Kubernetes ---- Dashboard安装、访问(Token、Kubeconfig)

Dashbord

官方地址: https://github.com/kubernetes/dashboard

1. 安装Dashboard

~] kubectl apply -f https:raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml
~] kubectl get pods -n kubernetes-dashboard
NAME                         READY STATUS RESTARTS AGE
dashboard-metrics-scraper-76679bc5b9-wvq6q   1/1   Running 0   164m
kubernetes-dashboard-65bb64d6cb-kjn9g      1/1   Running 2   164m
~] kubectl get svc -n kubernetes-dashboard
NAME               TYPE     CLUSTER-IP   EXTERNAL-IP   PORT(S) AGE
dashboard-metrics-scraper ClusterIP 10.99.122.6   <none>      8000/TCP 165m
kubernetes-dashboard    ClusterIP 10.98.32.114   <none>     443/TCP 165m
~] kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kubernetes-dashboard
~] kubectl get svc -n kubernetes-dashboard
NAME                 TYPE      CLUSTER-IP   EXTERNAL-IP PORT(S)     AGE
dashboard-metrics-scraper    ClusterIP   10.99.122.6   <none>    8000/TCP   165m
kubernetes-dashboard       NodePort    10.98.32.114   <none>    443:32435/TCP 165m

2.访问Dashboard

集群中任意一台服务器地址+端口号 https://192.168.222.100:32435
image

2.1 登录方式

  • Token认证方式登录
  • Kubeconfig认证方式登录

2.1.1 Token认证方式登录

  1. 创建ServiceAccount,根据其管理目标,使用rolebinding或clusterrolebinding绑定至合理role或clusterrole;
  2. 获取到此ServiceAccount的secret,查看secret的详细信息,其中就有token;
  3. 生成kubeconfig文件;
~] kubectl config set-cluster  --kubeconfig=/PATH/TO/SOMEFILE
~] kubectl config set-credentials NAME --token=$KUBE_TOKEN --kubeconfig=/PATH/TO/SOMEFILE
~] kubectl config set-context
~] kubectl config use-context
~] kubectl create serviceaccount dashboard -n kubernetes-dashboard
~] kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin
~] kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin \
--serviceaccount=kubernetes-dashboard:dashboard
~] kubectl describe sa dashboard -n kubernetes-dashboard
Name: dashboard
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: dashboard-token-vtncb
Tokens: dashboard-token-vtncb
Events: <none>
~] kubectl describe secret dashboard-token-vtncb -n kubernetes-dashboard
# 将查询结果中的"token值"复制到UI上,即可完成登录;

因为我们将创建的serviceaccount绑定在了cluster-admin上面,所有cluster-admin角色拥有的权限,在这里这个Pod(Dashboard)都有;
image
image

2.2 KubeConfig认证方式登录

  1. 创建ServiceAccount,根据其管理目标,使用rolebinding或clusterrolebinding绑定至合理role或clusterrole;
  2. 获取secret的详细信息,
~] kubectl craete serviceaccount def-ns-admin -n default
~] kubectl config set-cluster kubernetes --server="https://192.168.133.128:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --kubeconfig=./def-ns-admin.conf
~] kubectl config view --kubeconfig=./def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority: /etc/kubernetes/pki/ca.crt
server: https://192.168.133.128:6443
name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
~] kubectl config set-cluster kubernetes --server="https://192.168.133.128:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --kubeconfig=./def-ns-admin.conf

2.3 基于serviceaccount的Token与API Server进行认证;

~] kubectl get secret
NAME               TYPE                   DATA AGE
def-ns-admin-token-qhkfj kubernetes.io/service-account-token   3    31m

~] DEF_NS_ADMIN_TOKEN=$(kubectl get secret def-ns-admin-token-qhkfj -o jsonpath={.data.token} | base64 -d)

~] kubectl config set-credentials def-ns-admin --token=$DEF_NS_ADMIN_TOKEN --kubeconfig=./def-ns-admin.conf

~] kubectl config view --kubeconfig=./def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority: /etc/kubernetes/pki/ca.crt
server: https://192.168.133.128:6443
name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users:
- name: def-ns-admin
user:
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3Vud
C9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1xaGtmaiIsIm
t1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW5
0L3NlcnZpY2UtYWNjb3VudC51aWQiOiIyNmNlMWZhNC0yZWUwLTRlZTktYmMzZi1lZDg3MTViOTE4NTQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVm
YXVsdDpkZWYtbnMtYWRtaW4ifQ.l_BMlpcuoSmTHZktsCJHdieXinpNHgD8SBM765dF4e7dnftCKJkhteWlYudO2fbzrphhd2hHLXob6O6ttV_tTUMkbcfK7ZwtVZ
QUbAm0k00ir9hsifmhAELMNL12TCqa7bnMTkzMw0IKS6fICr_wSyVYFgBgrdX_mn-nk7GN-sDyf1BxXrYZ9iyf6rAJfdRWmv2_C5an0jJwUeQ8xHp-wMJCH_CqmU6
9i8VcUL8Sy6QngtQ5wuSg6OC2ybUsnQJalTDcoJw4MbctxM6eh-QT-Uwyk4-wjz2vVJtv0DvhvQQC-equ99N9g1Nd3Gg7FMOwBZdM6-DMyNoeCcRKwBaLfw

~] kubectl config view --kubeconfig=./def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority: /etc/kubernetes/pki/ca.crt
server: https://192.168.133.128:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: def-ns-admin
name: def-ns-admin@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: def-ns-admin
user:
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3Vud
C9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1xaGtmaiIsIm
t1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW5
0L3NlcnZpY2UtYWNjb3VudC51aWQiOiIyNmNlMWZhNC0yZWUwLTRlZTktYmMzZi1lZDg3MTViOTE4NTQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVm
YXVsdDpkZWYtbnMtYWRtaW4ifQ.l_BMlpcuoSmTHZktsCJHdieXinpNHgD8SBM765dF4e7dnftCKJkhteWlYudO2fbzrphhd2hHLXob6O6ttV_tTUMkbcfK7ZwtVZ
QUbAm0k00ir9hsifmhAELMNL12TCqa7bnMTkzMw0IKS6fICr_wSyVYFgBgrdX_mn-nk7GN-sDyf1BxXrYZ9iyf6rAJfdRWmv2_C5an0jJwUeQ8xHp-wMJCH_CqmU6
9i8VcUL8Sy6QngtQ5wuSg6OC2ybUsnQJalTDcoJw4MbctxM6eh-QT-Uwyk4-wjz2vVJtv0DvhvQQC-equ99N9g1Nd3Gg7FMOwBZdM6-DMyNoeCcRKwBaLfw

~] kubectl config use-context def-ns-admin@kubernetes --kubeconfig=./def-ns-admin.conf

~]  sz ./def-ns-admin.conf

image
image

posted @ 2020-06-28 14:54  k-free  阅读(2653)  评论(0编辑  收藏  举报