceAccount: the dashboard pod takes it and has K8S authenticate it.
Token:
1. Create an SA; according to what it is meant to manage, bind it with a RoleBinding or ClusterRoleBinding to the appropriate Role or ClusterRole
2. Get the SA's secret and look at the secret's details; the token is in there
Kubeconfig: wrap the SA's token into a kubeconfig file
1. Create an SA; according to what it is meant to manage, bind it with a RoleBinding or ClusterRoleBinding to the appropriate Role or ClusterRole
2. kubectl get secret | awk '$2=="kubernetes.io/service-account-token"{print $1}'
KUBE_TOKEN=$(kubectl get secret SERVICEACCOUNT_SECRET_NAME -o jsonpath={.data.token} | base64 -d)
3. Generate the kubeconfig file
kubectl config set-cluster CLUSTER_NAME --server=https://APISERVER:6443 --kubeconfig=/PATH/TO/SOMEFILE
kubectl config set-credentials NAME --token=$KUBE_TOKEN --kubeconfig=/PATH/TO/SOMEFILE
kubectl config set-context CONTEXT_NAME --cluster=CLUSTER_NAME --user=NAME --kubeconfig=/PATH/TO/SOMEFILE
kubectl config use-context CONTEXT_NAME --kubeconfig=/PATH/TO/SOMEFILE
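As an added example (not from the original post), the following Python helper does offline what steps 1 to 4 of the kubeconfig section and the summary above do with kubectl: it takes the JSON of a service-account token secret (as `kubectl get secret NAME -o json` prints it), decodes `.data.token`, checks that the token's `sub` claim names the expected ServiceAccount before embedding it, and assembles the kubeconfig document. The secret and the JWT are constructed samples with a placeholder signature; the server address is the one used above.

```python
import base64
import json

def _b64url(obj):  # JWT segment encoding: base64url without padding
    return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()

# Constructed sample of what `kubectl get secret def-ns-admin-token-lqvv8 -o json`
# returns. The JWT is assembled here with a placeholder signature; it is not a real token.
SAMPLE_JWT = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "default",
        "kubernetes.io/serviceaccount/service-account.name": "def-ns-admin",
        "sub": "system:serviceaccount:default:def-ns-admin",
    }),
    "PLACEHOLDER_SIGNATURE",
])
SAMPLE_SECRET = json.dumps({
    "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "def-ns-admin-token-lqvv8", "namespace": "default"},
    "data": {"token": base64.b64encode(SAMPLE_JWT.encode()).decode()},
})

def sa_token_from_secret(secret_json):
    """Same as `-o jsonpath={.data.token} | base64 -d`, with a type check first."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a service-account token secret")
    return base64.b64decode(secret["data"]["token"]).decode()

def jwt_subject(token):
    """Read the `sub` claim only; the signature is checked by the API server, not here."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))["sub"]

def build_kubeconfig(secret_json, namespace, sa_name, server, cluster="kubernetes"):
    """Mirror steps 1-4: set-cluster, set-credentials, set-context, use-context."""
    token = sa_token_from_secret(secret_json)
    expected = f"system:serviceaccount:{namespace}:{sa_name}"
    if jwt_subject(token) != expected:  # refuse to embed another account's token
        raise ValueError(f"token subject is not {expected}")
    ctx = f"{sa_name}@{cluster}"
    return {
        "apiVersion": "v1", "kind": "Config",
        "clusters": [{"name": cluster, "cluster": {"server": server}}],
        "users": [{"name": sa_name, "user": {"token": token}}],
        "contexts": [{"name": ctx, "context": {"cluster": cluster, "user": sa_name, "namespace": namespace}}],
        "current-context": ctx,
    }
```

Write the returned dict to a file with json.dump and pass it as --kubeconfig; kubectl accepts a JSON-formatted kubeconfig because JSON is valid YAML.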
Reference articles:
https://github.com/kubernetes/dashboard/wiki/Creating-sample-user
https://blog.csdn.net/java_zyq/article/details/82178152
Configuration in a production environment (nginx in front of the API server proxy path):
server {
    server_name k8s.doudou.net;
    rewrite ^(.*)$ https://k8s.doudou.net$1 permanent;
}
server {
    listen 443 ssl;
    server_name k8s.doudou.net;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    location / {
        proxy_ssl_trusted_certificate /etc/ssl/kubernetes/ca.pem;
        proxy_ssl_certificate /etc/ssl/kubernetes/admin.pem;
        proxy_ssl_certificate_key /etc/ssl/kubernetes/admin-key.pem;
        proxy_ssl_session_reuse on;
        proxy_pass https://192.168.8.99/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/;
    }
}
kubectl cluster-info