文章
文章用户文档快讯圈子网址导航

Kubernetes之(十六)Dashboard认证访问

释放双眼,带上耳机,听听看~!

目录

  • Kubernetes之(十六)Dashboard认证访问

  • Dashboard部署

    • token认证

    • kube-config认证

    • 总结

Kubernetes之(十六)Dashboard认证访问

Dashboard:https://github.com/kubernetes/dashboard

Dashboard部署

下载yaml文件



1
2
1[root@master manifests]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

2

查看yaml
deployment的image需要从k8s.gcr.io仓库下载,国内无法拉取成功。两种方法:

  1. 提前在node节点拉取镜像kubernetes-dashboard-amd64:v1.10.1, 然后docker tag修改标签。

  2. 直接把yaml文件内的image修改为可用的仓库,



1
2
3
4
5
6
1[root@master manifests]# vim kubernetes-dashboard.yaml

2......

3        #image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1

4        image: xiaobai20201/kubernetes-dashboard-amd64:v1.10.1 # 我自己的dockerhub仓库

5......

6

其中 yaml文件种的service配置没有指定type,此时我们需要指定为NodePort才能使用外部访问



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
1......

2kind: Service

3apiVersion: v1

4metadata:

5  labels:

6    k8s-app: kubernetes-dashboard

7  name: kubernetes-dashboard

8  namespace: kube-system

9spec:

10  ports:

11    - port: 443

12      targetPort: 8443

13  selector:

14    k8s-app: kubernetes-dashboard

15  type: NodePort

16  ......

17

执行



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
1[root@master manifests]# kubectl apply -f kubernetes-dashboard.yaml 

2secret/kubernetes-dashboard-certs created

3serviceaccount/kubernetes-dashboard created

4role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created

5rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created

6deployment.apps/kubernetes-dashboard created

7service/kubernetes-dashboard created

8

9[root@master manifests]# kubectl get pods -n kube-system

10NAME                                   READY   STATUS    RESTARTS   AGE

11coredns-78d4cf999f-6cb69               1/1     Running   0          11d

12coredns-78d4cf999f-tflpn               1/1     Running   0          11d

13etcd-master                            1/1     Running   0          11d

14kube-apiserver-master                  1/1     Running   0          11d

15kube-controller-manager-master         1/1     Running   0          11d

16kube-flannel-ds-amd64-gtv85            1/1     Running   0          11d

17kube-flannel-ds-amd64-gwbql            1/1     Running   1          11d

18kube-flannel-ds-amd64-ml7nf            1/1     Running   0          11d

19kube-proxy-ch4vp                       1/1     Running   0          11d

20kube-proxy-cz2rf                       1/1     Running   1          11d

21kube-proxy-kdp7d                       1/1     Running   0          11d

22kube-scheduler-master                  1/1     Running   0          11d

23kubernetes-dashboard-6f9998798-klf4t   1/1     Running   0          2m46s

24

25[root@master manifests]# kubectl get svc -n kube-system

26NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE

27kube-dns               ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP   11d

28kubernetes-dashboard   NodePort    10.104.230.45   <none>        443:30650/TCP   43s

29

浏览器访问 https://10.0.0.10:30650 ,注意这里的https证书是不安全的,谷歌浏览器会禁止访问,此时建议使用火狐,并且需要在高级选项中认证。
在k8s中 dashboard可以有两种访问方式:kubeconfig(HTTPS)和token(http):

token认证

  1. 创建dashboard专用证书



1
2
3
4
5
6
7
1[root@master manifests]# cd /etc/kubernetes/pki/

2[root@master pki]# (umask 077;openssl genrsa -out dashboard.key 2048)

3Generating RSA private key, 2048 bit long modulus

4...................................................................+++

5.......+++

6e is 65537 (0x10001)

7

  1. 证书签署请求



1
2
3
1[root@master pki]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=white/CN=dasnboard" #如果以后需要域名访问 /CN需要和域名一致

2

3

  1. 签署证书



1
2
3
4
5
1[root@master pki]# openssl x509 -req -in dashboard.csr  -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 3650                                      

2Signature ok

3subject=/O=white/CN=dasnboard

4Getting CA Private Key

5

  1. 定义令牌方式仅能访问default名称空间



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
1[root@master pki]# kubectl create secret generic dashboard-cert -n kube-system --from-file=dashboard.crt=./dashboard.crt  --from-file=dashboard.key=./dashboard.key

2secret/dashboard-cert created

3

4[root@master pki]# kubectl get secret -n kube-system |grep dashboard

5dashboard-cert                                   Opaque                                2      25s

6kubernetes-dashboard-certs                       Opaque                                0      101m

7kubernetes-dashboard-key-holder                  Opaque                                2      100m

8kubernetes-dashboard-token-4pln6                 kubernetes.io/service-account-token   3      101m

9

10#创建serviceaccount

11[root@master pki]# kubectl create serviceaccount def-ns-admin -n default

12serviceaccount/def-ns-admin created

13

14 #service account账户绑定到集群角色admin

15[root@master pki]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin

16rolebinding.rbac.authorization.k8s.io/def-ns-admin created

17

18[root@master pki]# kubectl get secret

19NAME                       TYPE                                  DATA   AGE

20admin-token-sswgb          kubernetes.io/service-account-token   3      4d1h

21def-ns-admin-token-p5nxf   kubernetes.io/service-account-token   3      74s

22default-token-dqd2f        kubernetes.io/service-account-token   3      11d

23mysql-root-password        Opaque                                1      5d

24tomcat-ingress-secret      kubernetes.io/tls                     2      6d5h

25[root@master pki]# kubectl describe secret def-ns-admin-token-p5nxf

26Name:         def-ns-admin-token-p5nxf

27Namespace:    default

28Labels:       <none>

29Annotations:  kubernetes.io/service-account.name: def-ns-admin

30              kubernetes.io/service-account.uid: 45e2e667-59d0-11e9-80a7-000c295ec349

31

32Type:  kubernetes.io/service-account-token

33

34Data

35====

36ca.crt:     1025 bytes

37namespace:  7 bytes

38token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw

39

将该token复制后,填入验证,要知道的是,该token认证仅可以查看default名称空间的内容,如下图:

kube-config认证

  1. 配置def-ns-admin的集群信息



1
2
3
1[root@master pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://10.0.0.10:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf

2Cluster "kubernetes" set.

3

  1. 使用token写入集群验证



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
1[root@master pki]# kubectl config set-credentials -h   #认证的方式可以通过crt和key文件,也可以使用token进行配置,这里使用tonken

2

3[root@master pki]#  kubectl describe secret def-ns-admin-token-p5nxf

4Name:         def-ns-admin-token-p5nxf

5Namespace:    default

6Labels:       <none>

7Annotations:  kubernetes.io/service-account.name: def-ns-admin

8              kubernetes.io/service-account.uid: 45e2e667-59d0-11e9-80a7-000c295ec349

9

10Type:  kubernetes.io/service-account-token

11

12Data

13====

14ca.crt:     1025 bytes

15namespace:  7 bytes

16token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw

17

18#此处token是base64编码,此处需要进行解码操作

19[root@master pki]# kubectl get secret def-ns-admin-token-p5nxf -o jsonpath={.data.token} |base64 -d

20eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw

21

22#配置token信息

23[root@master pki]# kubectl config set-credentials def-ns-admin --token=eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw  --kubeconfig=/root/def-ns-admin.conf 

24User "def-ns-admin" set.

25

  1. 配置上下文和当前上下文



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
1[root@master ~]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf 

2Context "def-ns-admin@kubernetes" created.

3

4[root@master ~]# kubectl config view --kubeconfig=/root/def-ns-admin.conf 

5apiVersion: v1

6clusters:

7- cluster:

8    certificate-authority-data: DATA+OMITTED

9    server: https://10.0.0.10:6443

10  name: kubernetes

11contexts:

12- context:

13    cluster: kubernetes

14    user: def-ns-admin

15  name: def-ns-admin@kubernetes

16current-context: ""

17kind: Config

18preferences: {}

19users:

20- name: def-ns-admin

21  user:

22    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw

23

将/root/def-ns-admin.conf文件发送到宿主机,浏览器访问时选择Kubeconfig认证,载入该配置文件,点击登陆,即可实现访问,如图:

总结

  1. 部署dashboard的时候,官方的yaml文件内Deployment的image文件需要换成国内的源,(xiaobai20201 个人仓库)
  2. 官方的yaml文件内Service内spec.type要修改为NodePort。
  3. 认证时的账号必须为ServiceAccount:其作用是被dashboard pod拿来由kubenetes进行认证;认证方式有2种:
  • token:

  1. 创建ServiceAccount,根据其管理目标,使用rolebinding或clusterbinding绑定至合理的role或clusterrole;

    1. 获取此ServiceAccount的secret,查看secret的详细信息,其中就有token;
    2. 复制token到认证页面即可登录。

  2. kubeconfig:把ServiceAccount的token封装为kubeconfig文件

  3. 创建ServiceAccount,根据其管理目标,使用rolebinding或clusterbinding绑定至合理的role或clusterrole;

  4. kubectl get secret |awk '/^ServiceAccount/{print $1}' KUBE_TOKEN=$(kubectl get secret SERVICEACCOUNT_SECRET_NAME -o jsonpath={.data.token} | base64 -d)

  5. 生成kubeconfig文件



1
2
3
4
5
1kubectl config set-cluster

2kubectl config set-credentials NAME --token=$KUBE_TOKEN

3kubectl config set-context

4kubectl config use-context

5

Related posts:

  1. Kubernetes从部署到运维详解
  2. Kubernetes入门
  3. Kubernetes之(二十)Helm程序包管理器
  4. Kubernetes之(四)kubeadm部署集群

给TA打赏
共{{data.count}}人
人已打赏
[db:标签]dnsdockerHTTPSkube-proxyKubernetesmysql仓库域名安全
安全运维

故障复盘的简洁框架-黄金三问

2021-9-30 19:18:23

安全运维

OpenSSH-8.7p1离线升级修复安全漏洞

2021-10-23 10:13:25

猜你喜欢

Kubernetes入门

029

解锁会员权限

开通会员

解锁海量优质VIP资源

立刻开通
个人中心
购物车
优惠劵
今日签到
有新私信 私信列表
搜索

  • 扫码打开当前页

返回顶部