PancrasL's Blog

Login configuration for the Kubernetes dashboard

2020-09-22


1. kubernetes dashboard

The Kubernetes dashboard offers two ways to log in:

  • kubeconfig
  • token

Both login methods are described below.

[Figure 1-1: kubernetes-dashboard-login]
Figure 1-1: the Kubernetes dashboard login screen

1.1 Token login

Token login means signing in with the token of a serviceAccount. In Kubernetes every serviceAccount (sa for short) has a corresponding token, and that value can be used to log in. Note that logging in with this token only grants view permission; you cannot delete or create pods from the dashboard.

```shell
###############################################
# List sa accounts
###############################################
$ kubectl get sa
NAME      SECRETS   AGE
default   1         38d

###############################################
# Show detailed information about an sa account
###############################################
$ kubectl describe sa default
Name:                default
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   default-token-j27f2
Tokens:              default-token-j27f2
Events:              <none>

###############################################
# Extract the sa account's token
###############################################
$ kubectl describe secret default-token-j27f2 | awk '$1=="token:"{print $2}'
eyJhbGciOiJSUzI1NiIsImtpZCI6ImVUYzFjVUhDeUJqeXNzcnpJUEpfaGpWVnhyOS1TVXV2REZEYjBTazA3NzAifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tajI3ZjIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImFjOWE3NjY1LTk3ZmEtNDk1MC05NjBlLTIxNThkNWFiOWMwYSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.IJYDGgXRrH--GRiiz2P18RyozsjvIsLIwxVO7azfCUPkjeyjSIwbUrlH75Uxo3LXrQvvSKMKnJOyPovQ7K_zV3Ot0ufjjsoM3IZe3LZllr09JR70AvJkdckXjRnK7QeKoZRJNVKQt45emRCd9PKCbc8m8u3pianRwJWlPBXCTa-uyxWbsgoKXJXBD2HvgkphPDTLKjYQKPvvh6nSs2vfvX2MPaG98njY6F27W-1YFchgo_df3rFS-SoMlXVlizJsjOV-vr1Kye6EFGBI33fHXFCkCxaHE2cpmFtD_bbHZEHK8BdPXT5a5ER19ODlbtPZ8r3ngk8eWqpaSebHv2wWIg
```

1.2 kubeconfig login

The kubeconfig file is the credential file kubectl uses to authenticate; it normally lives at ~/.kube/config. If it does not exist, generate it with the kubectl config command (not covered in detail here).

  • Get the contents of the kubeconfig file

    ```shell
    $ kubectl config view
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://192.168.0.3:6443
      name: cluster.local
    contexts:
    - context:
        cluster: cluster.local
        user: kubernetes-admin
      name: kubernetes-admin@cluster.local
    current-context: kubernetes-admin@cluster.local
    kind: Config
    preferences: {}
    users:
    - name: kubernetes-admin
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    ```
  • Get the sa account's token

    ```shell
    ###############################################
    # List sa accounts
    ###############################################
    $ kubectl get sa
    NAME      SECRETS   AGE
    default   1         38d

    ###############################################
    # Read the token from the default account's secret
    # (the secret is named default-token-j27f2, see `kubectl describe sa default`)
    ###############################################
    $ kubectl describe secret default-token-j27f2 | awk '$1=="token:"{print $2}'
    eyJhbGciOiJSUzI1NiIsImtpZCI6ImVUYzFjVUhDeUJqeXNzcnpJUEpfaGpWVnhyOS1TVXV2REZEYjBTazA3NzAifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tajI3ZjIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImFjOWE3NjY1LTk3ZmEtNDk1MC05NjBlLTIxNThkNWFiOWMwYSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.IJYDGgXRrH--GRiiz2P18RyozsjvIsLIwxVO7azfCUPkjeyjSIwbUrlH75Uxo3LXrQvvSKMKnJOyPovQ7K_zV3Ot0ufjjsoM3IZe3LZllr09JR70AvJkdckXjRnK7QeKoZRJNVKQt45emRCd9PKCbc8m8u3pianRwJWlPBXCTa-uyxWbsgoKXJXBD2HvgkphPDTLKjYQKPvvh6nSs2vfvX2MPaG98njY6F27W-1YFchgo_df3rFS-SoMlXVlizJsjOV-vr1Kye6EFGBI33fHXFCkCxaHE2cpmFtD_bbHZEHK8BdPXT5a5ER19ODlbtPZ8r3ngk8eWqpaSebHv2wWIg
    ```
  • Add the token to the kubeconfig file (under the `user:` entry)

    ```yaml
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://192.168.0.3:6443
      name: cluster.local
    contexts:
    - context:
        cluster: cluster.local
        user: kubernetes-admin
      name: kubernetes-admin@cluster.local
    current-context: kubernetes-admin@cluster.local
    kind: Config
    preferences: {}
    users:
    - name: kubernetes-admin
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
        token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImVUYzFjVUhDeUJqeXNzcnpJUEpfaGpWVnhyOS1TVXV2REZEYjBTazA3NzAifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZWZhdWx0LXRva2VuLTJnNTZ6Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImRlZmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI3M2M1NjI1Yi1mYWJkLTQzZTUtYjY5Ny0yMWY4MDQ2MDg2YTUiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06ZGVmYXVsdCJ9.Oh9HH5n2QswxakCiBalXyg71P2VMv_CG5NMjmFyK6Fj_gVnUxsIRGNV3z08QMMVE-d3ZyWP-N8xL-MX2aFyoxV4XwjcJh0c8WYMdVdTQzDBJoAf7x9xbI2faduMIrb1c2WgbF74PMRS8yufR3WlSERySDgWWJnhyLvdiNN0HNoS2J2o72AounyXOD5O0GLiKSZujAUV7HH_6pLZ_W6bGlJjMzma68OLlN5sWoikAhHP1MdbwBVpPbMhnl5cbP4rg5Hs_cMr6Wlhw9j2Mi7CGnYI3JVop23ESwoAJmqNX-5ANQ6015KVBmP7_l9_qIikVSCtP9cTErK9gqXQD90YQ3g
    ```
  • Role binding (without this step the dashboard reports insufficient permissions after login): bind the sa to a role

    ```shell
    $ kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=default:default
    ```
  • Log in with the kubeconfig file
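Before creating the role binding, it pays to check which service account a token actually identifies, because the binding must name the same `<namespace>:<name>` that the token carries in its `sub` claim (the token pasted into the kubeconfig above decodes to `system:serviceaccount:kube-system:default`, which a `default:default` binding would not cover). The following Python is an added example, not code from the post: it decodes the JWT payload without verifying the signature, and uses a constructed, unsigned sample token rather than a real one.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Return a JWT's claims without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def service_account_of(token: str) -> tuple:
    """Return (namespace, name) of the service account named in 'sub'."""
    claims = decode_jwt_payload(token)
    if claims.get("iss") != "kubernetes/serviceaccount":
        raise ValueError("unexpected issuer: %r" % claims.get("iss"))
    prefix = "system:serviceaccount:"
    sub = claims.get("sub", "")
    if not sub.startswith(prefix):
        raise ValueError("not a service account token: %r" % sub)
    namespace, name = sub[len(prefix):].split(":", 1)
    return namespace, name


def binding_matches(token: str, subject: str) -> bool:
    """True if the token identifies the SA given as --serviceaccount=<ns>:<name>."""
    return ":".join(service_account_of(token)) == subject


def make_sample_token(namespace: str, name: str) -> str:
    """Constructed, unsigned demo token (real ones carry an RS256 signature)."""
    def b64url(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    header = {"alg": "RS256", "kid": "constructed-demo-key"}
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": name,
        "sub": "system:serviceaccount:%s:%s" % (namespace, name),
    }
    return "%s.%s.constructed-signature" % (b64url(header), b64url(claims))


if __name__ == "__main__":
    tok = make_sample_token("kube-system", "default")
    print(service_account_of(tok))                  # ('kube-system', 'default')
    print(binding_matches(tok, "default:default"))  # False: bound SA != token's SA
```

The same check applies to the token used for direct token login in section 1.1: the API server only honours the permissions bound to the service account the token names.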

Appendix

Finally, here is the deployment manifest for the Kubernetes dashboard (based on kubernetesui/dashboard:v2.0.0-beta8).

```yaml
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Configuration to deploy release version of the Dashboard UI compatible with
# Kubernetes 1.8.
#
# Example usage: kubectl create -f <this_file>

---
# ------------------- Dashboard Secrets ------------------- #

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kube-system
type: Opaque
data:
  csrf: ""

---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kube-system
type: Opaque

---
# ------------------- Dashboard ConfigMap ------------------- #
kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kube-system

---
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Gross Hack For anonymous auth through api proxy ------------------- #
# Allows users to reach login page and other proxied dashboard URLs
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-anonymous
rules:
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["https:kubernetes-dashboard:"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-anonymous
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard-anonymous
subjects:
- kind: User
  name: system:anonymous

---
# ------------------- Dashboard Deployment ------------------- #

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      priorityClassName: system-cluster-critical
      containers:
      - name: kubernetes-dashboard
        image: kubernetesui/dashboard:v2.0.0-beta8
        imagePullPolicy: IfNotPresent
        resources:
          limits:
            cpu: 100m
            memory: 256M
          requests:
            cpu: 50m
            memory: 64M
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
        - --auto-generate-certificates
        - --authentication-mode=token
        # Uncomment the following line to manually specify Kubernetes API server Host
        # If not specified, Dashboard will attempt to auto discover the API server and connect
        # to it. Uncomment only if the default does not work.
        # - --apiserver-host=http://my-address:port
        - --token-ttl=900
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
        # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule

---
# ------------------- Dashboard Service ------------------- #

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
  - port: 443
    targetPort: 8443
    nodePort: 30012 # port exposed on the node
  selector:
    k8s-app: kubernetes-dashboard
```