
kubernetes dashboard 1.8 訪問認證 ——config檔案訪問

1 建立角色和角色繫結

例如,建立cms使用者

A 建立角色cms
cms-role-cms.yaml

# Namespaced Role "cms": the permission set a dashboard user gets inside the
# "cms" namespace only. Bound to User "cms" by cms-rolebinding-cms.yaml.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cms
  namespace: cms
rules:
# Full control of pods plus the exec/attach/portforward/proxy subresources.
# SECURITY: pods/exec and pods/attach let the holder run commands inside any
# pod in the namespace, i.e. read whatever secrets and tokens are mounted
# there; grant these only if the dashboard user really needs a shell.
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
# Full control of the namespace's core workload/config objects.
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
# Read access to secrets and serviceaccounts. "get" and "list" both return the
# secret contents (including ServiceAccount tokens), so this is effectively
# read-everything-in-the-namespace; drop it if the user only needs workloads.
- apiGroups:
  - ""
  resources:
  - secrets
  - serviceaccounts
  verbs:
  - get
  - list
  - watch
# Read-only status/observability objects (events, logs, quotas).
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
# SECURITY: "impersonate" on serviceaccounts lets the holder act as any
# ServiceAccount in this namespace and thereby inherit every binding those
# accounts have. That is a privilege-escalation path; remove this rule unless
# impersonation is deliberately required.
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
# Full control of apps/v1 workload controllers.
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
# Legacy "extensions" group: same workload kinds as apps/ plus ingresses, kept
# because dashboard 1.8-era clusters still serve them there.
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
# In a namespaced Role this only covers the "cms" Namespace object itself
# (presumably so the dashboard can display it); it does not list other
# namespaces.
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch

B 建立角色繫結 
cms-rolebinding-cms.yaml

# Binds the namespaced Role "cms" to the X.509 user "cms" (the CN of the
# client certificate generated in step 3). Scope: the cms namespace only.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cms
  namespace: cms
subjects:
- kind: User
  name: cms # target user; must equal the CN in cms-csr.json
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: cms # role to grant (cms-role-cms.yaml); roleRef is immutable once created
  apiGroup: rbac.authorization.k8s.io

執行建立

# Create the Role and its RoleBinding in one call; files are processed in the
# order given, so the Role exists before the binding that references it.
kubectl create -f cms-role-cms.yaml -f cms-rolebinding-cms.yaml

2  建立token(也就是secret)

kubernetes-dashboard-cms-rbac.yaml

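---
# ServiceAccount whose token the dashboard will use when it logs in with the
# kubeconfig built in steps 3-4.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-cms
  namespace: cms
---
# NOTE(review): the original listing used a ClusterRoleBinding whose roleRef
# pointed at a ClusterRole named "cms". This page only ever creates a
# namespaced Role "cms" (cms-role-cms.yaml), and a ClusterRoleBinding cannot
# reference a Role, so that binding grants nothing unless a ClusterRole "cms"
# already exists in the cluster. A RoleBinding in the cms namespace binds the
# ServiceAccount to the Role that was actually created, and keeps the grant
# scoped to that one namespace instead of cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-cms
  namespace: cms
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cms
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard-cms
  namespace: cms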

執行建立

# Create the ServiceAccount and its binding from the multi-document manifest.
kubectl create --filename=kubernetes-dashboard-cms-rbac.yaml

3 建立config檔案

A 證書內容（CN 會成為 Kubernetes 的使用者名稱，必須與 RoleBinding 中 subjects 的 User 名稱一致；O 會成為該使用者所屬的群組名稱）
cms-csr.json

{
  "CN": "cms",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

B 建立config檔案指令碼
userconfig.sh

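#!/usr/bin/env bash
# Generate a client certificate and a self-contained kubeconfig for each user
# listed in the for loop. Inputs, in the current directory: <user>-csr.json,
# the CA pair k8s-root-ca.pem / k8s-root-ca-key.pem and the cfssl config
# k8s-gencert.json. Outputs: <user>.pem, <user>-key.pem, <user>.kubeconfig.
#
# NOTE(review): the original had no shebang and no error handling, so a failed
# cfssl run (missing CA, bad CSR) still went on to write a kubeconfig that
# embedded missing or stale certificate files.
set -euo pipefail

for targetName in cms; do
  # Issue the client cert. The CN in the CSR becomes the Kubernetes username,
  # the O field becomes its group.
  cfssl gencert --ca k8s-root-ca.pem --ca-key k8s-root-ca-key.pem \
    --config k8s-gencert.json --profile kubernetes "${targetName}-csr.json" \
    | cfssljson --bare "${targetName}"
  # The private key is a credential: owner-readable only.
  chmod 600 "${targetName}-key.pem"

  echo "Create ${targetName} kubeconfig..."
  # Replace *.*.*.* with the real API server address (redacted in the page).
  kubectl config set-cluster kubernetes --certificate-authority=k8s-root-ca.pem --embed-certs=true --server="https://*.*.*.*:6443" --kubeconfig="${targetName}.kubeconfig"
  kubectl config set-credentials "${targetName}" --client-certificate="${targetName}.pem" --client-key="${targetName}-key.pem" --embed-certs=true --kubeconfig="${targetName}.kubeconfig"
  kubectl config set-context kubernetes --cluster=kubernetes --user="${targetName}" --kubeconfig="${targetName}.kubeconfig"
  kubectl config use-context kubernetes --kubeconfig="${targetName}.kubeconfig"
  # The kubeconfig now embeds the private key (--embed-certs=true); lock it
  # down the same way as the key file.
  chmod 600 "${targetName}.kubeconfig"
done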

如上指令碼是一個 for 迴圈；要為多個使用者建立各自許可權的 config 檔案時，只需把使用者名稱依序加入 for 清單，並為每個使用者準備對應的 <使用者名稱>-csr.json、Role 與 RoleBinding。

執行指令碼建立config檔案。

# Run the generator from the directory holding the CA pair, k8s-gencert.json
# and cms-csr.json; it writes cms.pem, cms-key.pem and cms.kubeconfig there.
chmod +x userconfig.sh
./userconfig.sh

如上執行後會生成一個cms.kubeconfig檔案。

4 config檔案中新增token

獲取建立的token內容

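# Read the token of the ServiceAccount's own token secret instead of grepping
# the secret list: `grep kubernetes-dashboard` matches every secret whose name
# contains that string and can hand several names to `describe`.
# .secrets[0].name relies on the auto-created token secret that clusters of
# the dashboard-1.8 era attach to each ServiceAccount (dropped in 1.24+).
kubectl -n cms get secret "$(kubectl -n cms get serviceaccount kubernetes-dashboard-cms -o jsonpath='{.secrets[0].name}')" -o jsonpath='{.data.token}' | base64 -d; echo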

將獲取到的 token 貼上到步驟 3 生成的 cms.kubeconfig 檔案中（放在 users 底下對應使用者的 user: 區塊內，鍵名為 token）

得到如下:

# cms.kubeconfig after step 4 (the * runs stand for redacted base64 data).
# SECURITY: this one file now carries two long-lived credentials: the embedded
# client private key (client-key-data) and the ServiceAccount bearer token
# (token). Keep it mode 0600, hand it over only through a secure channel, and
# revoke by deleting the ServiceAccount / its token secret. The client
# certificate itself cannot be revoked short of rotating the CA, so keep the
# permissions bound to User "cms" minimal.
apiVersion: v1
clusters:
- cluster:
    # CA that signed the API server certificate; embedded by --embed-certs=true.
    certificate-authority-data: ************************BDRVJUSUZJQ0FURS0tLS0tCk1JSUR2akNDQXFhZ0F3SUJBZ0lVWGRFMkozQ0RGdmZmcmRDbS9Ua2ROSE9pZ3Ywd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1pURUxNQWtHQTFVRUJoTUNZMjR4RURBT0JnTlZCQWdUQjNScFlXNXFhV*****RBT0JnTlZCQWNUQjNScApZVzVxYVc0eEREQUtCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HYzNsemRHVnRNUk13RVFZRF**********************
    server: https://*.*.*.*:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: cms
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: cms
  user:
    as-user-extra: {}
    # X.509 client cert/key issued by userconfig.sh (CN=cms -> user "cms").
    client-certificate-data: ******************************nVGUGVrcjRhaG5VbVEvc2s1YXZQa3MyMgo3aEVvRFh6TUwwbzUxL3I5TTRFdVRqdTZQb0V1SFFSZHIydy9IaFZZaGM5SEdKamlyR1J2a1lTYWZLMnRmZ1dLCjhyZ3o5WVdnOUpvWXJvQTllWUFvV21DR2hERFpmeVNvSmFMQ2tqVThCK3U3TXJSV********************
    client-key-data: *******************************kQTh3L1RPS3hsMXRoTU43ZGFoVHYzQm1CclJnNnNGd1VwQy9yS0Y3Ci9BWFNzM2ZBczVzZmJCOTZQN3lXeXNrQ2dZRUFqd0REWEZVWWdjcllJY1B6UEhtRGtkYU1scnBnNmR2UmlDeEEKRUdKb295Z2Q1cUFGU3hHQ1orODY4ZEt0YVZ6VTZ4WFh********************
    # Bearer token of ServiceAccount kubernetes-dashboard-cms, pasted in step 4.
    # NOTE(review): presumably the dashboard's kubeconfig login uses this token
    # rather than the client cert, which is why the ServiceAccount (not User
    # "cms") needs its own binding for dashboard access - confirm.
    token: ****************************************8YQPdhiRvaKlwq1o1vX1ROX_L8GZpy0Ech-kCk9DfPpGuiPDedWxiLCbS6TaCVUH2v1LDpQwCutWLsknbaxv_-TnlQeXQs1***************

此時的 config 檔案即可用來登入 kubernetes 的 dashboard 介面。注意：這個檔案同時內嵌了使用者的私鑰（client-key-data）與 ServiceAccount 的長期 token，請以 600 權限保存並透過安全管道交付；要撤銷存取權時，刪除該 ServiceAccount（或其 token secret）即可讓 token 失效，但用戶端憑證本身無法撤銷，只能靠縮減其 RoleBinding 許可權或更換 CA。