Kubernetes learning notes 14: Dashboard setup and authentication
I. Introduction
The Kubernetes Dashboard is a general-purpose web-based UI for a Kubernetes cluster. It lets users manage and troubleshoot the applications running in the cluster, and manage the cluster itself.
II. Building the dashboard
1. Write the yaml file
Adapted from the manifest on GitHub, with the image download address and some of the pod settings changed.
[root@master ~]# vim dashboard.yaml
# filename: dashboard.yaml
# revision: 1.0
# date: 2018/10/18
# author: along
# description: build kubernetes dashboard

# ------------------- Dashboard Secret ------------------- #
# Left empty on purpose: the dashboard serves a self-signed certificate
# because of --auto-generate-certificates below.
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque
---
# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
---
# ------------------- Dashboard Role & Role Binding ------------------- #
# This Role is what the dashboard process itself runs with. It is deliberately
# minimal: what a logged-in user can do is decided by the token that user presents.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
---
# ------------------- Dashboard Deployment ------------------- #
kind: Deployment
# The original used apps/v1beta2, which Kubernetes 1.16 removed; apps/v1 accepts this spec unchanged.
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        # Docker Hub mirror of the official k8s.gcr.io image. If you rely on a
        # third-party mirror, pin the image by digest (image@sha256:...) rather than by tag.
        image: mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.0
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server host.
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
---
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  # NodePort publishes the dashboard on port 30000 of every node's IP;
  # restrict who can reach that port (firewall or security group).
  type: NodePort
  ports:
  - port: 443
    targetPort: 8443
    nodePort: 30000
  selector:
    k8s-app: kubernetes-dashboard
2. Apply the yaml file to build the dashboard
[root@master ~]# kubectl apply -f dashboard.yaml
secret/kubernetes-dashboard-certs created
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created
3. Check and verify
(1) The pod has been created successfully
[root@master ~]# kubectl get pods -n kube-system |grep dashboard
kubernetes-dashboard-68bf55748d-4zzph   1/1   Running   0   2m
(2) The Service has also been created and exposes a NodePort, so the dashboard's login page is reachable now; logging in is not yet possible, though, because no credential has been set up for authentication.
[root@master ~]# kubectl get svc -n kube-system
NAME                   TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.97.55.246   <none>        443:30000/TCP   2m
III. Authenticating the dashboard to the Kubernetes cluster, option 1: token authentication
(1) There are two ways to authenticate:
token
kubeconfig
(2) Authentication is also where the dashboard user's permissions are decided: the dashboard itself runs with the minimal Role from the manifest above, and every request you make after logging in is authorized as the ServiceAccount whose token you present. To make the difference clear:
in option 1 (token authentication), the dashboard user is given admin permissions over all namespaces;
in option 2 (kubeconfig authentication), the dashboard user is given admin permissions over the default namespace only.
1. Authorization: admin permissions over all namespaces
(1) Create the ServiceAccount
[root@master ~]# kubectl create serviceaccount dashboard-serviceaccount -n kube-system
serviceaccount/dashboard-serviceaccount created
(2) Create the ClusterRoleBinding
Use a ClusterRoleBinding to bind the cluster-admin ClusterRole to the dashboard-serviceaccount ServiceAccount, so that dashboard-serviceaccount has Kubernetes admin permissions in every namespace. Be clear about what this means: cluster-admin is unrestricted (every verb on every resource, cluster-wide), and the ServiceAccount token you will paste into the browser is a long-lived bearer credential that stays valid until its Secret is deleted, so anyone who obtains it controls the whole cluster. That is acceptable for a lab walkthrough; on a real cluster bind a ClusterRole that grants only what the dashboard user needs, and remove the binding when it is no longer needed.
[root@master ~]# kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-serviceaccount
clusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin created
2. Get the token
(1) Look up the dashboard-serviceaccount token Secret
[root@master ~]# kubectl get secret -n kube-system |grep dashboard-serviceaccount-token
dashboard-serviceaccount-token-nz7xd kubernetes.io/service-account-token 3 4m
(2) View the token in the dashboard-serviceaccount Secret
[root@master ~]# kubectl describe secret dashboard-serviceaccount-token-nz7xd -n kube-system
Name:         dashboard-serviceaccount-token-nz7xd
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=dashboard-serviceaccount
              kubernetes.io/service-account.uid=2af6061f-d1f0-11e8-8059-005056277243

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyjhbgcioijsuzi1niisimtpzci6iij9.<payload not preserved in this copy>.bajvarqum57s_kepqogcs1iimnemdilhu4tiiwqkxaz0o5tkyxbz5yqn3zs5tjnqblvds6lurrxdvh-mekqnupg08ohydg1u9xe3oygr7yf5ad7ybw4czpppn6iijz5qqj8laofprb8qyvbr0r4monin08lhzrklbkrlwhavj_6zxxb9vajlu9astya4ymdazzi06zkyeeo8rhqr2-yeu4ya7milyvrv_ioqdlkqgef6iluripjejhohiebgdslrxtnxgwkt2uwsv3qrfkf2cissbsw7p-9muucrzsb2xqvop7wbauyroduuqqfmson2uc0643e_iew5dbaaagqxbw
3. Log in through the web page with the token
(1) Open https://192.168.130.103:30000 over HTTPS (the IP of any node works, because the Service is a NodePort). The dashboard was started with --auto-generate-certificates, so it presents a self-signed certificate and the browser will warn about it; accept the warning for this lab, or provide your own certificate through the kubernetes-dashboard-certs Secret that the manifest mounts at /certs.
Enter the token of dashboard-serviceaccount.
(2) Login succeeds, with admin permissions over all namespaces.
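Before pasting any token into a browser it is worth checking what it actually is. A ServiceAccount token like the one above is a JWT whose payload is only base64url-encoded, not encrypted, so the namespace and ServiceAccount it was minted for can be read straight out of it by anyone who holds it. The script below is an added example, not part of the original post: it decodes a token's claims and gates on the expected sub claim, using a constructed sample token whose claim set mirrors the real ones shown above (its signature segment is a placeholder; only the API server can verify a real signature). To fetch a real token without copying it out of describe, use kubectl -n kube-system get secret dashboard-serviceaccount-token-nz7xd -o jsonpath='{.data.token}' | base64 -d and pass the result to check_sa_token.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a service-account token
# before pasting it into the dashboard login page.
#
# A service-account token is a JWT: three base64url segments separated by
# dots. The payload is NOT encrypted, so anyone holding the token can read
# which namespace and ServiceAccount it belongs to, and can use it until the
# Secret is deleted. Only the API server can verify the signature, so this
# script checks claims, not authenticity.

b64url_encode() {
  # Standard base64 -> base64url: swap the alphabet, drop padding and newlines.
  printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'
}

b64url_decode() {
  # base64url -> standard base64 (restore alphabet and padding), then decode.
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

jwt_payload() {
  # Print the decoded payload (second segment) of a JWT as JSON.
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

jwt_claim() {
  # Print the value of string claim $2 from token $1. Enough for SA tokens,
  # whose claims are all flat strings; use jq for anything more complex.
  jwt_payload "$1" | sed -n "s#.*\"$2\":\"\([^\"]*\)\".*#\1#p"
}

check_sa_token() {
  # Succeed only if token $1 was minted for ServiceAccount $3 in namespace $2.
  [ "$(jwt_claim "$1" sub)" = "system:serviceaccount:$2:$3" ]
}

# Constructed sample token with the claim set Kubernetes puts in secret-based
# SA tokens (same layout as the real tokens in the post). The uid is made up
# and the signature segment is a placeholder that no cluster would accept.
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/secret.name":"def-ns-dashboard-sa-token-b8plm","kubernetes.io/serviceaccount/service-account.name":"def-ns-dashboard-sa","kubernetes.io/serviceaccount/service-account.uid":"00000000-0000-0000-0000-000000000000","sub":"system:serviceaccount:default:def-ns-dashboard-sa"}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","kid":""}').$(b64url_encode "$SAMPLE_PAYLOAD").placeholder-signature"

# Usage: ./check_token.sh --demo   (shows the claims, then gates on the subject)
if [ "${1:-}" = "--demo" ]; then
  jwt_payload "$SAMPLE_TOKEN"; echo
  if check_sa_token "$SAMPLE_TOKEN" default def-ns-dashboard-sa; then
    echo "OK: token belongs to default/def-ns-dashboard-sa"
  else
    echo "WRONG token, do not paste it into the dashboard" >&2; exit 1
  fi
fi
```

The check is deliberately strict about the subject rather than just the ServiceAccount name: the same name in a different namespace is a different identity with different RBAC, and pasting the wrong one is how a "default-only" dashboard session silently becomes cluster-admin.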
IV. Authenticating the dashboard to the Kubernetes cluster, option 2: kubeconfig authentication
1. Authorization: admin permissions over the default namespace only
(1) Create the ServiceAccount
[root@master ~]# kubectl create serviceaccount def-ns-dashboard-sa -n default
serviceaccount/def-ns-dashboard-sa created
(2) Create the RoleBinding
Use a RoleBinding (not a ClusterRoleBinding) to bind the cluster-admin ClusterRole to the def-ns-dashboard-sa ServiceAccount. A RoleBinding that references a ClusterRole grants that ClusterRole's rules only inside the binding's own namespace, so def-ns-dashboard-sa gets admin permissions in the default namespace and nothing anywhere else.
[root@master ~]# kubectl create rolebinding def-ns-dashboard-rb --clusterrole=cluster-admin --serviceaccount=default:def-ns-dashboard-sa
rolebinding.rbac.authorization.k8s.io/def-ns-dashboard-rb created
2. Get the token
(1) Look up the def-ns-dashboard-sa token Secret
[root@master ~]# kubectl get secret
NAME                              TYPE                                  DATA   AGE
def-ns-dashboard-sa-token-b8plm   kubernetes.io/service-account-token   3      1m
(2) View the token in the def-ns-dashboard-sa Secret
[root@master ~]# kubectl describe secret def-ns-dashboard-sa-token-b8plm
Name:         def-ns-dashboard-sa-token-b8plm
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=def-ns-dashboard-sa
              kubernetes.io/service-account.uid=8b040303-d287-11e8-be88-005056277243

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      eyjhbgcioijsuzi1niisimtpzci6iij9.eyjpc3mioijrdwjlcm5ldgvzl3nlcnzpy2vhy2nvdw50iiwia3vizxjuzxrlcy5pby9zzxj2awnlywnjb3vudc9uyw1lc3bhy2uioijkzwzhdwx0iiwia3vizxjuzxrlcy5pby9zzxj2awnlywnjb3vudc9zzwnyzxqubmftzsi6imrlzi1ucy1kyxnoym9hcmqtc2etdg9rzw4tyjhwbg0ilcjrdwjlcm5ldgvzlmlvl3nlcnzpy2vhy2nvdw50l3nlcnzpy2utywnjb3vudc5uyw1lijoizgvmlw5zlwrhc2hib2fyzc1zysisimt1ymvybmv0zxmuaw8vc2vydmljzwfjy291bnqvc2vydmljzs1hy2nvdw50lnvpzci6ijhimdqwmzazlwqyodctmtfloc1iztg4ltawnta1nji3nzi0myisinn1yii6inn5c3rlbtpzzxj2awnlywnjb3vuddpkzwzhdwx0omrlzi1ucy1kyxnoym9hcmqtc2eifq.vqagyqn8_f4mjawwtz5tzvfioka50u4mul_4ypbxwrr-xu8tcim8ex1ocgm9vajuw_m5qzangs7vw3rvypcqkmqayke8vn-l9wtc5cztnxphmghtx8sttkpwnqht7c7v8cvrnferawygwmp1b8chx5pak2l9t095uzy_w59qfqdoakeacxih5k6kz9sx8vwexvr9nrh8bfqvtr3yxcdyo2e2qsqxopnddlyreoyxriulamnyimgcbfknlv0qkt5sdfslsjdab2oplwd8pst88m73r6kg2c_ammyz7mtcuend1bwconlsto4v2xpxctha6elvb5afh9irpcj4e5vgpw
3. Define a kubeconfig authentication file
(1) In a new kubeconfig file, create a cluster named dashboard
[root@master ~]# kubectl config set-cluster dashboard --certificate-authority=/etc/kubernetes/pki/ca.crt --server="https://192.168.130.103:6443" --embed-certs=true --kubeconfig=/root/def-ns-dashboard.conf
Cluster "dashboard" set.
The file /root/def-ns-dashboard.conf has been generated. kubectl creates it with mode 0600 (readable by root only); keep it that way, because the next step writes the bearer token into it.
[root@master ~]# ll /root/def-ns-dashboard.conf
-rw------- 1 root root 1568 Oct 18 13:36 /root/def-ns-dashboard.conf
(2) Using the token of the def-ns-dashboard-sa ServiceAccount, create a user named def-ns-dashboard-user
[root@master ~]# kubectl config set-credentials def-ns-dashboard-user --kubeconfig=/root/def-ns-dashboard.conf --token=eyjhbgcioijsuzi1niisimtpzci6iij9.eyjpc3mioijrdwjlcm5ldgvzl3nlcnzpy2vhy2nvdw50iiwia3vizxjuzxrlcy5pby9zzxj2awnlywnjb3vudc9uyw1lc3bhy2uioijkzwzhdwx0iiwia3vizxjuzxrlcy5pby9zzxj2awnlywnjb3vudc9zzwnyzxqubmftzsi6imrlzi1ucy1kyxnoym9hcmqtc2etdg9rzw4tyjhwbg0ilcjrdwjlcm5ldgvzlmlvl3nlcnzpy2vhy2nvdw50l3nlcnzpy2utywnjb3vudc5uyw1lijoizgvmlw5zlwrhc2hib2fyzc1zysisimt1ymvybmv0zxmuaw8vc2vydmljzwfjy291bnqvc2vydmljzs1hy2nvdw50lnvpzci6ijhimdqwmzazlwqyodctmtfloc1iztg4ltawnta1nji3nzi0myisinn1yii6inn5c3rlbtpzzxj2awnlywnjb3vuddpkzwzhdwx0omrlzi1ucy1kyxnoym9hcmqtc2eifq.vqagyqn8_f4mjawwtz5tzvfioka50u4mul_4ypbxwrr-xu8tcim8ex1ocgm9vajuw_m5qzangs7vw3rvypcqkmqayke8vn-l9wtc5cztnxphmghtx8sttkpwnqht7c7v8cvrnferawygwmp1b8chx5pak2l9t095uzy_w59qfqdoakeacxih5k6kz9sx8vwexvr9nrh8bfqvtr3yxcdyo2e2qsqxopnddlyreoyxriulamnyimgcbfknlv0qkt5sdfslsjdab2oplwd8pst88m73r6kg2c_ammyz7mtcuend1bwconlsto4v2xpxctha6elvb5afh9irpcj4e5vgpw
User "def-ns-dashboard-user" set.
(3) In this kubeconfig file, create a context def-ns-dashboard-user@dashboard that ties the user to the cluster
[root@master ~]# kubectl config set-context def-ns-dashboard-user@dashboard --cluster=dashboard --user=def-ns-dashboard-user --kubeconfig=/root/def-ns-dashboard.conf
Context "def-ns-dashboard-user@dashboard" created.
(4) In this kubeconfig file, switch to the context def-ns-dashboard-user@dashboard
[root@master ~]# kubectl config use-context def-ns-dashboard-user@dashboard --kubeconfig=/root/def-ns-dashboard.conf
Switched to context "def-ns-dashboard-user@dashboard".
(5) Verify with view
[root@master ~]# kubectl config view --kubeconfig=/root/def-ns-dashboard.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.130.103:6443
  name: dashboard
contexts:
- context:
    cluster: dashboard
    user: def-ns-dashboard-user
  name: def-ns-dashboard-user@dashboard
current-context: def-ns-dashboard-user@dashboard
kind: Config
preferences: {}
users:
- name: def-ns-dashboard-user
  user:
    token: eyjhbgcioijsuzi1niisimtpzci6iij9.eyjpc3mioijrdwjlcm5ldgvzl3nlcnzpy2vhy2nvdw50iiwia3vizxjuzxrlcy5pby9zzxj2awnlywnjb3vudc9uyw1lc3bhy2uioijkzwzhdwx0iiwia3vizxjuzxrlcy5pby9zzxj2awnlywnjb3vudc9zzwnyzxqubmftzsi6imrlzi1ucy1kyxnoym9hcmqtc2etdg9rzw4tyjhwbg0ilcjrdwjlcm5ldgvzlmlvl3nlcnzpy2vhy2nvdw50l3nlcnzpy2utywnjb3vudc5uyw1lijoizgvmlw5zlwrhc2hib2fyzc1zysisimt1ymvybmv0zxmuaw8vc2vydmljzwfjy291bnqvc2vydmljzs1hy2nvdw50lnvpzci6ijhimdqwmzazlwqyodctmtfloc1iztg4ltawnta1nji3nzi0myisinn1yii6inn5c3rlbtpzzxj2awnlywnjb3vuddpkzwzhdwx0omrlzi1ucy1kyxnoym9hcmqtc2eifq.vqagyqn8_f4mjawwtz5tzvfioka50u4mul_4ypbxwrr-xu8tcim8ex1ocgm9vajuw_m5qzangs7vw3rvypcqkmqayke8vn-l9wtc5cztnxphmghtx8sttkpwnqht7c7v8cvrnferawygwmp1b8chx5pak2l9t095uzy_w59qfqdoakeacxih5k6kz9sx8vwexvr9nrh8bfqvtr3yxcdyo2e2qsqxopnddlyreoyxriulamnyimgcbfknlv0qkt5sdfslsjdab2oplwd8pst88m73r6kg2c_ammyz7mtcuend1bwconlsto4v2xpxctha6elvb5afh9irpcj4e5vgpw
Note that view redacts only the certificate data; the token is printed in full, because it is stored in the file in clear text.
4. Log in through the web page with the kubeconfig
(1) Copy /root/def-ns-dashboard.conf to the Windows machine and select it as the kubeconfig file on the login page; login succeeds. This file holds the ServiceAccount's bearer token in clear text, so it is the credential: transfer it over a protected channel, give it only to the person who should have it, and delete copies that are no longer needed.
(2) Login succeeds, but with admin permissions over the default namespace only.
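The four kubectl config commands above do nothing more than write a YAML file, and that file is the credential. The shell script below is an added example (not from the original post) that produces the same kind of kubeconfig without kubectl, embedding the CA as --embed-certs=true does and creating the file with mode 0600, then reads the token back out to show how little protects it. The CA certificate and the token in its demo function are constructed placeholders; the server address and the cluster, user and context names follow the post.

```shell
#!/bin/sh
# Added example (not from the original post): write a kubeconfig for a
# ServiceAccount token by hand. It is equivalent to the set-cluster,
# set-credentials, set-context and use-context commands above, and can run
# on any host that has the CA certificate and the token.

write_kubeconfig() {
  # $1 cluster name, $2 API server URL, $3 CA certificate (PEM file),
  # $4 user name, $5 bearer token, $6 output path
  cluster=$1 server=$2 ca_file=$3 user=$4 token=$5 out=$6
  ca_data=$(base64 < "$ca_file" | tr -d '\n')   # portable form of base64 -w0
  (
    umask 077   # the file holds a cleartext bearer token: create it rw-------
    cat > "$out" <<EOF
apiVersion: v1
kind: Config
preferences: {}
clusters:
- name: $cluster
  cluster:
    server: $server
    certificate-authority-data: $ca_data
users:
- name: $user
  user:
    token: $token
contexts:
- name: $user@$cluster
  context:
    cluster: $cluster
    user: $user
current-context: $user@$cluster
EOF
  )
}

kubeconfig_token() {
  # Read the bearer token back out of a kubeconfig. Anyone who can read the
  # file can do this, which is why the file mode matters.
  sed -n 's/^ *token: *//p' "$1"
}

kubeconfig_mode() {
  # Permission string of the file, e.g. "-rw-------".
  ls -l "$1" | cut -c1-10
}

demo_kubeconfig() {
  # Constructed inputs: a fake CA "certificate" and a placeholder token.
  dir=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB-constructed-placeholder' '-----END CERTIFICATE-----' > "$dir/ca.crt"
  write_kubeconfig dashboard https://192.168.130.103:6443 "$dir/ca.crt" \
    def-ns-dashboard-user "eyJ.placeholder.token" "$dir/def-ns-dashboard.conf"
  echo "$dir/def-ns-dashboard.conf"
}
```

Once a real kubeconfig exists, confirm its scope before handing it over: kubectl --kubeconfig=/root/def-ns-dashboard.conf auth can-i list pods -n default should answer yes, and the same query with -n kube-system should answer no. If the second one answers yes, the binding is wider than intended and the file should not leave the machine.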
With that, we have set up the dashboard and completed authentication against the k8s cluster.
Through the dashboard we can create and manage pods, services, storage volumes and so on; that is not demonstrated here.