Contents
- Kubernetes (16): Dashboard authentication and access
- Dashboard deployment
- Token authentication
- kubeconfig authentication
- Summary
Kubernetes (16): Dashboard authentication and access
Dashboard: https://github.com/kubernetes/dashboard
Dashboard deployment
Download the yaml file
```console
[root@master manifests]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
```
Inspect the yaml
The Deployment's image is pulled from the k8s.gcr.io registry, which cannot be reached from mainland China. There are two ways around this:
- Pull the kubernetes-dashboard-amd64:v1.10.1 image on the node in advance, then retag it with docker tag.
- Change the image in the yaml file directly to a reachable registry:
```console
[root@master manifests]# vim kubernetes-dashboard.yaml
......
        #image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
        image: xiaobai20201/kubernetes-dashboard-amd64:v1.10.1 # my own Docker Hub repository
......
```
The Service in the yaml file does not specify a type; set it to NodePort so the Dashboard can be reached from outside the cluster:
```yaml
......
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  type: NodePort
......
```
Apply it
```console
[root@master manifests]# kubectl apply -f kubernetes-dashboard.yaml
secret/kubernetes-dashboard-certs created
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created

[root@master manifests]# kubectl get pods -n kube-system
NAME                                   READY   STATUS    RESTARTS   AGE
coredns-78d4cf999f-6cb69               1/1     Running   0          11d
coredns-78d4cf999f-tflpn               1/1     Running   0          11d
etcd-master                            1/1     Running   0          11d
kube-apiserver-master                  1/1     Running   0          11d
kube-controller-manager-master         1/1     Running   0          11d
kube-flannel-ds-amd64-gtv85            1/1     Running   0          11d
kube-flannel-ds-amd64-gwbql            1/1     Running   1          11d
kube-flannel-ds-amd64-ml7nf            1/1     Running   0          11d
kube-proxy-ch4vp                       1/1     Running   0          11d
kube-proxy-cz2rf                       1/1     Running   1          11d
kube-proxy-kdp7d                       1/1     Running   0          11d
kube-scheduler-master                  1/1     Running   0          11d
kubernetes-dashboard-6f9998798-klf4t   1/1     Running   0          2m46s

[root@master manifests]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP   11d
kubernetes-dashboard   NodePort    10.104.230.45   <none>        443:30650/TCP   43s
```
Open https://10.0.0.10:30650 in a browser. The HTTPS certificate is not trusted, so Chrome refuses to open the page; Firefox is recommended, and you have to accept the certificate under its advanced options.
In k8s the Dashboard supports two login methods: kubeconfig (HTTPS) and token (http):
Token authentication
- Create a dedicated certificate for the Dashboard
```console
[root@master manifests]# cd /etc/kubernetes/pki/
[root@master pki]# (umask 077;openssl genrsa -out dashboard.key 2048)
Generating RSA private key, 2048 bit long modulus
...................................................................+++
.......+++
e is 65537 (0x10001)
```
- Create the certificate signing request
```console
[root@master pki]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=white/CN=dasnboard" # if the Dashboard will later be reached by domain name, /CN must match that name
```
- Sign the certificate with the cluster CA
```console
[root@master pki]# openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 3650
Signature ok
subject=/O=white/CN=dasnboard
Getting CA Private Key
```
- Define a token that can only access the default namespace
```console
[root@master pki]# kubectl create secret generic dashboard-cert -n kube-system --from-file=dashboard.crt=./dashboard.crt --from-file=dashboard.key=./dashboard.key
secret/dashboard-cert created

[root@master pki]# kubectl get secret -n kube-system |grep dashboard
dashboard-cert                     Opaque                                2      25s
kubernetes-dashboard-certs         Opaque                                0      101m
kubernetes-dashboard-key-holder    Opaque                                2      100m
kubernetes-dashboard-token-4pln6   kubernetes.io/service-account-token   3      101m

# create the serviceaccount
[root@master pki]# kubectl create serviceaccount def-ns-admin -n default
serviceaccount/def-ns-admin created

# bind the service account to the cluster role admin (a RoleBinding, so the grant is limited to the default namespace)
[root@master pki]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin
rolebinding.rbac.authorization.k8s.io/def-ns-admin created

[root@master pki]# kubectl get secret
NAME                       TYPE                                  DATA   AGE
admin-token-sswgb          kubernetes.io/service-account-token   3      4d1h
def-ns-admin-token-p5nxf   kubernetes.io/service-account-token   3      74s
default-token-dqd2f        kubernetes.io/service-account-token   3      11d
mysql-root-password        Opaque                                1      5d
tomcat-ingress-secret      kubernetes.io/tls                     2      6d5h
[root@master pki]# kubectl describe secret def-ns-admin-token-p5nxf
Name:         def-ns-admin-token-p5nxf
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: def-ns-admin
              kubernetes.io/service-account.uid: 45e2e667-59d0-11e9-80a7-000c295ec349

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw
```
Copy this token and paste it into the login form. Keep in mind that a login with this token can only view the contents of the default namespace, as shown in the figure below:
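The certificate steps at the start of this section (genrsa, req -new, x509 -req signed by the cluster CA) stop before the one check that decides whether a browser will accept the result. The script below is an added example and not code from the original post: it follows the same three openssl steps, but uses a throwaway CA created in a temp directory in place of /etc/kubernetes/pki/ca.crt and ca.key, adds a subjectAltName for the hostname that will be typed into the browser, and then verifies both the chain and the hostname with openssl. The hostnames dashboard.example.internal and other.example.internal are constructed placeholders, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): mint a Dashboard serving
# certificate signed by a cluster CA and check it the way a browser will.
# Assumptions: openssl is installed; the CA is a throwaway one generated in a
# temp dir, standing in for /etc/kubernetes/pki/ca.crt and ca.key.
set -eu

WORK=$(mktemp -d)

# Throwaway CA, standing in for the kubeadm cluster CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=kubernetes" >/dev/null 2>&1
}

# Key + CSR + CA-signed cert for the Dashboard, with a SAN for the hostname
# the browser will use: browsers match the SAN, not the CN, so a CN-only cert
# still produces a hostname warning even when the CA is trusted.
make_dashboard_cert() {
  host=$1
  openssl genrsa -out "$WORK/dashboard.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$WORK/dashboard.key" -out "$WORK/dashboard.csr" \
    -subj "/O=white/CN=$host" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/dashboard.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 3650 -extfile "$WORK/san.cnf" \
    -out "$WORK/dashboard.crt" >/dev/null 2>&1
}

# Does the cert chain to the CA we signed with? Prints OK or FAIL.
cert_chains_to_ca() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/dashboard.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Does the cert cover the name the browser will use? Prints MATCH or MISMATCH.
# openssl prints "does match" or "does NOT match"; we grep for the former.
cert_matches_host() {
  if openssl x509 -noout -in "$WORK/dashboard.crt" -checkhost "$1" 2>/dev/null | grep -q 'does match'; then
    echo MATCH
  else
    echo MISMATCH
  fi
}

make_ca
make_dashboard_cert dashboard.example.internal
echo "chain to CA:                       $(cert_chains_to_ca)"
echo "host dashboard.example.internal:   $(cert_matches_host dashboard.example.internal)"
echo "host other.example.internal:       $(cert_matches_host other.example.internal)"
```

The chain check is the same test the browser performs when it shows the warning mentioned in the deployment section: the cluster CA is not in the browser's trust store. Importing ca.crt into the browser or OS trust store removes that warning without clicking through an exception, while the hostname check explains why a certificate whose CN does not match the name you type will still be rejected.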
kubeconfig authentication
- Configure the cluster information for def-ns-admin
```console
[root@master pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://10.0.0.10:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf
Cluster "kubernetes" set.
```
- Write the token into the kubeconfig as the user's credential
```console
[root@master pki]# kubectl config set-credentials -h # credentials can be configured from crt and key files or from a token; here we use the token

[root@master pki]# kubectl describe secret def-ns-admin-token-p5nxf
Name:         def-ns-admin-token-p5nxf
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: def-ns-admin
              kubernetes.io/service-account.uid: 45e2e667-59d0-11e9-80a7-000c295ec349

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw

# in the secret's data field the token is base64-encoded, so it has to be decoded first
[root@master pki]# kubectl get secret def-ns-admin-token-p5nxf -o jsonpath={.data.token} |base64 -d
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw

# configure the token as the user's credential
[root@master pki]# kubectl config set-credentials def-ns-admin --token=eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw --kubeconfig=/root/def-ns-admin.conf
User "def-ns-admin" set.
```
- Configure the context and the current context
```console
[root@master ~]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf
Context "def-ns-admin@kubernetes" created.

[root@master ~]# kubectl config view --kubeconfig=/root/def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://10.0.0.10:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: def-ns-admin
  name: def-ns-admin@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: def-ns-admin
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw
```
Copy /root/def-ns-admin.conf to your workstation; in the browser choose Kubeconfig login, load that file and click Sign in to get access, as shown in the figure:
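Both login methods above end with the same bearer token: the token section pastes it from `kubectl describe secret`, and the kubeconfig section pulls it out of `.data.token` with base64 -d. Before a token goes into a browser or a kubeconfig it is worth reading what it asserts. The script below is an added example, not code from the original post: the token it works on is constructed here with the same header and claim names as the one printed on the page but a fake signature, and its helpers (`secret_data_to_token`, `jwt_claim`, `jwt_has_expiry`) are this example's own names.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a service-account token
# before handing it to the Dashboard. SAMPLE_TOKEN is CONSTRUCTED below with a
# fake signature; it only mimics the shape of the real one on the page.
set -eu

# JWT segments are base64url without padding.
b64url_encode() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# base64url -> bytes, restoring the padding the JWT encoding strips.
b64url_decode() {
  s=$(tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# --- constructed sample: the claims a legacy service-account token carries ---
HEADER=$(printf '%s' '{"alg":"RS256","kid":""}' | b64url_encode)
PAYLOAD=$(printf '%s' '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/secret.name":"def-ns-admin-token-p5nxf","kubernetes.io/serviceaccount/service-account.name":"def-ns-admin","sub":"system:serviceaccount:default:def-ns-admin"}' | b64url_encode)
SAMPLE_TOKEN="$HEADER.$PAYLOAD.CONSTRUCTED-FAKE-SIGNATURE"
# What `kubectl get secret ... -o jsonpath={.data.token}` returns: the JWT,
# base64-encoded once more because it lives in a Secret's data field.
SAMPLE_SECRET_DATA=$(printf '%s' "$SAMPLE_TOKEN" | base64 | tr -d '\n')

# The decoding step from the page: Secret data field -> bearer token.
secret_data_to_token() { printf '%s' "$1" | base64 -d; }

# The JWT payload (second dot-separated segment) as JSON. This is decoding,
# not verification: only the API server, which holds the signing key, can
# verify the signature.
jwt_payload() { printf '%s' "$1" | cut -d. -f2 | b64url_decode; }

# Value of one string claim, e.g. sub or kubernetes.io/serviceaccount/namespace.
jwt_claim() { jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"; }

# Legacy service-account tokens of the kind shown on the page carry no exp
# claim: they stay valid until the Secret is deleted, which is why such a
# token should never be left in browser history or a shared kubeconfig.
jwt_has_expiry() {
  if jwt_payload "$1" | grep -q '"exp":'; then echo yes; else echo no; fi
}

TOKEN=$(secret_data_to_token "$SAMPLE_SECRET_DATA")
echo "subject:   $(jwt_claim "$TOKEN" sub)"
echo "namespace: $(jwt_claim "$TOKEN" kubernetes.io/serviceaccount/namespace)"
echo "secret:    $(jwt_claim "$TOKEN" kubernetes.io/serviceaccount/secret.name)"
echo "expires:   $(jwt_has_expiry "$TOKEN")"
```

Note the asymmetry the page's two commands show: `kubectl describe secret` prints the token already decoded, while `-o jsonpath={.data.token}` returns the raw base64 field, so only the second needs `base64 -d`. The claims tell you which ServiceAccount the Dashboard will act as, but not what it may do; to confirm that the RoleBinding really limits it to the default namespace, check with `kubectl auth can-i --list --as=system:serviceaccount:default:def-ns-admin -n kube-system` on the cluster.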
Summary
- When deploying the Dashboard, the Deployment image in the official yaml has to be replaced with a source reachable from China (the xiaobai20201 personal repository).
- In the official yaml, spec.type of the Service has to be changed to NodePort.
- The account used for login must be a ServiceAccount: the Dashboard pod presents it to Kubernetes for authentication. There are two login methods:
  - token:
    - Create the ServiceAccount and, according to what it is meant to manage, bind it to a suitable role or clusterrole with a rolebinding or clusterrolebinding;
    - Get this ServiceAccount's secret and look at its details; the token is in it;
    - Copy the token into the login page to log in.
  - kubeconfig: wrap the ServiceAccount's token in a kubeconfig file
    - Create the ServiceAccount and, according to what it is meant to manage, bind it to a suitable role or clusterrole with a rolebinding or clusterrolebinding;
    - Find the secret and extract the token:
      ```shell
      kubectl get secret |awk '/^ServiceAccount/{print $1}'
      KUBE_TOKEN=$(kubectl get secret SERVICEACCOUNT_SECRET_NAME -o jsonpath={.data.token} | base64 -d)
      ```
    - Generate the kubeconfig file:
      ```shell
      kubectl config set-cluster
      kubectl config set-credentials NAME --token=$KUBE_TOKEN
      kubectl config set-context
      kubectl config use-context
      ```
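The four `kubectl config` commands in the summary build the file that `kubectl config view` printed in the kubeconfig section. The script below is an added example, not code from the original post: it writes that same structure directly, so it runs without a cluster or kubectl, and embeds the CA the way `--embed-certs=true` does. The CA file and token it uses are constructed placeholders; `fetch_sa_token` is the live counterpart of the summary's token lookup and assumes a cluster of the page's era, where a ServiceAccount still gets an auto-created token Secret, so the main part below uses the constructed token instead of calling it.

```shell
#!/bin/sh
# Added example (not from the original post): build the kubeconfig the post
# assembles with kubectl config set-cluster/set-credentials/set-context/
# use-context, written directly so it runs offline. CA and token are
# CONSTRUCTED placeholders.
set -eu

# Live version of the summary's token lookup. Needs kubectl and a cluster
# where the ServiceAccount has an auto-created token Secret (the page's era);
# not called below.
fetch_sa_token() {  # usage: fetch_sa_token <serviceaccount> [namespace]
  ns=${2:-default}
  secret=$(kubectl -n "$ns" get sa "$1" -o jsonpath='{.secrets[0].name}')
  kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d
}

# Write a kubeconfig with one cluster, one token user and one context, and
# make that context current. The page's `kubectl config view` still shows
# current-context: "" because use-context had not been run at that point.
write_kubeconfig() {  # usage: write_kubeconfig <out> <cluster> <server> <ca.crt> <user> <token>
  out=$1 cluster=$2 server=$3 ca_file=$4 user=$5 token=$6
  ca_b64=$(base64 < "$ca_file" | tr -d '\n')   # same as --embed-certs=true
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
preferences: {}
clusters:
- name: $cluster
  cluster:
    server: $server
    certificate-authority-data: $ca_b64
users:
- name: $user
  user:
    token: $token
contexts:
- name: $user@$cluster
  context:
    cluster: $cluster
    user: $user
current-context: $user@$cluster
EOF
  # The file is a bearer credential with no expiry: owner-readable only.
  chmod 600 "$out"
}

# Read-back helpers used for checks.
kubeconfig_field() { sed -n "s/^$2: //p" "$1"; }        # top-level scalar, e.g. current-context
kubeconfig_token() { sed -n 's/^    token: //p' "$1"; }  # the user's token line

WORK=$(mktemp -d)
# Constructed stand-in for /etc/kubernetes/pki/ca.crt.
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n' > "$WORK/ca.crt"
# Constructed stand-in for the service-account token.
SAMPLE_TOKEN="eyJhbGciOiJSUzI1NiJ9.CONSTRUCTED-PAYLOAD.CONSTRUCTED-SIGNATURE"

write_kubeconfig "$WORK/def-ns-admin.conf" kubernetes https://10.0.0.10:6443 \
  "$WORK/ca.crt" def-ns-admin "$SAMPLE_TOKEN"
cat "$WORK/def-ns-admin.conf"
```

With a real cluster, replace SAMPLE_TOKEN with `$(fetch_sa_token def-ns-admin)` and point the CA argument at /etc/kubernetes/pki/ca.crt; the resulting file loads into the Dashboard's Kubeconfig login exactly like the one the post copies to the workstation.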