如图1-1所示,kubernetes dashboard提供了两种登录方式:
下面将对这两种登录方式进行介绍。
令牌登录就是使用serviceAccount账户的token值登录,在kubernetes中,每个serviceAccount(简称sa)账户都对应一个token值,我们就可以使用该值进行登录。需要注意的是,token登录所获得的权限就是该sa通过RBAC绑定到的权限:使用默认的default账户token登录只具有view权限,不能在dashboard中删除或创建pod(后文会用clusterrolebinding为该账户绑定更多权限)。
###############################################
# List the service accounts in the current namespace
###############################################
$ kubectl get sa
NAME SECRETS AGE
default 1 38d
###############################################
# Show the details of the default service account; the "Tokens:" line names the secret that holds its token
###############################################
$ kubectl describe sa default
Name: default
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: default-token-j27f2
Tokens: default-token-j27f2
Events: <none>
###############################################
# Print only the "token:" field of that secret.
# The printed value is a bearer credential for the service account:
# anyone holding it can act as that account, so keep it out of shared documents.
###############################################
$ kubectl describe secret default-token-j27f2 | awk '$1=="token:"{print $2}'
eyJhbGciOiJSUzI1NiIsImtpZCI6ImVUYzFjVUhDeUJqeXNzcnpJUEpfaGpWVnhyOS1TVXV2REZEYjBTazA3NzAifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tajI3ZjIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImFjOWE3NjY1LTk3ZmEtNDk1MC05NjBlLTIxNThkNWFiOWMwYSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.IJYDGgXRrH--GRiiz2P18RyozsjvIsLIwxVO7azfCUPkjeyjSIwbUrlH75Uxo3LXrQvvSKMKnJOyPovQ7K_zV3Ot0ufjjsoM3IZe3LZllr09JR70AvJkdckXjRnK7QeKoZRJNVKQt45emRCd9PKCbc8m8u3pianRwJWlPBXCTa-uyxWbsgoKXJXBD2HvgkphPDTLKjYQKPvvh6nSs2vfvX2MPaG98njY6F27W-1YFchgo_df3rFS-SoMlXVlizJsjOV-vr1Kye6EFGBI33fHXFCkCxaHE2cpmFtD_bbHZEHK8BdPXT5a5ER19ODlbtPZ8r3ngk8eWqpaSebHv2wWIg
kubeconfig文件就是kubectl访问集群时使用的认证文件,一般位于~/.kube/config。如果没有的话需要使用kubectl config命令生成,这里不再详细介绍。
获取kubeconfig文件内容
$ kubectl config view
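# Output of `kubectl config view` (credentials are redacted by kubectl).
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.0.3:6443
  name: cluster.local
contexts:
- context:
    cluster: cluster.local
    user: kubernetes-admin
  # Context name follows the "<user>@<cluster>" convention; the page text had
  # this value mangled by an e-mail obfuscator, it is reconstructed from the
  # user and cluster names above.
  name: kubernetes-admin@cluster.local
current-context: kubernetes-admin@cluster.local
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED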
获取sa账户token
###############################################
# List the service accounts in the current namespace
###############################################
$ kubectl get sa
NAME SECRETS AGE
default 1 38d
###############################################
# Print the token held by the default account's secret.
# "default" is used as a name prefix here: kubectl describe falls back to
# prefix matching when no secret is named exactly "default", so this reaches
# the default-token-* secret listed above.
# The printed value is a bearer credential for the account; treat it as a secret.
###############################################
$ kubectl describe secret default | awk '$1=="token:"{print $2}'
eyJhbGciOiJSUzI1NiIsImtpZCI6ImVUYzFjVUhDeUJqeXNzcnpJUEpfaGpWVnhyOS1TVXV2REZEYjBTazA3NzAifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tajI3ZjIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImFjOWE3NjY1LTk3ZmEtNDk1MC05NjBlLTIxNThkNWFiOWMwYSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.IJYDGgXRrH--GRiiz2P18RyozsjvIsLIwxVO7azfCUPkjeyjSIwbUrlH75Uxo3LXrQvvSKMKnJOyPovQ7K_zV3Ot0ufjjsoM3IZe3LZllr09JR70AvJkdckXjRnK7QeKoZRJNVKQt45emRCd9PKCbc8m8u3pianRwJWlPBXCTa-uyxWbsgoKXJXBD2HvgkphPDTLKjYQKPvvh6nSs2vfvX2MPaG98njY6F27W-1YFchgo_df3rFS-SoMlXVlizJsjOV-vr1Kye6EFGBI33fHXFCkCxaHE2cpmFtD_bbHZEHK8BdPXT5a5ER19ODlbtPZ8r3ngk8eWqpaSebHv2wWIg
向kubeconfig文件中添加token
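# kubeconfig with a service-account token added under the existing user entry.
# Once a long-lived token is pasted in, this file is a credential file: keep it
# out of version control, screenshots and shared documents.
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.0.3:6443
  name: cluster.local
contexts:
- context:
    cluster: cluster.local
    user: kubernetes-admin
  # Context name follows the "<user>@<cluster>" convention; the page text had
  # this value mangled by an e-mail obfuscator, it is reconstructed from the
  # user and cluster names above.
  name: kubernetes-admin@cluster.local
current-context: kubernetes-admin@cluster.local
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    # Bearer token, presumably the field the dashboard reads on kubeconfig login.
    # NOTE(review): the payload of this JWT names the kube-system:default
    # service account, whereas the token obtained above and the
    # clusterrolebinding created below refer to default:default -- confirm
    # that the token pasted here belongs to the account you intend to grant.
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImVUYzFjVUhDeUJqeXNzcnpJUEpfaGpWVnhyOS1TVXV2REZEYjBTazA3NzAifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZWZhdWx0LXRva2VuLTJnNTZ6Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImRlZmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI3M2M1NjI1Yi1mYWJkLTQzZTUtYjY5Ny0yMWY4MDQ2MDg2YTUiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06ZGVmYXVsdCJ9.Oh9HH5n2QswxakCiBalXyg71P2VMv_CG5NMjmFyK6Fj_gVnUxsIRGNV3z08QMMVE-d3ZyWP-N8xL-MX2aFyoxV4XwjcJh0c8WYMdVdTQzDBJoAf7x9xbI2faduMIrb1c2WgbF74PMRS8yufR3WlSERySDgWWJnhyLvdiNN0HNoS2J2o72AounyXOD5O0GLiKSZujAUV7HH_6pLZ_W6bGlJjMzma68OLlN5sWoikAhHP1MdbwBVpPbMhnl5cbP4rg5Hs_cMr6Wlhw9j2Mi7CGnYI3JVop23ESwoAJmqNX-5ANQ6015KVBmP7_l9_qIikVSCtP9cTErK9gqXQD90YQ3g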
# Grants the cluster-admin ClusterRole to the "default" ServiceAccount of the
# "default" namespace (--serviceaccount takes <namespace>:<name>).
# This is not limited to the dashboard login: every pod in that namespace that
# automounts the default service-account token (the Kubernetes default) then
# carries cluster-admin credentials. A dedicated service account, such as the
# kubernetes-dashboard account created by the manifest below, bound to the
# narrowest role that suffices keeps the blast radius small.
$ kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=default:default
最后贴一下kubernetes dashboard的部署文件(基于kubernetesui/dashboard:v2.0.0-beta8)。
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Configuration to deploy release version of the Dashboard UI compatible with
# Kubernetes 1.8.
#
# Example usage: kubectl create -f
---
# ------------------- Dashboard Secrets ------------------- #
# Three empty Opaque Secrets the dashboard is allowed to get/update/delete via
# the Role further down. They are created empty here; presumably the dashboard
# fills them at runtime (certs when --auto-generate-certificates is set) --
# confirm against the dashboard version in use.
apiVersion: v1
kind: Secret
metadata:
  name: kubernetes-dashboard-certs
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
  name: kubernetes-dashboard-csrf
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
type: Opaque
data:
  # Empty placeholder value (data values are base64; "" decodes to nothing).
  csrf: ""
---
apiVersion: v1
kind: Secret
metadata:
  name: kubernetes-dashboard-key-holder
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
type: Opaque
---
# ------------------- Dashboard ConfigMap ------------------- #
# Empty ConfigMap that holds dashboard UI settings; the Role below grants
# get/update on exactly this object.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kubernetes-dashboard-settings
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
---
# ------------------- Dashboard Service Account ------------------- #
# Identity the dashboard pod runs as (see serviceAccountName in the Deployment).
# Its permissions are only those bound in the RoleBinding below; user actions in
# the UI are performed with the token the user logs in with, not with this account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
---
# ------------------- Dashboard Role & Role Binding ------------------- #
# Namespaced, least-privilege role for the dashboard's own service account:
# it may only touch the three Secrets and the ConfigMap created above, plus
# proxy to a heapster Service.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames:
      - kubernetes-dashboard-key-holder
      - kubernetes-dashboard-certs
      - kubernetes-dashboard-csrf
    verbs:
      - get
      - update
      - delete
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs:
      - get
      - update
  # Allow Dashboard to get metrics from heapster.
  # NOTE(review): heapster is retired upstream; if it is not deployed in this
  # cluster these two rules grant nothing useful and can be removed.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    # Names with a trailing ':' must stay quoted or YAML reads them as mapping keys.
    resourceNames:
      - "heapster"
      - "http:heapster:"
      - "https:heapster:"
    verbs: ["get"]
---
# Binds the minimal Role above to the dashboard's service account only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system
---
# ------------------- Gross Hack For anonymous auth through api proxy ------------------- #
# Allows users to reach login page and other proxied dashboard URLs
#
# Both objects bind the unauthenticated identity system:anonymous. If the API
# server accepts anonymous requests (the kube-apiserver default), anyone who
# can reach it can reach the dashboard through the apiserver proxy, and the
# dashboard's own token login becomes the only control on that path. The verb
# list is wider than a login page (GET) and its login POST (create) need --
# NOTE(review): confirm which verbs the dashboard actually exercises through the
# proxy before trimming. When the NodePort Service at the end of this file is
# the intended access path, these two objects are not required and can be dropped.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubernetes-dashboard-anonymous
rules:
  - apiGroups: [""]
    resources: ["services/proxy"]
    # Trailing ':' -- keep quoted so YAML does not parse it as a mapping key.
    resourceNames: ["https:kubernetes-dashboard:"]
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - nonResourceURLs:
      - "/ui"
      - "/ui/*"
      - "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-anonymous
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard-anonymous
subjects:
  # Unauthenticated requests are attributed to this user.
  - kind: User
    name: system:anonymous
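---
# ------------------- Dashboard Deployment ------------------- #
# Single-replica dashboard served over HTTPS on 8443 with a self-generated
# certificate and token-only login.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      priorityClassName: system-cluster-critical
      # Runs as the least-privilege service account defined above.
      serviceAccountName: kubernetes-dashboard
      containers:
        - name: kubernetes-dashboard
          # Pinned to a pre-release tag; move to a released tag (or a digest)
          # once available so the running image cannot silently change.
          image: kubernetesui/dashboard:v2.0.0-beta8
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              cpu: 100m
              memory: 256M
            requests:
              cpu: 50m
              memory: 64M
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            # Self-signed serving certificate, stored in the certs volume below.
            - --auto-generate-certificates
            # Only token login is offered; basic auth is not enabled.
            - --authentication-mode=token
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
            # Dashboard session token lifetime in seconds (900 s = 15 min).
            - --token-ttl=900
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
            # Create on-disk volume to store exec logs
            - name: tmp-volume
              mountPath: /tmp
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule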
---
# ------------------- Dashboard Service ------------------- #
# Exposes the dashboard pod's HTTPS port on a fixed NodePort.
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
spec:
  type: NodePort
  selector:
    k8s-app: kubernetes-dashboard
  ports:
    - port: 443
      targetPort: 8443
      # Port opened on every node (original note: 节点的端口). A NodePort is
      # reachable from any network that can reach a node, so token login is the
      # only gate on this path; restrict reachability with a firewall or
      # NetworkPolicy where the environment allows.
      nodePort: 30012