1.4 K8s部署之 Dashboard
dashboard作为k8s的addons,自己本身没有认证与授权功能,它采用的是k8s的认证与授权。
参考资料:https://blog.csdn.net/zcc_heu/article/details/79096972
官网文档:https://github.com/kubernetes/dashboard
chrome不安全解决方法:http://blog.sina.com.cn/s/blog_53bf54e00101er7j.html
通过实现创建secret来自定义ssl证书,注意该secret为generic格式,然后挂载到pod
#1、生成私钥
[root@k8smaster pki]# (umask 077;openssl genrsa -out dashboard.key 2048)
Generating RSA private key, 2048 bit long modulus
..........................................................+++
................................+++
e is 65537 (0x10001)
#2、针对私钥生成证书签发请求
[root@k8smaster pki]# openssl req -new -key ./dashboard.key -out dashboard.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SD
Locality Name (eg, city) [Default City]:JN
Organization Name (eg, company) [Default Company Ltd]:LJZSDUT
Organizational Unit Name (eg, section) []:OPER
Common Name (eg, your name or your server's hostname) []:*.ljzsdut.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#或openssl req -new -key dashboard.key -out dashboard.csr -subj "/C=CN/ST=SD/L=JN/O=LJZSDUT/OU=OPER/CN=*.ljzsdut.com"
#3、使用k8s集群的CA对证书签发请求进行签名
[root@k8smaster pki]# openssl x509 -req -in dashboard.csr -out dashboard.crt -days 36500 -CA ./ca.crt -CAkey ca.key -CAcreateserial
Signature ok
subject=/C=CN/ST=SD/L=JN/O=LJZSDUT/OU=OPER/CN=*.ljzsdut.com
Getting CA Private Key
[root@k8smaster pki]# ls dashboard.*
dashboard.crt dashboard.csr dashboard.key
#4、创建一个generic类型的secret,其中的data字段为上面的证书和私钥
[root@k8smaster pki]# kubectl create secret generic kubernetes-dashboard-certs --from-file=./dashboard.crt --from-file=./dashboard.key -n kube-system
secret/kubernetes-dashboard-certs created
#5、下载yaml文件,并注释掉yaml中的name为"kubernetes-dashboard-certs"的secret
[root@k8smaster pki]# cd /root/manifests/dashboard/
[root@k8smaster dashboard]# curl -O https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
注释掉kubernetes-dashboard.yaml中的name为"kubernetes-dashboard-certs"的secret,这样就会使用上面我们自己定义的secret。
#6、创建dashboard
[root@k8smaster dashboard]# kubectl apply -f kubernetes-dashboard.yaml
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created
[root@k8smaster dashboard]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-78fcdf6894-9b8fn 1/1 Running 0 39d
coredns-78fcdf6894-xq69l 1/1 Running 0 39d
etcd-k8smaster 1/1 Running 0 39d
kube-apiserver-k8smaster 1/1 Running 0 5h
kube-controller-manager-k8smaster 1/1 Running 8 39d
kube-flannel-ds-amd64-7l22s 1/1 Running 0 39d
kube-flannel-ds-amd64-h2zzs 1/1 Running 0 39d
kube-flannel-ds-amd64-s6whg 1/1 Running 1 39d
kube-proxy-57znc 1/1 Running 0 39d
kube-proxy-pgrc2 1/1 Running 0 39d
kube-proxy-v6jrs 1/1 Running 2 39d
kube-scheduler-k8smaster 1/1 Running 8 39d
kubernetes-dashboard-767dc7d4d-8f6hk 1/1 Running 0 4m
#修改svc的类型为NodePort:
[root@k8smaster dashboard]# kubectl patch svc -n kube-system kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}'
此时我们可以通过https://NODEIP:svcPORT访问dashboard了
**登录dashboard的时候支持两种方式Kuberconfig和token。**dashboard认证apiserver,是通过sa认证的,而sa的本质就是一个token值。如果使用token认证,可以直接提取sa中的token值即可。如果使用kubeconfig认证,需要将sa中的token值作为kubeconfig中的user标识,即set-credentials创建的user是token类型的。可见登陆dashboard无论是使用token认证还是kubeconfig认证,其本质都是token认证。所以生成token,必不可少。那么怎么产生token呢?其实token会在创建sa时会自动创建,我们只需要创建一个sa即可。但是此sa没有任何权限,需要使用Rolebinding或clusterrolebinding进行授权。
- 使用token登录方式
#1、创建ServiceAccount,根据其管理目标,使用rolebinding或clusterrolebinding绑定至合理role或clusterrole;
[root@k8smaster ~]# kubectl create sa dashboard-cluster-admin -n kube-system
serviceaccount/dashboard-cluster-admin created
[root@k8smaster ~]# kubectl create clusterrolebinding dashboard-cluster-admin --serviceaccount=kube-system:dashboard-cluster-admin --clusterrole=cluster-admin -n kube-system
clusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin created
#问题:为什么将clusterrole绑定到serviceaccount而不是user?这是因为我们使用浏览器登录时,是dashboard这个Pod会使用serviceaccount代理浏览器去请求apiserver进行认证和权限验证,而不是浏览器(浏览器可以认为是UserAccount)自己去请求apiserver。
#2、获取到此ServiceAccount的secret,查看secret的详细信息,其中就有token;
[root@k8smaster ~]# kubectl describe sa dashboard-cluster-admin -n kube-system
Name: dashboard-cluster-admin
Namespace: kube-system
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: dashboard-cluster-admin-token-k522r
Tokens: dashboard-cluster-admin-token-k522r
Events: <none>
[root@k8smaster ~]# kubectl describe secret dashboard-cluster-admin-token-k522r -n kube-system
Name: dashboard-cluster-admin-token-k522r
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name=dashboard-cluster-admin
kubernetes.io/service-account.uid=250e9a31-b035-11e8-8c72-5254001d21da
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtY2x1c3Rlci1hZG1pbi10b2tlbi1rNTIyciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkYXNoYm9hcmQtY2x1c3Rlci1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjI1MGU5YTMxLWIwMzUtMTFlOC04YzcyLTUyNTQwMDFkMjFkYSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTpkYXNoYm9hcmQtY2x1c3Rlci1hZG1pbiJ9.EKEXC1FJFqfwrj2VQc2Q6aolHGlHldZAGzCDgmmR4rqWgfq3WdDY2mktFCPR9Xe_OydBrHDj90VD2BxQ9AuMzGwtnR93jeQyT079KKvM_g0fPxVVqXdf4BpO5KpK113EKu6sy0XhXK4IkE5Rc29RYGehI7rCIBf6AVuymOXRlnWqEL09XjupfdqZBCKtC0T0_ErLdCzDqTVl3mYgALdRHtshbpDQvKykw1nltkBeGsrbMAt3_iFyiKheacK6Qrp3HqWStgG-y-lKI-6mlGfDdZQl-zWJP67vxPy4kVZZ8QCOhSfytjjF7HaW69riDSoxwfshR-N98ethCQAwN3ucsw
#使用上面的token值输入到下面的令牌中,即可登录。
使用kubeconfig登录方式:
把ServiceAccount中的token提取出来封装为kubeconfig文件中的user中,所以前2步同token方式
#1、创建ServiceAccount,根据其管理目标,使用rolebinding或clusterrolebinding绑定至合理role或clusterrole;
[root@k8smaster ~]# kubectl create sa default-ns-admin -n kube-system
serviceaccount/default-ns-admin created
[root@k8smaster ~]# kubectl describe sa default-ns-admin -n kube-system
Name: default-ns-admin
Namespace: kube-system
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: default-ns-admin-token-xmntl
Tokens: default-ns-admin-token-xmntl
Events: <none>
[root@k8smaster ~]# kubectl create rolebinding default-ns-admin --serviceaccount=kube-system:default-ns-admin --clusterrole=admin -n kube-system
rolebinding.rbac.authorization.k8s.io/default-ns-admin created
#2、获取在sa中的token值:
#注意:describe secrest得到的token是明文;get secret -o yaml|json得到的token是base64格式的
SERVCIEACCOUNT_SERRET_NAME=$(kubectl describe sa default-ns-admin -n kube-system |grep Tokens|awk '{print $2}')
KUBE_TOKEN=$(kubectl describe secret ${SERVCIEACCOUNT_SERRET_NAME} -n kube-system|grep ^token:|awk '{print $2}')
#KUBE_TOKEN=$(kubectl get secrets -n ${SERVCIEACCOUNT_SERRET_NAME} -o jsonpath={.data.token}|base64 -d
#3、生成kubeconfig文件:将token值写入到配置文件中
[root@k8smaster ~]# kubectl config set-cluster mycluster --server="https://192.168.5.36:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --kubeconfig=/tmp/default-ns-admin.config
Cluster "mycluster" set.
[root@k8smaster ~]# kubectl config set-credentials default-ns-admin --token=$KUBE_TOKEN --kubeconfig=/tmp/default-ns-admin.config
User "default-ns-admin" set.
[root@k8smaster ~]# kubectl config set-context default-ns-admin@mycluster --cluster=mycluster --user=default-ns-admin --kubeconfig=/tmp/default-ns-admin.config
Context "default-ns-admin@mycluster" created.
[root@k8smaster ~]# kubectl config use-context default-ns-admin@mycluster --kubeconfig=/tmp/default-ns-admin.config
Switched to context "default-ns-admin@mycluster".
- 如何使用安装k8s中自动创建的kubeconfig文件,例如~/.kube/config
#1、创建ServiceAccount,根据其管理目标,使用rolebinding或clusterrolebinding绑定至合理role或clusterrole;
[root@k8smaster ~]# kubectl create sa default-ns-admin -n kube-system
serviceaccount/default-ns-admin created
[root@k8smaster ~]# kubectl describe sa default-ns-admin -n kube-system
Name: default-ns-admin
Namespace: kube-system
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: default-ns-admin-token-xmntl
Tokens: default-ns-admin-token-xmntl
Events: <none>
[root@k8smaster ~]# kubectl create rolebinding default-ns-admin --serviceaccount=kube-system:default-ns-admin --clusterrole=admin -n kube-system
rolebinding.rbac.authorization.k8s.io/default-ns-admin created
#2、获取在sa中的token值:
#注意:describe secrest得到的token是明文;get secret -o yaml得到的token是base64格式的
SERVCIEACCOUNT_SERRET_NAME=$(kubectl describe sa default-ns-admin -n kube-system |grep Tokens|awk '{print $2}')
KUBE_TOKEN=$(kubectl describe secret ${SERVCIEACCOUNT_SERRET_NAME} -n kube-system|grep ^token:|awk '{print $2}')
#3、修改kubeconfig文件:将token值写入到配置文件中
[root@physerver tmp]# cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS...省略若干...
server: https://192.168.5.200:8443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: admin
name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: admin
user:
client-certificate-data: LS0tLS1CRUdJTiBDR...省略若干...
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJV...省略若干...
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.ey...省略若干... #添加此行,此处值为${KUBE_TOKEN}的值