Dashboard: https://github.com/kubernetes/dashboard
Download the YAML file
[root@master manifests]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
Inspect the YAML
The deployment's image has to be pulled from the k8s.gcr.io registry, and that pull does not succeed from inside China. Two approaches:
[root@master manifests]# vim kubernetes-dashboard.yaml
......
        #image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
        image: xiaobai20201/kubernetes-dashboard-amd64:v1.10.1    # my own Docker Hub repository
......
The Service in the YAML file does not specify a type; it has to be set to NodePort before the dashboard can be reached from outside the cluster.
......
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  type: NodePort
......
Apply it
[root@master manifests]# kubectl apply -f kubernetes-dashboard.yaml
secret/kubernetes-dashboard-certs created
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created
[root@master manifests]# kubectl get pods -n kube-system
NAME                                   READY   STATUS    RESTARTS   AGE
coredns-78d4cf999f-6cb69               1/1     Running   0          11d
coredns-78d4cf999f-tflpn               1/1     Running   0          11d
etcd-master                            1/1     Running   0          11d
kube-apiserver-master                  1/1     Running   0          11d
kube-controller-manager-master         1/1     Running   0          11d
kube-flannel-ds-amd64-gtv85            1/1     Running   0          11d
kube-flannel-ds-amd64-gwbql            1/1     Running   1          11d
kube-flannel-ds-amd64-ml7nf            1/1     Running   0          11d
kube-proxy-ch4vp                       1/1     Running   0          11d
kube-proxy-cz2rf                       1/1     Running   1          11d
kube-proxy-kdp7d                       1/1     Running   0          11d
kube-scheduler-master                  1/1     Running   0          11d
kubernetes-dashboard-6f9998798-klf4t   1/1     Running   0          2m46s
[root@master manifests]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP   11d
kubernetes-dashboard   NodePort    10.104.230.45   <none>        443:30650/TCP   43s
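Open https://10.0.0.10:30650 in a browser. Note that the HTTPS certificate here is not trusted, so Chrome will refuse the connection; Firefox is recommended instead, where the certificate has to be accepted under the Advanced options.
In k8s the dashboard can be accessed in two ways: kubeconfig (HTTPS) and token (http):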
[root@master manifests]# cd /etc/kubernetes/pki/
[root@master pki]# (umask 077;openssl genrsa -out dashboard.key 2048)
Generating RSA private key, 2048 bit long modulus
...................................................................+++
.......+++
e is 65537 (0x10001)
[root@master pki]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=white/CN=dasnboard"    # if the dashboard is later accessed by domain name, the CN must match that domain
[root@master pki]# openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 3650
Signature ok
subject=/O=white/CN=dasnboard
Getting CA Private Key
[root@master pki]# kubectl create secret generic dashboard-cert -n kube-system --from-file=dashboard.crt=./dashboard.crt --from-file=dashboard.key=./dashboard.key
secret/dashboard-cert created
[root@master pki]# kubectl get secret -n kube-system |grep dashboard
dashboard-cert                     Opaque                                2      25s
kubernetes-dashboard-certs         Opaque                                0      101m
kubernetes-dashboard-key-holder    Opaque                                2      100m
kubernetes-dashboard-token-4pln6   kubernetes.io/service-account-token   3      101m
# create the serviceaccount
[root@master pki]# kubectl create serviceaccount def-ns-admin -n default
serviceaccount/def-ns-admin created
# bind the service account to the cluster role admin
[root@master pki]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin
rolebinding.rbac.authorization.k8s.io/def-ns-admin created
[root@master pki]# kubectl get secret
NAME                       TYPE                                  DATA   AGE
admin-token-sswgb          kubernetes.io/service-account-token   3      4d1h
def-ns-admin-token-p5nxf   kubernetes.io/service-account-token   3      74s
default-token-dqd2f        kubernetes.io/service-account-token   3      11d
mysql-root-password        Opaque                                1      5d
tomcat-ingress-secret      kubernetes.io/tls                     2      6d5h
[root@master pki]# kubectl describe secret def-ns-admin-token-p5nxf
Name:         def-ns-admin-token-p5nxf
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: def-ns-admin
              kubernetes.io/service-account.uid: 45e2e667-59d0-11e9-80a7-000c295ec349

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      <service-account token (JWT) omitted>
Copy the token and paste it into the login form. Note that this token can only view the contents of the default namespace, as shown in the figure:
[root@master pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://10.0.0.10:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf
Cluster "kubernetes" set.
[root@master pki]# kubectl config set-credentials -h    # credentials can be configured with crt and key files or with a token; a token is used here
[root@master pki]# kubectl describe secret def-ns-admin-token-p5nxf
Name:         def-ns-admin-token-p5nxf
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: def-ns-admin
              kubernetes.io/service-account.uid: 45e2e667-59d0-11e9-80a7-000c295ec349

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      <service-account token (JWT) omitted>
# the token stored in the secret's data is base64-encoded, so it has to be decoded here
[root@master pki]# kubectl get secret def-ns-admin-token-p5nxf -o jsonpath={.data.token} |base64 -d
<decoded service-account token (JWT) omitted>
# configure the token
[root@master pki]# kubectl config set-credentials def-ns-admin --token=<decoded token from the previous command> --kubeconfig=/root/def-ns-admin.conf
User "def-ns-admin" set.
[root@master ~]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf
Context "def-ns-admin@kubernetes" created.
[root@master ~]# kubectl config view --kubeconfig=/root/def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://10.0.0.10:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: def-ns-admin
  name: def-ns-admin@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: def-ns-admin
  user:
    token: <service-account token (JWT) omitted>
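Copy /root/def-ns-admin.conf to the host machine. In the browser, choose Kubeconfig authentication, load this configuration file and click Sign in to gain access, as shown in the figure: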
kubectl config set-cluster
kubectl config set-credentials NAME --token=$KUBE_TOKEN
kubectl config set-context
kubectl config use-context
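Added example, not part of the original post: the token pasted into the login form and written into def-ns-admin.conf is a JWT whose payload is only base64url-encoded, so the identity it carries can be read offline by anyone who obtains the file. The sample token is constructed and the function names are this example's own; what the account may do is decided by the RoleBinding, not by the token.

```shell
#!/bin/sh
# Added example: read the claims of a service-account token offline.

# base64url -> bytes: map the JWT alphabet back and restore stripped padding.
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# bytes -> base64url, used only to build the constructed sample below.
b64url_encode() {
    printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'
}

# The second dot-separated segment of a JWT is the JSON claim set.
jwt_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Value of a flat string claim (enough for these tokens; use a JSON parser
# for anything nested or containing commas).
jwt_claim() {
    jwt_payload "$1" | tr ',' '\n' |
        sed -n "s|^[{ ]*\"$2\":[ ]*\"\(.*\)\"[} ]*\$|\1|p"
}

# Succeeds if the claim is present at all, whatever its type.
jwt_has_claim() {
    jwt_payload "$1" | grep -q "\"$2\":"
}

# Constructed sample with the claim names a secret-based token carries.
make_sample_token() {
    hdr='{"alg":"RS256","kid":""}'
    claims='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/service-account.name":"def-ns-admin","sub":"system:serviceaccount:default:def-ns-admin"}'
    printf '%s.%s.%s' "$(b64url_encode "$hdr")" "$(b64url_encode "$claims")" "constructed-signature"
}

tok=$(make_sample_token)
echo "namespace: $(jwt_claim "$tok" 'kubernetes.io/serviceaccount/namespace')"
echo "subject:   $(jwt_claim "$tok" sub)"
jwt_has_claim "$tok" exp || echo "no exp claim: the token does not expire on its own"
```

A secret-based token like this one stays valid until its secret or service account is deleted, so def-ns-admin.conf deserves the same file permissions as a private key.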