Kubernetes ---- Dashboard installation and access (Token, Kubeconfig)
Dashboard
Official repository: https://github.com/kubernetes/dashboard
1. Install Dashboard
~] kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml
~] kubectl get pods -n kubernetes-dashboard
NAME READY STATUS RESTARTS AGE
dashboard-metrics-scraper-76679bc5b9-wvq6q 1/1 Running 0 164m
kubernetes-dashboard-65bb64d6cb-kjn9g 1/1 Running 2 164m
~] kubectl get svc -n kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dashboard-metrics-scraper ClusterIP 10.99.122.6 <none> 8000/TCP 165m
kubernetes-dashboard ClusterIP 10.98.32.114 <none> 443/TCP 165m
~] kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kubernetes-dashboard
~] kubectl get svc -n kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dashboard-metrics-scraper ClusterIP 10.99.122.6 <none> 8000/TCP 165m
kubernetes-dashboard NodePort 10.98.32.114 <none> 443:32435/TCP 165m
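2. Access Dashboard
The address of any server in the cluster + the port number: https://192.168.222.100:32435
2.1 Login methods
- Log in with Token authentication
- Log in with Kubeconfig authentication
2.1.1 Log in with Token authentication
- Create a ServiceAccount and, according to what it is meant to manage, use a rolebinding or clusterrolebinding to bind it to an appropriate role or clusterrole;
- Get this ServiceAccount's secret and view the secret's details; the token is in there;
- Generate the kubeconfig file;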
~] kubectl config set-cluster --kubeconfig=/PATH/TO/SOMEFILE
~] kubectl config set-credentials NAME --token=$KUBE_TOKEN --kubeconfig=/PATH/TO/SOMEFILE
~] kubectl config set-context
~] kubectl config use-context
~] kubectl create serviceaccount dashboard -n kubernetes-dashboard
~] kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin
~] kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin \
--serviceaccount=kubernetes-dashboard:dashboard
~] kubectl describe sa dashboard -n kubernetes-dashboard
Name: dashboard
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: dashboard-token-vtncb
Tokens: dashboard-token-vtncb
Events: <none>
~] kubectl describe secret dashboard-token-vtncb -n kubernetes-dashboard
# Copy the "token" value from the output into the UI to complete the login;
Because we bound the ServiceAccount we created to cluster-admin, this Pod (Dashboard) has every permission that the cluster-admin role has;
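To see which ServiceAccounts end up with that level of access, the role bindings can be reviewed offline. The following is an added example, not part of the original post: it walks a constructed sample shaped like `kubectl get clusterrolebindings,rolebindings -A -o json` and separates cluster-wide grants from namespace-scoped ones. The function names and the REVIEWED_ROLES set are assumptions made for the illustration.

```python
import json

# Constructed sample in the shape of
# `kubectl get clusterrolebindings,rolebindings -A -o json`: the two
# bindings created in this post plus the built-in cluster-admin binding.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRoleBinding",
  "metadata": {"name": "dashboard-cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "dashboard",
                "namespace": "kubernetes-dashboard"}]},
 {"kind": "RoleBinding",
  "metadata": {"name": "def-ns-admin", "namespace": "default"},
  "roleRef": {"kind": "ClusterRole", "name": "admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "def-ns-admin",
                "namespace": "default"}]},
 {"kind": "ClusterRoleBinding",
  "metadata": {"name": "cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]}
]}
""")

# Assumption: the ClusterRoles this review cares about.
REVIEWED_ROLES = {"cluster-admin", "admin"}

def service_account_grants(bindings):
    """List (serviceaccount, role, scope, binding) for reviewed roles."""
    findings = []
    for item in bindings.get("items", []):
        ref = item["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in REVIEWED_ROLES:
            continue
        # A ClusterRoleBinding grants the role in every namespace; a
        # RoleBinding confines the same ClusterRole to its own namespace.
        if item["kind"] == "ClusterRoleBinding":
            scope = "cluster-wide"
        else:
            scope = "namespace:" + item["metadata"]["namespace"]
        for subj in item.get("subjects") or []:
            if subj.get("kind") == "ServiceAccount":
                sa = subj.get("namespace", "") + ":" + subj["name"]
                findings.append((sa, ref["name"], scope, item["metadata"]["name"]))
    return findings

def cluster_wide_admins(bindings):
    """ServiceAccounts whose token is as powerful as cluster-admin."""
    return [f[0] for f in service_account_grants(bindings)
            if f[1] == "cluster-admin" and f[2] == "cluster-wide"]
```

On the sample, only kubernetes-dashboard:dashboard is reported as cluster-wide; def-ns-admin holds admin in the default namespace only.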
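2.2 Log in with KubeConfig authentication
- Create a ServiceAccount and, according to what it is meant to manage, use a rolebinding or clusterrolebinding to bind it to an appropriate role or clusterrole;
- Get the details of the secret,
~] kubectl create serviceaccount def-ns-admin -n default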
~] kubectl config set-cluster kubernetes --server="https://192.168.133.128:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --kubeconfig=./def-ns-admin.conf
~] kubectl config view --kubeconfig=./def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority: /etc/kubernetes/pki/ca.crt
server: https://192.168.133.128:6443
name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
~] kubectl config set-cluster kubernetes --server="https://192.168.133.128:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --kubeconfig=./def-ns-admin.conf
2.3 Authenticate to the API Server with the ServiceAccount's token;
~] kubectl get secret
NAME TYPE DATA AGE
def-ns-admin-token-qhkfj kubernetes.io/service-account-token 3 31m
~] DEF_NS_ADMIN_TOKEN=$(kubectl get secret def-ns-admin-token-qhkfj -o jsonpath={.data.token} | base64 -d)
~] kubectl config set-credentials def-ns-admin --token=$DEF_NS_ADMIN_TOKEN --kubeconfig=./def-ns-admin.conf
~] kubectl config view --kubeconfig=./def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority: /etc/kubernetes/pki/ca.crt
server: https://192.168.133.128:6443
name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users:
- name: def-ns-admin
user:
token: <ServiceAccount token omitted>
~] kubectl config view --kubeconfig=./def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority: /etc/kubernetes/pki/ca.crt
server: https://192.168.133.128:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: def-ns-admin
name: def-ns-admin@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: def-ns-admin
user:
token: <ServiceAccount token omitted>
~] kubectl config use-context def-ns-admin@kubernetes --kubeconfig=./def-ns-admin.conf
~] sz ./def-ns-admin.conf
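The token written into def-ns-admin.conf is a JWT, so anyone holding the file can read which ServiceAccount it represents. The following is an added example, not part of the original post: it decodes the claims of a constructed token in the legacy ServiceAccount claim layout and reports the owning account and whether an expiry is present. make_sample_token and inspect_sa_token are hypothetical names, and the signature is a dummy that is never verified here.

```python
import base64
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(namespace: str, name: str) -> str:
    """Constructed token using the legacy claim layout; dummy signature."""
    prefix = "kubernetes.io/serviceaccount/"
    payload = {
        "iss": "kubernetes/serviceaccount",
        prefix + "namespace": namespace,
        prefix + "service-account.name": name,
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }
    header = {"alg": "RS256", "kid": ""}
    parts = [_b64url_encode(json.dumps(p).encode()) for p in (header, payload)]
    return ".".join(parts + [_b64url_encode(b"constructed-signature")])


def inspect_sa_token(token: str) -> dict:
    """Decode (without verifying) the claims of a ServiceAccount token."""
    segments = token.strip().split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated parts")
    claims = json.loads(_b64url_decode(segments[1]))
    sub = claims.get("sub", "")
    fields = sub.split(":")
    if len(fields) != 4 or fields[:2] != ["system", "serviceaccount"]:
        raise ValueError("subject is not a ServiceAccount: %r" % sub)
    return {
        "namespace": fields[2],
        "service_account": fields[3],
        "issuer": claims.get("iss"),
        # No "exp" claim means the token stays valid until its Secret
        # or ServiceAccount is deleted.
        "expires_at": claims.get("exp"),
        "non_expiring": "exp" not in claims,
    }
```

A kubeconfig carrying such a token is a long-lived bearer credential, so restrict the file's permissions and delete the Secret when the access is no longer needed.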