Kubernetes dashboard认证访问
一、Dashboard部署
部署的过程
[root@k8s-master ~]# kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml secret/kubernetes-dashboard-certs created serviceaccount/kubernetes-dashboard created role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created deployment.apps/kubernetes-dashboard created service/kubernetes-dashboard created [root@csserver12 ~]# kubectl get po -n kube-system|grep kubernetes-dashboard
NAME READY STATUS RESTARTS AGE kubernetes-dashboard-d894c6994-l68db 1/1 Running 0 21d
[root@csserver12 ~]# kubectl get svc -n kube-system|grep kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes-dashboard NodePort 10.101.0.99 <none> 443/TCP 21d
[root@k8s-master ~]# kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system #以打补丁方式修改dasboard的访问方式或者设置ingress访问 service/kubernetes-dashboard patched [root@k8s-master ~]# kubectl get svc -n kube-system NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes-dashboard NodePort 10.105.204.4 <none> 443:30015/TCP 31m
浏览器访问:https://172.18.128.119:30015,如图:这里需要注意的是谷歌浏览器会禁止不安全证书访问,建议使用火狐浏览器,并且需要在高级选项中添加信
在k8s中 dashboard可以有两种访问方式:kubeconfig(HTTPS)和token(http)
1、token认证
(1)创建dashboard专用证书
[root@csserver12 ~]# cd /etc/kubernetes/pki/
[root@csserver12 pki]# (umask 077;openssl genrsa -out dashboard.key 2048) Generating RSA private key, 2048 bit long modulus .....................................................................................................+++ ..........................+++ e is 65537 (0x10001)
(2)证书签署请求
[root@csserver12 pki]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=wicrenet/CN=dashboard" [root@csserver12 pki]# openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 36500 Signature ok subject=/O=wicrenet/CN=dashboard Getting CA Private Key
(3)定义令牌方式仅能访问default名称空间
[root@csserver12 pki]# kubectl create secret generic dashboard-cert -n kube-system --from-file=./dashboard.crt --from-file=dashboard.key=./dashboard.key #secret创建 secret/dashboard-cert created [root@csserver12 pki]# kubectl get secret -n kube-system |grep dashboard dashboard-cert Opaque 2 1m kubernetes-dashboard-certs Opaque 0 3h kubernetes-dashboard-key-holder Opaque 2 3h kubernetes-dashboard-token-jpbgw kubernetes.io/service-account-token 3 3h [root@csserver12 pki]# kubectl create serviceaccount def-ns-admin -n default #创建serviceaccount serviceaccount/def-ns-admin created [root@csserver12 pki]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin #service account账户绑定到集群角色admin rolebinding.rbac.authorization.k8s.io/def-ns-admin created [root@csserver12 pki]# kubectl describe secret def-ns-admin-token-k9fz9 #查看def-ns-admin这个serviceaccount的token Name: def-ns-admin-token-k9fz9 Namespace: default Labels: <none> Annotations: kubernetes.io/service-account.name=def-ns-admin kubernetes.io/service-account.uid=56ed901c-d042-11e8-801a-000c2972dc1f Type: kubernetes.io/service-account-token Data ==== ca.crt: 1025 bytes namespace: 7 bytes token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1rOWZ6OSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI1NmVkOTAxYy1kMDQyLTExZTgtODAxYS0wMDBjMjk3MmRjMWYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.QfB5RR19nBv4-kFYyzW5-2n5Ksg-kON8lU18-COLBNfObQTDHs926m4k9f_5bto4YGncYi7sV_3oEec8ouW1FRjJWfY677L1IqIlwcuqc-g0DUo21zkjY_s3Lv3JSb_AfXUbZ7VTeWOhvwonqfK8uriGO1-XET-RBk1CE4Go1sL7X5qDgPjNO1g85D9IbIZG64VygplT6yZNc-b7tLNn_O49STthy6J0jdNk8lYxjy6UJohoTicy2XkZMHp8bNPBj9RqGqMSnnJxny5WO3vHxYAodKx7h6w-PtuON84lICnhiJ06RzsWjZfdeaQYg4gCZmd2J6Hdq0_K32n3l3kFLg
将该token复制后,填入验证,要知道的是,该token认证仅可以查看default名称空间的内容,如下图:
2、kubeconfig认证
(1)配置k8s-dashboard-admin的集群信息
[root@k8s-master pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://172.18.128.119:6443" --embed-certs=true --kubeconfig=/root/k8s-dashboard-admin.conf Cluster "kubernetes" set.
(2)使用token写入集群验证
[root@k8s-master ~]# kubectl config set-credentials -h #认证的方式可以通过crt和key文件,也可以使用token进行配置,这里使用tonken Usage: kubectl config set-credentials NAME [--client-certificate=path/to/certfile] [--client-key=path/to/keyfile] [--token=bearer_token] [--username=basic_user] [--password=basic_password] [--auth-provider=provider_name] [--auth-provider-arg=key=value] [options] [root@csserver12 pki]# kubectl describe secret dashboard-admin-token-bgjrh -n kube-system Name: dashboard-admin-token-bgjrh Namespace: kube-system Labels: <none> Annotations: kubernetes.io/service-account.name: dashboard-admin kubernetes.io/service-account.uid: a4eed7a5-c729-11e9-90fc-000c291e9d7e Type: kubernetes.io/service-account-token Data ==== ca.crt: 1025 bytes namespace: 11 bytes token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tYmdqcmgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYTRlZWQ3YTUtYzcyOS0xMWU5LTkwZmMtMDAwYzI5MWU5ZDdlIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.oH3kBBCrwh70HYKFZ-KA25fBrysyBnqNbxAuZsVJayjXaWyrEM9Ce_Ypsa8EnV38H8S2yxXNM10ratGKgLAt_G0NRAkTOnxakPy-CqrF_Z01ZcDmNG6wdifMS3q_5-ORqI9-0v3NZBBHckdm0x3MBx7BHPuoAZzyf4Gu--BtX4g3sgc-o7LW9uMEZlPO3WIt01w__85oPnkP10-com0MiJgy0qluKDsQKn2-EsylPLO9ymre6-eNeAJMc9x9FEGz8rVtUf_jK3A_eV2vkhwhqKPjRumubnNXp8sGXWz8BS6DNTX3FCeTlXbukU5Pd0nmv7SGc87K51bWjxXbaVbJZQ 这里的token是base64编码,此处需要进行解码操作 [root@csserver12 pki]# kubectl get secret dashboard-admin-token-bgjrh -o jsonpath={.data.token} -n kube-system|base64 -d eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tYmdqcmgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYTRlZWQ3YTUtYzcyOS0xMWU5LTkwZmMtMDAwYzI5MWU5ZDdlIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.oH3kBBCrwh70HYKFZ-KA25fBrysyBnqNbxAuZsVJayjXaWyrEM9Ce_Ypsa8EnV38H8S2yxXNM10ratGKgLAt_G0NRAkTOnxakPy-CqrF_Z01ZcDmNG6wdifMS3q_5-ORqI9-0v3NZBBHckdm0x3MBx7BHPuoAZzyf4Gu--BtX4g3sgc-o7LW9uMEZlPO3WIt01w__85oPnkP10-com0MiJgy0qluKDsQKn2-EsylPLO9ymre6-eNeAJMc9x9FEGz8rVtUf_jK3A_eV2vkhwhqKPjRumubnNXp8sGXWz8BS6DNTX3FCeTlXbukU5Pd0nmv7SGc87K51bWjxXbaVbJZQ 配置token信息 [root@csserver12 pki]# kubectl config set-credentials k8s-dashboard-admin --token=eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tYmdqcmgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYTRlZWQ3YTUtYzcyOS0xMWU5LTkwZmMtMDAwYzI5MWU5ZDdlIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.oH3kBBCrwh70HYKFZ-KA25fBrysyBnqNbxAuZsVJayjXaWyrEM9Ce_Ypsa8EnV38H8S2yxXNM10ratGKgLAt_G0NRAkTOnxakPy-CqrF_Z01ZcDmNG6wdifMS3q_5-ORqI9-0v3NZBBHckdm0x3MBx7BHPuoAZzyf4Gu--BtX4g3sgc-o7LW9uMEZlPO3WIt01w__85oPnkP10-com0MiJgy0qluKDsQKn2-EsylPLO9ymre6-eNeAJMc9x9FEGz8rVtUf_jK3A_eV2vkhwhqKPjRumubnNXp8sGXWz8BS6DNTX3FCeTlXbukU5Pd0nmv7SGc87K51bWjxXbaVbJZQ --kubeconfig=/root/k8s-dashboard-admin.conf User "k8s-dashboard-admin" set.
(3)配置上下文和当前上下文
[root@csserver12 pki]# kubectl config set-context k8s-dashboard-admin@kubernetes --cluster=kubernetes --user=k8s-dashboard-admin --kubeconfig=/root/k8s-dashboard-admin.conf Context "k8s-dashboard-admin@kubernetes" created. [root@csserver12 pki]# kubectl config use-context k8s-dashboard-admin@kubernetes --kubeconfig=/root/k8s-dashboard-admin.conf Switched to context "k8s-dashboard-admin@kubernetes". [root@csserver12 pki]# kubectl config view --kubeconfig=/root/k8s-dashboard-admin.conf apiVersion: v1 clusters: - cluster: certificate-authority-data: DATA+OMITTED server: https://172.18.128.119:6443 name: kubernetes contexts: - context: cluster: kubernetes user: k8s-dashboard-admin name: k8s-dashboard-admin@kubernetes current-context: k8s-dashboard-admin@kubernetes kind: Config preferences: {} users: - name: k8s-dashboard-admin user: token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tYmdqcmgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYTRlZWQ3YTUtYzcyOS0xMWU5LTkwZmMtMDAwYzI5MWU5ZDdlIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.oH3kBBCrwh70HYKFZ-KA25fBrysyBnqNbxAuZsVJayjXaWyrEM9Ce_Ypsa8EnV38H8S2yxXNM10ratGKgLAt_G0NRAkTOnxakPy-CqrF_Z01ZcDmNG6wdifMS3q_5-ORqI9-0v3NZBBHckdm0x3MBx7BHPuoAZzyf4Gu--BtX4g3sgc-o7LW9uMEZlPO3WIt01w__85oPnkP10-com0MiJgy0qluKDsQKn2-EsylPLO9ymre6-eNeAJMc9x9FEGz8rVtUf_jK3A_eV2vkhwhqKPjRumubnNXp8sGXWz8BS6DNTX3FCeTlXbukU5Pd0nmv7SGc87K51bWjxXbaVbJZQ
将/root/k8s-dashboard-admin.conf文件发送到宿主机,浏览器访问时选择Kubeconfig认证,载入该配置文件,点击登陆,即可实现访问,如图:
3、设置ingress访问
[root@csserver12 plugin]# cat kubernetes-dashboard-ingress.yaml kind: Ingress apiVersion: extensions/v1beta1 metadata: name: dashboard namespace: kube-system annotations: kubernetes.io/ingress.class: traefik spec: tls: - hosts: - dashboard-dev.wicrenet.com secretName: kube-system-ingress-secret rules: - host: dashboard-dev.wicrenet.com http: paths: - backend: serviceName: kubernetes-dashboard servicePort: 443 path: /
[root@csserver12 plugin]# kubectl apply -f kubernetes-dashboard-ingress.yaml
二、总结
1、部署dashboard:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
2、将Service改为Node Port方式或者Ingress方式进行访问:
kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
3、访问认证:
认证时的账号必须为ServiceAccount:其作用是被dashboard pod拿来由kubenetes进行认证;认证方式有2种:
token:
- (1)创建ServiceAccount,根据其管理目标,使用rolebinding或clusterbinding绑定至合理的role或clusterrole;
- (2)获取此ServiceAccount的secret,查看secret的详细信息,其中就有token;
- (3)复制token到认证页面即可登录。
kubeconfig:把ServiceAccount的token封装为kubeconfig文件
- (1)创建ServiceAccount,根据其管理目标,使用rolebinding或clusterbinding绑定至合理的role或clusterrole;
- (2)kubectl get secret |awk '/^ServiceAccount/{print $1}'
- KUBE_TOKEN=$(kubectl get secret SERVICEACCOUNT_SECRET_NAME -o jsonpath={.data.token} | base64 -d)
- (3)生成kubeconfig文件
kubectl config set-cluster kubectl config set-credentials NAME --token=$KUBE_TOKEN kubectl config set-context kubectl config use-context
三、附kubenetes-dashboard.yaml文件
[root@csserver12 plugin]# cat kubernetes-dashboard.yaml # Copyright 2017 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Configuration to deploy release version of the Dashboard UI compatible with # Kubernetes 1.8. # # Example usage: kubectl create -f <this_file> --- apiVersion: v1 kind: Secret metadata: labels: k8s-app: kubernetes-dashboard # Allows editing resource and makes sure it is created first. addonmanager.kubernetes.io/mode: EnsureExists name: kubernetes-dashboard-certs namespace: kube-system type: Opaque --- apiVersion: v1 kind: Secret metadata: labels: k8s-app: kubernetes-dashboard # Allows editing resource and makes sure it is created first. addonmanager.kubernetes.io/mode: EnsureExists name: kubernetes-dashboard-key-holder namespace: kube-system type: Opaque --- # ------------------- Dashboard Service Account ------------------- # apiVersion: v1 kind: ServiceAccount metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-admin namespace: kube-system --- # ------------------- Dashboard Role & Role Binding ------------------- # apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kubernetes-dashboard-admin namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: kubernetes-dashboard-admin namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-watcher rules: - apiGroups: - '*' resources: - '*' verbs: - 'get' - 'list' - nonResourceURLs: - '*' verbs: - 'get' - 'list' - apiGroups: [""] resources: ["secrets"] resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"] verbs: ["get", "update", "delete"] # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. - apiGroups: [""] resources: ["configmaps"] resourceNames: ["kubernetes-dashboard-settings"] verbs: ["get", "update"] # Allow Dashboard to get metrics from heapster. - apiGroups: [""] resources: ["services"] resourceNames: ["heapster"] verbs: ["proxy"] --- # ------------------- Dashboard Deployment ------------------- # apiVersion: apps/v1 kind: Deployment metadata: name: kubernetes-dashboard namespace: kube-system labels: k8s-app: kubernetes-dashboard kubernetes.io/cluster-service: "true" addonmanager.kubernetes.io/mode: Reconcile spec: selector: matchLabels: k8s-app: kubernetes-dashboard template: metadata: labels: k8s-app: kubernetes-dashboard annotations: scheduler.alpha.kubernetes.io/critical-pod: '' seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: priorityClassName: system-cluster-critical containers: - name: kubernetes-dashboard image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1 resources: limits: cpu: 100m memory: 300Mi requests: cpu: 50m memory: 100Mi ports: - containerPort: 8443 protocol: TCP args: - --auto-generate-certificates volumeMounts: - name: kubernetes-dashboard-certs mountPath: /certs - name: tmp-volume mountPath: /tmp livenessProbe: httpGet: scheme: HTTPS path: / port: 8443 initialDelaySeconds: 30 timeoutSeconds: 30 volumes: - name: kubernetes-dashboard-certs secret: secretName: kubernetes-dashboard-certs - name: tmp-volume emptyDir: {} serviceAccountName: kubernetes-dashboard-admin tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule --- # ------------------- Dashboard Service ------------------- # kind: Service apiVersion: v1 metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kube-system spec: ports: - port: 443 targetPort: 8443 selector: k8s-app: kubernetes-dashboard --- kind: Ingress apiVersion: extensions/v1beta1 metadata: name: dashboard namespace: kube-system annotations: kubernetes.io/ingress.class: traefik spec: tls: - hosts: - dashboard-dev.wicrenet.com secretName: kube-system-ingress-secret rules: - host: dashboard-dev.wicrenet.com http: paths: - backend: serviceName: kubernetes-dashboard servicePort: 443 path: /