The dashboard runs as a pod and needs a serviceaccount to log in.

First, create a dedicated set of credentials for the dashboard.

First generate a private key:

[root@master ~]# cd /etc/kubernetes/pki/
[root@master pki]# (umask 077; openssl genrsa -out dashboard.key 2048)
Generating RSA private key, 2048 bit long modulus
.............................................................................................................................+++
.................................+++

Create a certificate signing request:

[root@master pki]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=zhixin/CN=dashboard"

Now sign the certificate with the cluster CA:

[root@master pki]# openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 365
Signature ok
subject=/O=zhixin/CN=dashboard
Getting CA Private Key
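The three openssl steps above, as an added example that is not code from the original post: a POSIX shell script that repeats them against a throwaway CA in a temporary directory (a stand-in for /etc/kubernetes/pki/ca.crt and ca.key) and then runs the checks worth doing before the files are loaded into a Secret: the certificate chains to the CA, the private key belongs to the certificate, the certificate stays valid for a chosen period (the post issues it for 365 days), and the key file is not readable by group or others (the umask 077 subshell in the post is what guarantees that). The function names are this example's own; it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: repeat the key / CSR / sign steps
# against a throwaway CA, then check the result before creating the Secret.
# Assumes openssl in PATH; function names are this example's own.

# Self-signed CA in directory $1 (stand-in for /etc/kubernetes/pki/ca.crt, ca.key).
make_test_ca() {
  dir=$1
  (umask 077; openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null)
  openssl req -x509 -new -key "$dir/ca.key" -days 3650 -subj "/CN=test-ca" \
    -out "$dir/ca.crt" 2>/dev/null
}

# Key + CSR + CA-signed certificate: the post's three commands, spacing fixed.
# $1 = directory, $2 = organisation (O), $3 = common name (CN), $4 = validity in days
issue_cert() {
  dir=$1; org=$2; cn=$3; days=$4
  (umask 077; openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null)
  openssl req -new -key "$dir/$cn.key" -out "$dir/$cn.csr" -subj "/O=$org/CN=$cn" 2>/dev/null
  openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/$cn.crt" -days "$days" 2>/dev/null
}

# Pre-flight checks on $dir/$cn.{crt,key}. Prints "ok", or the name of the first
# failing check: chain (not signed by our CA), keymatch (key does not belong to
# the cert), expiry (expires within $3 seconds), keymode (key readable by others).
check_cert() {
  dir=$1; cn=$2; min_secs=$3
  openssl verify -CAfile "$dir/ca.crt" "$dir/$cn.crt" >/dev/null 2>&1 \
    || { echo chain; return 1; }
  cert_mod=$(openssl x509 -noout -modulus -in "$dir/$cn.crt")
  key_mod=$(openssl rsa -noout -modulus -in "$dir/$cn.key" 2>/dev/null)
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] || { echo keymatch; return 1; }
  openssl x509 -noout -checkend "$min_secs" -in "$dir/$cn.crt" >/dev/null \
    || { echo expiry; return 1; }
  [ "$(ls -l "$dir/$cn.key" | cut -c5-10)" = "------" ] || { echo keymode; return 1; }
  echo ok
}

# Demo run in a temporary directory.
work=$(mktemp -d)
make_test_ca "$work"
issue_cert "$work" zhixin dashboard 365
echo "dashboard.crt: $(check_cert "$work" dashboard 86400)"   # ok
openssl x509 -noout -subject -enddate -in "$work/dashboard.crt"
```

check_cert returns the name of the first failing check rather than a bare exit code so that a wrapper script can log which condition blocked the Secret from being created; the 86400-second window in the demo means "must still be valid tomorrow".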

Create a secret from the private key and certificate generated above:

[root@master pki]# kubectl create secret generic dashboard-cert -n kube-system --from-file=dashboard.crt=./dashboard.crt --from-file=dashboard.key=./dashboard.key
secret/dashboard-cert created

[root@master pki]# kubectl get secret -n kube-system |grep dashboard
dashboard-cert   Opaque   2   5m

Create a serviceaccount, because the dashboard needs a serviceaccount (the identity used for login authentication between pods) to authenticate logins.

[root@master pki]# kubectl create serviceaccount dashboard-admin -n kube-system
serviceaccount/dashboard-admin created

[root@master pki]# kubectl get sa -n kube-system |grep admin
dashboard-admin   1   23s

Next, bind dashboard-admin to a clusterrole with a clusterrolebinding.

[root@master pki]# kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin created

Now the serviceaccount dashboard-admin has permission to manage the entire cluster.

[root@master pki]# kubectl get secret -n kube-system |grep dashboard
dashboard-admin-token-hfxg9   kubernetes.io/service-account-token   3   7m

[root@master pki]# kubectl describe secret dashboard-admin-token-hfxg9 -n kube-system
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4taGZ4ZzkiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZDBlNmIxMzAtYzM5OC0xMWU4LWJiMzUtMDA1MDU2YTI0ZWNiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.PyE0q9sZl8uDF-KGvpwG3nDfny9i2wdP-24Jf8d5GlWDfaHO3vkEe1zs56K7qkRPvrg-iQ0tVvoVG8SAj2cBKjLYP6oSiQcVS3ax2TyiSG7j5Ibupc1TXKj0Yc4FfcIKu1tMZwtezHdKUDDY7RJ2sp81rYHbJdkjXe-40cITCKcjadSU-6sfNJnq4E4E-bp1LYrBvokUbBW4xkHzruS7QFQAnEZ3v257R_xjXx23NPsqwCH6dx8OWYgIXdtUos7vNjLw8xy-_rO9VEuGRnzni5m9SBdVwEF7edtJh_psZBe7yfGAkgfRPpxbwB_wyyProM-aIn6LL4aekUwBqbwOLQ

The token above is the authentication token for the serviceaccount dashboard-admin.

Now deploy the dashboard:

[root@master pki]# kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

[root@master ~]# kubectl get pods -n kube-system
NAME                                   READY     STATUS    RESTARTS   AGE
kubernetes-dashboard-767dc7d4d-4mq9z   1/1       Running   2          2h

[root@master ~]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10    <none>        53/UDP,53/TCP   21d
kubernetes-dashboard   ClusterIP   10.104.8.78   <none>        443/TCP         45m

[root@master ~]# kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
service/kubernetes-dashboard patched

[root@master ~]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10    <none>        53/UDP,53/TCP   21d
kubernetes-dashboard   NodePort    10.104.8.78   <none>        443:31647/TCP   47m

Now the dashboard can be reached from outside the cluster on port 31647, using the IP of the master node's host.

Note: open it with Firefox; other browsers will not open it. Pay attention to this!!!


With the authentication method above, this user can see everything in the whole cluster; it is a super administrator. Next we set up another user that is restricted to the default namespace. A rolebinding that references the built-in admin clusterrole grants those permissions only inside the namespace the binding lives in (default here), not cluster-wide.

[root@master ~]# kubectl create serviceaccount def-ns-admin -n default
serviceaccount/def-ns-admin created

[root@master ~]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin
rolebinding.rbac.authorization.k8s.io/def-ns-admin created

[root@master ~]# kubectl get secret
NAME                       TYPE                                  DATA      AGE
admin-token-6jpc5          kubernetes.io/service-account-token   3         1d
def-ns-admin-token-646gx   kubernetes.io/service-account-token   3         2m

[root@master ~]# kubectl describe secret def-ns-admin-token-646gx
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi02NDZneCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ODZiOGI2NC1jM2JmLTExZTgtYmIzNS0wMDUwNTZhMjRlY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.MTyQW7Vn_1j9cfmtYAE4CepmLsaMsMfE5VG6xkx4LsfrsKOO2FAo1bQuUtjLtAj52UzC7I0dVqQKpcx1DPxkr8QIpNm37PLE01geQ0C0me7QiRiM9KrFXmDtxUSLlhPBahxg-krlaANEWDKX69nss6qKiFgip7KHM_uP-b1d1caSE8y-zdEtTHK8QJ9reMb-EHG6iPkFpYJ-2guDOUhL5559usR16o2AWoN8yRdcKtnpqwBV_n2UE4m83kLjA30PtYpqraIQp9yTa21jiVlceHZpWxx-HlOEjDE4ekNCe_xTorJ7MbHVTyfqr37o8fh8Gsh-P5_tK-qaDOO7pSMkHA

Paste the token above into the token field of the web login page; once logged in, this user can only see the contents of the default namespace.


Next, let's try authenticating with the kubeconfig method.

[root@master pki]# cd /etc/kubernetes/pki

[root@master pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://172.16.1.100:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf
Cluster "kubernetes" set.

[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://172.16.1.100:6443
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []

[root@master pki]# kubectl get secret
NAME                       TYPE                                  DATA      AGE
admin-token-6jpc5          kubernetes.io/service-account-token   3         1d
def-ns-admin-token-646gx   kubernetes.io/service-account-token   3         33m

[root@master pki]# kubectl get secret def-ns-admin-token-646gx -o json
"token": "<base64-encoded token, elided>"

[root@master pki]# DEF_NS_ADMIN_TOKEN=$(kubectl get secret def-ns-admin-token-646gx -o jsonpath={.data.token} | base64 -d)

[root@master pki]# kubectl config set-credentials def-ns-admin --token=$DEF_NS_ADMIN_TOKEN --kubeconfig=/root/def-ns-admin.conf
User "def-ns-admin" set.

[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://172.16.1.100:6443
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users:
- name: def-ns-admin

[root@master pki]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf
Context "def-ns-admin@kubernetes" created.

[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://172.16.1.100:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: def-ns-admin
  name: def-ns-admin@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: def-ns-admin
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi02NDZneCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ODZiOGI2NC1jM2JmLTExZTgtYmIzNS0wMDUwNTZhMjRlY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.MTyQW7Vn_1j9cfmtYAE4CepmLsaMsMfE5VG6xkx4LsfrsKOO2FAo1bQuUtjLtAj52UzC7I0dVqQKpcx1DPxkr8QIpNm37PLE01geQ0C0me7QiRiM9KrFXmDtxUSLlhPBahxg-krlaANEWDKX69nss6qKiFgip7KHM_uP-b1d1caSE8y-zdEtTHK8QJ9reMb-EHG6iPkFpYJ-2guDOUhL5559usR16o2AWoN8yRdcKtnpqwBV_n2UE4m83kLjA30PtYpqraIQp9yTa21jiVlceHZpWxx-HlOEjDE4ekNCe_xTorJ7MbHVTyfqr37o8fh8Gsh-P5_tK-qaDOO7pSMkHA

[root@master pki]# kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf
Switched to context "def-ns-admin@kubernetes".

[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://172.16.1.100:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: def-ns-admin
  name: def-ns-admin@kubernetes
current-context: def-ns-admin@kubernetes
kind: Config
preferences: {}
users:
- name: def-ns-admin
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi02NDZneCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ODZiOGI2NC1jM2JmLTExZTgtYmIzNS0wMDUwNTZhMjRlY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.MTyQW7Vn_1j9cfmtYAE4CepmLsaMsMfE5VG6xkx4LsfrsKOO2FAo1bQuUtjLtAj52UzC7I0dVqQKpcx1DPxkr8QIpNm37PLE01geQ0C0me7QiRiM9KrFXmDtxUSLlhPBahxg-krlaANEWDKX69nss6qKiFgip7KHM_uP-b1d1caSE8y-zdEtTHK8QJ9reMb-EHG6iPkFpYJ-2guDOUhL5559usR16o2AWoN8yRdcKtnpqwBV_n2UE4m83kLjA30PtYpqraIQp9yTa21jiVlceHZpWxx-HlOEjDE4ekNCe_xTorJ7MbHVTyfqr37o8fh8Gsh-P5_tK-qaDOO7pSMkHA

At this point the file /root/def-ns-admin.conf can be used to log in to the dashboard (upload it on the login page).


Summary

1. Deploy:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

2. Change the service to NodePort:

kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system

3. Authentication:

The account used for authentication must be a ServiceAccount: the dashboard pod presents it to kubernetes, which performs the authentication.

First method: token authentication:

a) Create a serviceaccount and, according to what it is meant to manage, bind it with a rolebinding or clusterrolebinding to a suitable role or clusterrole;

b) Get this serviceaccount's secret and view the secret's details; they include the token, which is pasted into the token field of the web UI.

Second method: kubeconfig authentication: wrap the serviceaccount's token in a kubeconfig file.

a) Create a serviceaccount and, according to what it is meant to manage, bind it with a rolebinding or clusterrolebinding to a suitable role or clusterrole;

b) Find the serviceaccount's token secret and extract the token:

kubectl get secret | awk '/^SERVICEACCOUNT_NAME/{print $1}'
KUBE_TOKEN=$(kubectl get secret SERVICEACCOUNT_SECRET_NAME -o jsonpath={.data.token} | base64 -d)

c) Generate the kubeconfig file:

kubectl config set-cluster CLUSTER_NAME --certificate-authority=/PATH/TO/ca.crt --server="https://APISERVER:6443" --embed-certs=true --kubeconfig=/PATH/TO/SOMEFILE
kubectl config set-credentials NAME --token=$KUBE_TOKEN --kubeconfig=/PATH/TO/SOMEFILE
kubectl config set-context CONTEXT_NAME --cluster=CLUSTER_NAME --user=NAME --kubeconfig=/PATH/TO/SOMEFILE
kubectl config use-context CONTEXT_NAME --kubeconfig=/PATH/TO/SOMEFILE
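The token-inspection step of both methods and the kubeconfig steps just listed, as an added example that is not part of the original post: a POSIX shell script that decodes the service-account JWT (the dashboard-admin token printed earlier in the post is used as sample input), reads the namespace and account name from its sub claim, reports whether it carries an exp claim (legacy secret-based tokens like the ones on this page do not, so they stay valid until their secret is deleted), and then writes a kubeconfig in the layout that kubectl config view printed above, with the file created mode 0600 because it holds a bearer credential. The function names, the CA_PLACEHOLDER_BASE64 value and the namespace field added to the context are this example's own; it assumes GNU base64 and needs no cluster.

```shell
#!/bin/sh
# Added example, not from the original post: inspect a service-account token
# before wrapping it in a kubeconfig, then write the kubeconfig directly.
# Needs only POSIX sh, tr, cut, sed, grep and GNU base64 (-d); no cluster.
# Function names, CA_PLACEHOLDER_BASE64 and the context's namespace field are
# this example's own.

# Sample input: the dashboard-admin token printed by `kubectl describe secret`
# earlier in the post (a legacy, secret-based service-account JWT).
DASHBOARD_ADMIN_TOKEN='eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4taGZ4ZzkiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZDBlNmIxMzAtYzM5OC0xMWU4LWJiMzUtMDA1MDU2YTI0ZWNiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.PyE0q9sZl8uDF-KGvpwG3nDfny9i2wdP-24Jf8d5GlWDfaHO3vkEe1zs56K7qkRPvrg-iQ0tVvoVG8SAj2cBKjLYP6oSiQcVS3ax2TyiSG7j5Ibupc1TXKj0Yc4FfcIKu1tMZwtezHdKUDDY7RJ2sp81rYHbJdkjXe-40cITCKcjadSU-6sfNJnq4E4E-bp1LYrBvokUbBW4xkHzruS7QFQAnEZ3v257R_xjXx23NPsqwCH6dx8OWYgIXdtUos7vNjLw8xy-_rO9VEuGRnzni5m9SBdVwEF7edtJh_psZBe7yfGAkgfRPpxbwB_wyyProM-aIn6LL4aekUwBqbwOLQ'

# Decode one base64url segment of a JWT; JWTs strip the '=' padding, so restore it.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# JSON payload of a JWT (the second dot-separated segment).
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# A string-valued claim. Claim names contain '/' and '.', so sed uses '|'.
jwt_claim() { jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"; }

# The API server identifies the caller by the sub claim,
# system:serviceaccount:<namespace>:<name>; split it into its parts.
sa_token_namespace() { jwt_claim "$1" sub | cut -d: -f3; }
sa_token_name()      { jwt_claim "$1" sub | cut -d: -f4; }

# Legacy secret-based tokens have no exp claim: they stay valid until the
# secret is deleted. Prints "expiring" or "non-expiring".
sa_token_lifetime() {
  if jwt_payload "$1" | grep -q '"exp":'; then echo expiring; else echo non-expiring; fi
}

# Equivalent of the set-cluster / set-credentials / set-context / use-context
# sequence from the post, written as one file. The namespace from the token is
# also set on the context so kubectl defaults to it. A bearer credential is
# inside, so the file is created mode 0600.
# $1 = output path, $2 = API server URL, $3 = base64 CA certificate, $4 = token
write_sa_kubeconfig() {
  out=$1; server=$2; ca_b64=$3; token=$4
  ns=$(sa_token_namespace "$token"); name=$(sa_token_name "$token")
  [ -n "$ns" ] && [ -n "$name" ] || { echo "not a service-account token" >&2; return 1; }
  (
    umask 077
    cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: $server
    certificate-authority-data: $ca_b64
users:
- name: $name
  user:
    token: $token
contexts:
- name: $name@kubernetes
  context:
    cluster: kubernetes
    user: $name
    namespace: $ns
current-context: $name@kubernetes
EOF
  )
}

# Demo run on the sample token.
echo "sub:      $(jwt_claim "$DASHBOARD_ADMIN_TOKEN" sub)"   # system:serviceaccount:kube-system:dashboard-admin
echo "secret:   $(jwt_claim "$DASHBOARD_ADMIN_TOKEN" kubernetes.io/serviceaccount/secret.name)"
echo "lifetime: $(sa_token_lifetime "$DASHBOARD_ADMIN_TOKEN")"   # non-expiring
demo_conf=$(mktemp -d)/dashboard-admin.conf
write_sa_kubeconfig "$demo_conf" https://172.16.1.100:6443 CA_PLACEHOLDER_BASE64 "$DASHBOARD_ADMIN_TOKEN"
echo "wrote $demo_conf"
```

For a real file, pass `$(base64 -w0 /etc/kubernetes/pki/ca.crt)` as the third argument in place of the placeholder. Reading the sub claim first is the cheap way to confirm which account and namespace a kubeconfig is about to grant before it is handed to anyone: the dashboard-admin token resolves to kube-system:dashboard-admin (cluster-admin on this page), the def-ns-admin token to default:def-ns-admin.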

Ways of managing a kubernetes cluster

1. Imperative commands: create, run, expose, delete, edit ...

2. Imperative object configuration files: create -f /PATH/TO/RESOURCE_CONFIGURATION_FILE, delete -f, replace -f

3. Declarative object configuration files: apply -f, patch

It is generally advised not to mix the three approaches above; commands such as apply and patch are recommended.
