Kubernetes Dashboard 部署
部署 Dashboard
因国内无法访问国外镜像源,可修改 yaml 文件中的镜像地址:
k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
-> gcmirrors/kubernetes-dashboard-amd64:v1.10.1
wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
外部访问
LoadBalancer 方式
参考:MetalLB 负载均衡器使用介绍,修改 Service 为 type: LoadBalancer。
kubectl -n kubernetes-dashboard patch svc/kubernetes-dashboard -p '{"spec":{"type": "LoadBalancer"}}'
NodePort 方式
# By default the Dashboard is only reachable from inside the cluster; change the
# Service to type NodePort to expose it externally (edit kubernetes-dashboard.yaml).
# NOTE(review): a NodePort Service is reachable on every node's IP at nodePort 30001,
# and the login token is submitted through this endpoint -- restrict who can reach
# it (firewall / NetworkPolicy / ingress) rather than leaving it open to all sources.
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443  # port the Dashboard pod listens on (presumably TLS, matching port 443 here -- confirm)
      nodePort: 30001   # fixed node port; must lie within the cluster's allowed NodePort range
  selector:
    k8s-app: kubernetes-dashboard
kubectl apply -f kubernetes-dashboard.yaml
kubectl patch -n kubernetes-dashboard svc kubernetes-dashboard -p '{"spec":{"type": "NodePort"}}'
# 获取对应的端口
kubectl -n kubernetes-dashboard get svc
认证
支持两种认证方式:
Token:每个 Service Account 都有一个合法的 Bearer Token,可用于登录 Dashboard,创建过程:
- 创建 ServiceAccount,根据管理目标,使用 rolebinding 或 clusterrolebinding 绑定合适的 role 或 clusterrole
- 获取此 ServiceAccount 的 secret,其中 secret 中的 token 即为认证所用的 token
kubeconfig:基于 kubectl 使用的 kubeconfig 文件,以配置对集群的访问权限。原理:将 ServiceAccount 的 token 封装为 kubeconfig 文件
- 创建 ServiceAccount,根据管理目标,使用 rolebinding 或 clusterrolebinding 绑定合适的 role 或 clusterrole
- kubectl get secret | awk '/^ServiceAccount/{print $1}'
- DEFAULT_NS_ADMIN_TOKEN=$(kubectl get secrets SERVICEACCOUNT_SECRET_NAME -o jsonpath={.data.token} | base64 -d)
- 生成 kubeconfig 文件
- kubectl config set-cluster
- kubectl config set-credentials NAME --token=$DEFAULT_NS_ADMIN_TOKEN
- kubectl config set-context
- kubectl config use-context
认证时的账号必须为 ServiceAccount:被 dashboard pod 拿来向 Kubernetes 进行认证。
Token 认证
所有命名空间管理员
cat << EOF > kubernetes-dashboard-admin.yml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-admin
  namespace: kubernetes-dashboard
---
# Binds the ServiceAccount above to the built-in cluster-admin ClusterRole:
# whoever holds this account's token has unrestricted access to the whole cluster.
# Use it only where full cluster administration is actually required; for a
# single namespace a RoleBinding to the "admin" ClusterRole is the least-privilege choice.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: dashboard-admin
    namespace: kubernetes-dashboard
EOF
$ kubectl create serviceaccount dashboard-admin -n kubernetes-dashboard
serviceaccount/dashboard-admin created
$ kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin created
kubectl describe secrets -n kubernetes-dashboard $(kubectl -n kubernetes-dashboard get secret | awk '/dashboard-admin-token/{print $1}')
使用输出的 token(JWT 格式)登录 Dashboard
指定命名空间管理员
以 default 命名空间为例
$ kubectl create serviceaccount default-ns-admin -n default
serviceaccount/default-ns-admin created
# rolebinding clusterrole
$ kubectl create rolebinding default-ns-admin --clusterrole=admin --serviceaccount=default:default-ns-admin
rolebinding.rbac.authorization.k8s.io/default-ns-admin created
$ kubectl describe secrets default-ns-admin-token-46rgc
使用对应的 token 登录 dashboard 只能进入 default 命名空间
kubeconfig 认证
# 配置 cluster
$ kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server="https://172.20.0.81:6443" --embed-certs=true --kubeconfig=/root/default-ns-admin.conf
Cluster "kubernetes" set.
$ kubectl config view --kubeconfig=/root/default-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://172.20.0.81:6443
name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
# 配置 credentials
$ DEFAULT_NS_ADMIN_TOKEN=$(kubectl get secrets default-ns-admin-token-46rgc -o jsonpath={.data.token} | base64 -d)
$ kubectl config set-credentials default-ns-admin --token=$DEFAULT_NS_ADMIN_TOKEN --kubeconfig=/root/default-ns-admin.conf
User "default-ns-admin" set.
$ kubectl config view --kubeconfig=/root/default-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://172.20.0.81:6443
name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: default-ns-admin
user:
token: REDACTED
# 配置 context,其中 --user=default-ns-admin 为 service account
$ kubectl config set-context default-ns-admin@kubenetes --cluster=kubernetes --user=default-ns-admin --kubeconfig=/root/default-ns-admin.conf
Context "default-ns-admin@kubenetes" created.
# 使用 context
$ kubectl config use-context default-ns-admin@kubenetes --kubeconfig=/root/default-ns-admin.conf
Switched to context "default-ns-admin@kubenetes".
在 dashboard 中使用 default-ns-admin.conf 登录,由于是通过 rolebinding 绑定的 clusterrole admin,因此只有 default 命名空间的权限。
扩展