
Kubernetes (Part 16): Dashboard Authentication and Access


Contents

  • Kubernetes (Part 16): Dashboard Authentication and Access
    • Deploying the Dashboard
    • Token authentication
    • kubeconfig authentication
    • Summary


Dashboard:https://github.com/kubernetes/dashboard

Deploying the Dashboard

Download the yaml file

[root@master manifests]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

Inspect the yaml
The Deployment's image has to be pulled from the k8s.gcr.io registry, which cannot be reached from within China. There are two ways around this:

  1. Pull the image kubernetes-dashboard-amd64:v1.10.1 on the node in advance, then re-tag it with docker tag.
  2. Change the image in the yaml file directly to a reachable repository:
[root@master manifests]# vim kubernetes-dashboard.yaml
......
        #image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
        image: xiaobai20201/kubernetes-dashboard-amd64:v1.10.1 # my own Docker Hub repository
......

The Service in the yaml file does not specify a type; we need to set it to NodePort so that the Dashboard can be reached from outside the cluster.

......
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  type: NodePort
......

Apply it

[root@master manifests]# kubectl apply -f kubernetes-dashboard.yaml
secret/kubernetes-dashboard-certs created
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created

[root@master manifests]# kubectl get pods -n kube-system
NAME                                   READY   STATUS    RESTARTS   AGE
coredns-78d4cf999f-6cb69               1/1     Running   0          11d
coredns-78d4cf999f-tflpn               1/1     Running   0          11d
etcd-master                            1/1     Running   0          11d
kube-apiserver-master                  1/1     Running   0          11d
kube-controller-manager-master         1/1     Running   0          11d
kube-flannel-ds-amd64-gtv85            1/1     Running   0          11d
kube-flannel-ds-amd64-gwbql            1/1     Running   1          11d
kube-flannel-ds-amd64-ml7nf            1/1     Running   0          11d
kube-proxy-ch4vp                       1/1     Running   0          11d
kube-proxy-cz2rf                       1/1     Running   1          11d
kube-proxy-kdp7d                       1/1     Running   0          11d
kube-scheduler-master                  1/1     Running   0          11d
kubernetes-dashboard-6f9998798-klf4t   1/1     Running   0          2m46s

[root@master manifests]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP   11d
kubernetes-dashboard   NodePort    10.104.230.45   <none>        443:30650/TCP   43s

Open https://10.0.0.10:30650 in a browser. Note that the HTTPS certificate here is self-signed and not trusted: Chrome will refuse to open the page, so Firefox is recommended, and you have to add a certificate exception under the advanced options.

In k8s the Dashboard can be accessed in two ways: kubeconfig (HTTPS) and token (http):

Token authentication

  1. Create a certificate dedicated to the Dashboard
[root@master manifests]# cd /etc/kubernetes/pki/
[root@master pki]# (umask 077;openssl genrsa -out dashboard.key 2048)
Generating RSA private key, 2048 bit long modulus
...................................................................+++
.......+++
e is 65537 (0x10001)
  2. Certificate signing request
[root@master pki]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=white/CN=dasnboard" # if the Dashboard will later be reached by a domain name, /CN must match that name
  3. Sign the certificate
[root@master pki]# openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 3650
Signature ok
subject=/O=white/CN=dasnboard
Getting CA Private Key
  4. Define the token method, limited to the default namespace
[root@master pki]# kubectl create secret generic dashboard-cert -n kube-system --from-file=dashboard.crt=./dashboard.crt --from-file=dashboard.key=./dashboard.key
secret/dashboard-cert created

[root@master pki]# kubectl get secret -n kube-system |grep dashboard
dashboard-cert                                   Opaque                                2      25s
kubernetes-dashboard-certs                       Opaque                                0      101m
kubernetes-dashboard-key-holder                  Opaque                                2      100m
kubernetes-dashboard-token-4pln6                 kubernetes.io/service-account-token   3      101m

# Create the serviceaccount
[root@master pki]# kubectl create serviceaccount def-ns-admin -n default
serviceaccount/def-ns-admin created

# Bind the service account to the cluster role admin (a RoleBinding, so the grant is limited to the default namespace)
[root@master pki]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin
rolebinding.rbac.authorization.k8s.io/def-ns-admin created

[root@master pki]# kubectl get secret
NAME                       TYPE                                  DATA   AGE
admin-token-sswgb          kubernetes.io/service-account-token   3      4d1h
def-ns-admin-token-p5nxf   kubernetes.io/service-account-token   3      74s
default-token-dqd2f        kubernetes.io/service-account-token   3      11d
mysql-root-password        Opaque                                1      5d
tomcat-ingress-secret      kubernetes.io/tls                     2      6d5h
[root@master pki]# kubectl describe secret def-ns-admin-token-p5nxf
Name:         def-ns-admin-token-p5nxf
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: def-ns-admin
              kubernetes.io/service-account.uid: 45e2e667-59d0-11e9-80a7-000c295ec349

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw

Copy this token and paste it into the login form. Be aware that this token only grants access to the contents of the default namespace, as shown in the figure:
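Before a token is pasted into the Dashboard it is worth confirming which identity it actually carries, because the Dashboard session inherits exactly what that ServiceAccount's RoleBinding grants. The following shell functions are an added example, not part of the original post: they decode the readable claims of the legacy service-account JWT shown above (the token value is the one from the post; the function names and the `TOKEN` variable are chosen here). Nothing in this block verifies the signature; that is the API server's job when the Dashboard forwards the token.

```shell
#!/bin/sh
# Added example, not part of the original post: read the claims inside a
# service-account token before pasting it into the Dashboard login form.
# A legacy service-account JWT carries the namespace, the secret name and
# "sub" (system:serviceaccount:<namespace>:<name>) as readable claims, so
# decoding it confirms which identity, and therefore which RoleBinding, the
# token represents. Nothing here checks the signature; the API server does
# that when the Dashboard forwards the token.

# jwt_segment TOKEN N: decode segment N (1 = header, 2 = payload) of a JWT.
# Segments are base64url without padding, so restore the '+' '/' alphabet
# and the '=' padding before handing them to base64 -d.
jwt_segment() {
    seg=$(printf '%s' "$1" | cut -d. -f"$2" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# jwt_claim TOKEN NAME: print the string value of one claim from the payload.
jwt_claim() {
    jwt_segment "$1" 2 | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# The two claims that decide what the Dashboard session will be allowed to do.
token_subject()   { jwt_claim "$1" sub; }
token_namespace() { jwt_claim "$1" kubernetes.io/serviceaccount/namespace; }

# The def-ns-admin token shown in the post (secret def-ns-admin-token-p5nxf).
TOKEN='eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw'

echo "header:    $(jwt_segment "$TOKEN" 1)"
echo "subject:   $(token_subject "$TOKEN")"
echo "namespace: $(token_namespace "$TOKEN")"
```

For the post's token the subject is `system:serviceaccount:default:def-ns-admin` and the namespace claim is `default`, which matches the RoleBinding created above; a token whose `sub` names a different ServiceAccount, or one bound through a ClusterRoleBinding, would give the Dashboard session correspondingly different reach. The same decode works on any secret's `.data.token` after `base64 -d`.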

kubeconfig authentication

  1. Configure the cluster information for def-ns-admin
[root@master pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://10.0.0.10:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf
Cluster "kubernetes" set.
  2. Write the token into the credentials
[root@master pki]# kubectl config set-credentials -h   # credentials can be configured from a crt/key pair or from a token; a token is used here

[root@master pki]# kubectl describe secret def-ns-admin-token-p5nxf
Name:         def-ns-admin-token-p5nxf
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: def-ns-admin
              kubernetes.io/service-account.uid: 45e2e667-59d0-11e9-80a7-000c295ec349

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw

# The token is stored base64-encoded in the secret, so it has to be decoded
[root@master pki]# kubectl get secret def-ns-admin-token-p5nxf -o jsonpath={.data.token} |base64 -d
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw

# Configure the token
[root@master pki]# kubectl config set-credentials def-ns-admin --token=eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw --kubeconfig=/root/def-ns-admin.conf
User "def-ns-admin" set.
  3. Configure the context and the current context
[root@master ~]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf
Context "def-ns-admin@kubernetes" created.

[root@master ~]# kubectl config view --kubeconfig=/root/def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://10.0.0.10:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: def-ns-admin
  name: def-ns-admin@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: def-ns-admin
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw

Copy /root/def-ns-admin.conf to the host machine. In the browser choose the Kubeconfig login method, load this file and click Sign in to get access, as shown in the figure:

Summary

  1. When deploying the Dashboard, the Deployment image in the official yaml file has to be replaced with a source reachable from China (the xiaobai20201 personal repository).
  2. In the official yaml file, spec.type of the Service has to be changed to NodePort.
  3. The account used to log in must be a ServiceAccount; the Dashboard pod uses it to authenticate to Kubernetes. There are two authentication methods:
  • token:
    1. Create a ServiceAccount and, according to what it is meant to manage, bind it to a suitable Role or ClusterRole with a RoleBinding or ClusterRoleBinding;
    2. Get this ServiceAccount's secret and inspect the secret's details, which include the token;
    3. Copy the token into the login page.
  • kubeconfig: wrap the ServiceAccount's token in a kubeconfig file
    1. Create a ServiceAccount and, according to what it is meant to manage, bind it to a suitable Role or ClusterRole with a RoleBinding or ClusterRoleBinding;
    2. kubectl get secret | awk '/^ServiceAccount/{print $1}'
       KUBE_TOKEN=$(kubectl get secret SERVICEACCOUNT_SECRET_NAME -o jsonpath={.data.token} | base64 -d)
    3. Generate the kubeconfig file:
kubectl config set-cluster
kubectl config set-credentials NAME --token=$KUBE_TOKEN
kubectl config set-context
kubectl config use-context
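The kubeconfig procedure from the kubeconfig authentication section and from this summary, as an added shell example that is not the post's own code: it writes the same file that `kubectl config set-cluster`, `set-credentials`, `set-context` and `use-context` build, without needing a cluster, and checks it before it is handed to a Dashboard user. The function names, the CA file contents and the token string are constructed placeholders; the server URL, cluster name and user name are the post's.

```shell
#!/bin/sh
# Added example, not the post's own commands: assemble the kubeconfig that
# `kubectl config set-cluster`, `set-credentials`, `set-context` and
# `use-context` would build, then check it before giving it to a Dashboard
# user. The file carries a long-lived bearer token, so it is created under
# umask 077 (mode 0600), the same precaution the post used for dashboard.key.

# make_kubeconfig CA_FILE SERVER USER TOKEN OUT_FILE
# The CA is embedded base64-encoded (the --embed-certs=true form) so the
# file is self-contained.
make_kubeconfig() {
    ca_file=$1; server=$2; user=$3; token=$4; out=$5
    cluster=kubernetes
    context="$user@$cluster"
    ca_b64=$(base64 < "$ca_file" | tr -d '\n')   # no line wrapping, portably
    (
        umask 077
        cat > "$out" <<EOF
apiVersion: v1
kind: Config
preferences: {}
clusters:
- name: $cluster
  cluster:
    server: $server
    certificate-authority-data: $ca_b64
users:
- name: $user
  user:
    token: $token
contexts:
- name: $context
  context:
    cluster: $cluster
    user: $user
current-context: $context
EOF
    )
}

# kubeconfig_check FILE: the checks to run before distributing the file.
# The post's `kubectl config view` still showed current-context: "" because
# use-context had not been run yet; an empty context is caught here, as are
# a missing embedded CA and a file mode that lets other users read the token.
kubeconfig_check() {
    f=$1
    ctx=$(sed -n 's/^current-context: *//p' "$f")
    if [ -z "$ctx" ] || [ "$ctx" = '""' ]; then
        echo "$f: current-context is not set" >&2; return 1
    fi
    if ! grep -q '^ *certificate-authority-data: ..*' "$f"; then
        echo "$f: cluster CA is not embedded" >&2; return 1
    fi
    if [ "$(ls -l "$f" | cut -c1-10)" != "-rw-------" ]; then
        echo "$f: mode should be 0600, the file holds a bearer token" >&2; return 1
    fi
    return 0
}

# Offline demo with constructed inputs (not a real CA or token).
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB-constructed-ca-placeholder' \
    '-----END CERTIFICATE-----' > "$tmp/ca.crt"
make_kubeconfig "$tmp/ca.crt" https://10.0.0.10:6443 def-ns-admin \
    eyJ.constructed.token "$tmp/def-ns-admin.conf"
kubeconfig_check "$tmp/def-ns-admin.conf" && echo "kubeconfig ok: $tmp/def-ns-admin.conf"
```

In real use the token argument is the decoded value of the ServiceAccount secret's `.data.token` and the CA file is /etc/kubernetes/pki/ca.crt, as in the post. Because a ServiceAccount token in a kubeconfig does not expire on its own, the file deserves the same handling as a private key: owner-only permissions, transfer over an authenticated channel, and deletion of the ServiceAccount (or its secret) to revoke access.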
