1 环境介绍
软件 | 版本 | 备注 |
---|---|---|
Centos | 7.6 | 操作系统 |
Docker | 20.10.6 | 容器软件 |
kubernetes | 1.23.3 | 集群软件 |
flannel | 0.16.3 | 集群网络插件 |
dashboard | v2.5.1 | WEB-UI |
2 下载镜像和yaml文件
下载对应版本的dashboard,这里选择2.5.1最新版本,可以看到下图,完全支持kubernetes 1.23版本。
镜像可通过阿里云镜像仓库构建下载。注意：经第三方仓库中转或重新构建的镜像是一个供应链信任点，拉取后应核对镜像 digest 与官方 kubernetesui/dashboard:v2.5.1 一致，或在网络允许时直接使用官方镜像。
recommended.yaml 文件通过上图链接 https://raw.githubusercontent.com/kubernetes/dashboard/v2.5.1/aio/deploy/recommended.yaml 获取（链接已固定到 v2.5.1 标签，不要改成 master 等浮动分支；apply 之前建议先通读该文件，它会在集群中创建命名空间、ServiceAccount、RBAC、Service 和 Deployment 等资源）。
kubectl apply -f recommended.yaml   # 安装dashboard
3 HTTPS访问
dashboard 默认提供 https 访问接口，但需要修改 Service（例如改为 NodePort）映射到主机端口，才能从集群外访问。
修改recommended.yaml
文件,如下:
kind: Service   # （原文此处的 Service 清单被截断；可参考第 4 节的 Service 部分，只保留 443 → 8443、nodePort 30001 这一条 https 映射即可）
# 应用修改   # （清单同样被截断；与第 2 节相同，执行 kubectl apply -f recommended.yaml 使修改生效）
访问页面:
3.1 认证登录
dashboard
默认提供token
和kubeconfig
认证登录方式。
3.1.1 Token认证
创建serviceaccount账户
# Create the ServiceAccount "test-zhanghu" in the kubernetes-dashboard namespace.
# Any namespace would do; it is kept next to the dashboard only for tidy management.
# The account has no permissions at all until a RoleBinding/ClusterRoleBinding is added below.
kubectl -n kubernetes-dashboard create sa test-zhanghu
# 可通过 kubectl get serviceaccount -n kubernetes-dashboard 命令查看创建结果
把test-zhanghu用户做clusterrolebinding绑定
此处注意clusterrolebinding和rolebinding的区别,clusterrolebinding是集群权限,rolebinding是空间权限;
- 管理所有空间使用clusterrolebinding赋权
- 管理指定空间使用rolebinding赋权
# Grant cluster-wide admin rights (every namespace).
# WARNING: cluster-admin is unrestricted. Whoever holds this ServiceAccount's
# token controls the whole cluster, so treat the token like a root password and
# prefer a narrower ClusterRole (e.g. view, or a custom role) for day-to-day use.
kubectl create clusterrolebinding test-zhanghu-admin \
  --serviceaccount=kubernetes-dashboard:test-zhanghu \
  --clusterrole=cluster-admin
# Grant admin rights inside ONE namespace only: -n selects the namespace to manage
# (without -n the binding lands in the current context's namespace, normally "default").
kubectl create rolebinding test-zhanghu-role -n kubernetes-dashboard --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:test-zhanghu
参数说明：
- test-zhanghu-admin / test-zhanghu-role：创建的 clusterrolebinding 或 rolebinding 的名称
- cluster-admin：绑定的角色，cluster-admin 是集群管理员角色，权限不受任何限制；通过 rolebinding 绑定时只在该命名空间内生效，通过 clusterrolebinding 绑定则是整个集群的最高权限，生产环境建议改用 view 或自定义的最小权限角色
- kubernetes-dashboard:test-zhanghu：kubernetes-dashboard 是账户所在的命名空间，test-zhanghu 是上面创建的账户名
查看创建结果
# Inspect the bindings created above.
# ClusterRoleBindings are cluster-scoped, so there is no namespace flag: this lists all of them.
kubectl get clusterrolebinding
# or
# RoleBindings are namespaced: -n shows one namespace, -A shows every namespace.
kubectl -n kubernetes-dashboard get rolebinding
查看secret（本文环境为 1.23，创建 ServiceAccount 时会自动生成对应的 token Secret；1.24 及以后版本不再自动生成，需要改用 kubectl create token，或手动创建 kubernetes.io/service-account-token 类型的 Secret）
[root@master ~]# kubectl get secrets -n kubernetes-dashboard
NAME TYPE DATA AGE
default-token-8gkd4 kubernetes.io/service-account-token 3 57m
kubernetes-dashboard-certs Opaque 0 57m
kubernetes-dashboard-csrf Opaque 1 57m
kubernetes-dashboard-key-holder Opaque 2 57m
kubernetes-dashboard-token-ss67l kubernetes.io/service-account-token 3 57m
test-zhanghu-token-kbtpj kubernetes.io/service-account-token 3 22m
获取token
[root@master ~]# kubectl describe secrets -n kubernetes-dashboard test-zhanghu-token-kbtpj
Name: test-zhanghu-token-kbtpj
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: kubernetes.io/service-account.name: test-zhanghu
kubernetes.io/service-account.uid: e3eb1368-e074-4c52-81f2-64129b00c6a9
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1099 bytes
namespace: 20 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImRoMjcwRGlTcTdyZzhyR2FxOXFKSlhTbkIxdFlHZVEwdXJlam9ESG5zd00ifQ.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.CB6KbpgJU2PMtb4lGVZ8nVBPmOfebwhlgcn43jiSUV44kkm48qAVJaQELUg9_aVDcQSZCBuIDTzlWjwpqmsgAbCePr_sS0smd5BFxiHsKRnsRpXbKrU-pGNqaegsafIlipsUOSXj2st4n0WPODUAObMI4XdmEsKubpVBMWPSpIb6-UryJZzNFO84ZHQiO7ESa35cATm0uWRS4zT3PzkNrV8lczysSo82-98u-yhfRzVuL8Wau3oWVG1LQpjB-ww65x1jZ_ipPaMZqj2_LfNDKj5bvWoVX9hjeqBkmUrIyWB0rcwk7ERt1_mKoR_fHSB_80Akimc7tXXkerTXfSZO1g
复制 token 的值到登录页面，认证登录，如下图，可以管理所有空间。注意：这个 token 是长期有效的 cluster-admin 凭据，任何拿到它的人都能完全控制集群——不要把它贴到博客、截图或聊天记录里；若示例中的 token 对应真实集群，应立即作废（删除该 Secret 或对应的 ServiceAccount）。
3.1.2 kubeconfig认证
kubeconfig 认证的原理就是把认证用的 token 写入一个 kubeconfig 文件，方便登录。token 是什么权限，生成的 kubeconfig 就是什么权限；文件本身以明文保存 token，要按密码对待。
下面的kubeconfig文件生成步骤基于上面Token认证配置的账户进行转换。
获取test-zhanghu的token
# 设置 DEF_NS_ADMIN_TOKEN 变量，从 Secret 中取出 token。注意资源类型 secret 不能省略，否则 kubectl 会报 the server doesn't have a resource type "test-zhanghu-token-kbtpj"；jsonpath 表达式建议加引号
[root@master pki]# DEF_NS_ADMIN_TOKEN=$(kubectl get secret test-zhanghu-token-kbtpj -n kubernetes-dashboard -o jsonpath='{.data.token}' | base64 -d)
创建cluster
# 进入 /etc/kubernetes/pki 目录，下面步骤的相关路径基于此目录下的证书文件
[root@master pki]# cd /etc/kubernetes/pki
# 创建集群条目 kubernetes，CA 证书使用当前目录下的 ca.crt（--embed-certs=true 会把证书内容内嵌进 kubeconfig，便于复制到其他机器使用）
# --server 参数是集群的 apiserver 地址
# --kubeconfig 参数指定生成文件的路径
[root@master pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://192.168.0.71:6443" --embed-certs=true --kubeconfig=/root/test-zhanghu.conf
创建credentials
# test-zhanghu 是用户名，后面的步骤要保持一致
# 注意：token 通过 --token= 参数传入，会出现在 shell 历史和 ps 进程列表中；生成的 kubeconfig 文件也以明文保存该 token，应按密码对待（例如 chmod 600 /root/test-zhanghu.conf）
[root@master pki]# kubectl config set-credentials test-zhanghu --token="$DEF_NS_ADMIN_TOKEN" --kubeconfig=/root/test-zhanghu.conf
创建context
[root@master pki]# kubectl config set-context test-zhanghu@kubernetes --cluster=kubernetes --user=test-zhanghu --kubeconfig=/root/test-zhanghu.conf
把 current-context 切换为 test-zhanghu@kubernetes
[root@master pki]# kubectl config use-context test-zhanghu@kubernetes --kubeconfig=/root/test-zhanghu.conf
把刚才生成的 kubeconfig 文件 test-zhanghu.conf 复制到桌面；浏览器访问时选择 kubeconfig 认证，把 test-zhanghu.conf 导入到 Web 界面即可登录。注意：该文件内嵌了 cluster-admin 级别的 token，等同于集群的最高权限凭据，传输和保存时要按密码处理，不要通过聊天工具或邮件明文传递；不再使用时删除对应的 clusterrolebinding 或 ServiceAccount 即可使其失效。
4 HTTP免密登录
dashboard 的 http 登录默认不启用认证，即访问即可进入控制台页面（免密登录）。
警告：免密意味着任何能访问该端口的人都以 kubernetes-dashboard ServiceAccount 的身份操作集群，而本节又把该账户绑定为 cluster-admin，等于把集群最高权限暴露给所有能连到节点端口的网络。只应在隔离的测试环境使用，并用防火墙/安全组/NetworkPolicy 限制 30002 端口的来源；生产环境请保留 HTTPS 与 token/kubeconfig 认证。
修改 recommended.yaml 文件的 Deployment 部分，设置 kubernetes-dashboard 容器的端口和存活探针（livenessProbe）。
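# Dashboard Deployment, modified to serve plain HTTP on port 9090 (Section 4).
# WARNING: with --auto-generate-certificates removed the dashboard stops serving
# HTTPS on 8443 and, over HTTP, skips the login page: every request is handled
# with the kubernetes-dashboard ServiceAccount's own permissions. Anything that
# can reach the HTTP port gets those permissions without authenticating.
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.5.1
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
              # added: a name so the Service can refer to this port
              name: https
            # added: plain-HTTP listener on 9090
            - containerPort: 9090
              protocol: TCP
              name: http
          args:
            # --auto-generate-certificates is commented out on purpose: without
            # certificates the dashboard serves HTTP on 9090 and no longer
            # answers on 8443 (which is why nodePort 30001 stops working).
            # - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            # A YAML mapping may hold only ONE httpGet key. The original HTTPS
            # probe (scheme: HTTPS, path: /, port: 8443) is removed rather than
            # kept next to the HTTP one: 8443 is not served once certificates
            # are disabled, so that probe would keep failing and restart the pod.
            httpGet:
              scheme: HTTP
              port: 9090
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master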
          effect: NoSchedule
修改Service部分，配置http端口的NodePort，映射到主机30002端口。
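# Dashboard Service published as a NodePort on every node.
# WARNING: nodePort 30002 fronts the unauthenticated HTTP listener (Section 4);
# anyone who can reach any node on that port acts with the dashboard
# ServiceAccount's permissions. Restrict who can reach 30001/30002
# (firewall, security group, NetworkPolicy) before applying this.
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  # added: NodePort type so the ports are reachable on the hosts
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      # added: host port for HTTPS
      nodePort: 30001
      name: https
    # added: plain-HTTP port, targetPort points at the 9090 listener
    - port: 80
      targetPort: 9090
      nodePort: 30002
      name: http
  selector: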
    k8s-app: kubernetes-dashboard
修改ClusterRoleBinding部分，设置kubernetes-dashboard账户的权限
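# Binds the dashboard's own ServiceAccount to cluster-admin.
# WARNING: combined with the HTTP/no-login mode of Section 4 this makes every
# unauthenticated visitor of the HTTP port a cluster administrator. The stock
# manifest binds the much narrower kubernetes-dashboard ClusterRole; widen it
# only if the HTTP port is unreachable from untrusted networks, and prefer a
# role limited to what the UI actually needs (read-only is usually enough).
# NOTE: roleRef of an existing binding is immutable - delete and re-create the
# binding instead of running kubectl apply over it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # name: kubernetes-dashboard   # original, least-privilege role
  # changed to cluster-admin so the UI can list resources in every namespace
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard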
    namespace: kubernetes-dashboard
应用修改
# A binding's roleRef cannot be changed in place: kubectl apply on the edited
# ClusterRoleBinding is rejected, so the binding has to be deleted and re-created.
# Deleting the whole manifest also removes everything else it defines - if it
# contains the Namespace, the test-zhanghu ServiceAccount and its token from
# Section 3 disappear with it. The narrower alternative is to delete only the
# binding and then apply:
#   kubectl delete clusterrolebindings.rbac.authorization.k8s.io kubernetes-dashboard
kubectl delete --filename=recommended.yaml
# Apply the updated manifest
kubectl apply -f recommended.yaml
访问 30002 端口，可以免密登录。注意：此后任何能访问节点 30002 端口的人都以 cluster-admin 身份操作集群，请确保该端口只对可信网络开放。
信息
经验证 HTTP 和 HTTPS 无法共存：开启 HTTP（注释掉 --auto-generate-certificates）后，dashboard 不再在 8443 提供 HTTPS 服务，30001 端口也就无法访问了。
错误
访问 30002 端口时报错，提示 kubernetes-dashboard 账户没有权限，原因是漏改了 kubernetes-dashboard ServiceAccount 的权限（上文把它改绑为 cluster-admin 后恢复正常）。免密模式下 dashboard 以自己的 ServiceAccount 身份访问 apiserver，页面能看到和操作什么完全由这个账户的 RBAC 权限决定，更稳妥的做法是只授予 UI 需要的查看权限而不是 cluster-admin。报错内容：deployments.apps is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "deployments" in API group "apps" in the namespace "default"
5 用户密码登录
用户密码登录是 https 访问方式的一种认证类型。
基于网上教程，未成功。（可能原因：这类教程依赖 kube-apiserver 的 --basic-auth-file 静态密码认证，该参数已在 Kubernetes 1.19 移除，本文环境为 1.23.3，不再支持。）
主要现象如下:
配置用户密码文件及开启basic认证后,输入任何字符均可登录,登录后报错
配置如下命令后,权限正常了,但是注销登录重新认证登录,不管是账号密码文件内的还是其他任意字符,均无法登录。
[root@master manifests]# kubectl create clusterrolebinding test:anonymous --clusterrole=cluster-admin --user=system:anonymous
严重警告：上面这条命令把 cluster-admin 授予了 system:anonymous，即任何未经认证就能连到 apiserver（6443 端口）的请求都拥有集群最高权限，相当于取消了整个集群的认证，比免密 dashboard 更危险。绝对不要在生产环境这样做；测试完毕请立即删除：kubectl delete clusterrolebinding test:anonymous