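Logging in to Kubernetes Dashboard with a token

Install Kubernetes Dashboard

The dashboard is installed with helm, which by default uses Google's official chart source. As everyone knows, that source is blocked here, so first download the dashboard's chart repository locally and then install it with helm.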

git clone https://github.com/helm/charts
cd charts/stable
helm install ./kubernetes-dashboard

If you cannot pull the official gcr.io/kubernetes-helm/tiller:v2.12.1 image, you can use myonlyzzy/tiller:v2.12.1.

Log in to Kubernetes Dashboard

Kubernetes Dashboard offers two login authentication methods: a kubeconfig file and token authentication.



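kubeconfig file

The kubeconfig file is the credentials file that kubectl uses to authenticate. It is usually located at ~/.kube/config.

Token login

The token is simply a token value. In k8s, every sa (ServiceAccount) corresponds to a secret, and each secret holds a base64-encoded token value. Below we create a custom sa to illustrate this.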

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jianshu
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: jianshu
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jianshu
  namespace: default

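We created two k8s resources: a ClusterRoleBinding named jianshu, which binds the ClusterRole view to the sa jianshu, and the sa itself. In other words, jianshu now has the permissions of the view role. view is a built-in role with list, get and watch permissions on cluster resources.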

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2019-05-18T04:08:55Z"
  name: jianshu
  namespace: default
  resourceVersion: "30667"
  selfLink: /api/v1/namespaces/default/serviceaccounts/jianshu
  uid: a793b401-7922-11e9-a99f-867b0fa2fa27
secrets:
- name: jianshu-token-ncs9d

We can see that jianshu is associated with a secret, jianshu-token-ncs9d.

kubectl get secrets jianshu-token-ncs9d -o jsonpath={.data.token}|base64 -D
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImppYW5zaHUtdG9rZW4tbmNzOWQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiamlhbnNodSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImE3OTNiNDAxLTc5MjItMTFlOS1hOTlmLTg2N2IwZmEyZmEyNyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmppYW5zaHUifQ.TN4CietCFmYy67bv-sutskk5sQKFmFNJ_Ofg4zLF8yTBUqU76K03KMBy6WxJa8w-YCBKM4Sly1PZ6sgBYas_70LoI-HA1prxfUKK2p3PzBL4EybNU7tENsDbjypTgILyMXyV3tgsUXHJFOkuVuPo8o1pLwQN3Qllsj_164WiNZabYc24ZkLn7cmS2nVfHDppnuU0n3D4FcKkyW7WqS05iEr2_KAScM2krwEaS6Tnhvn-XDnih16TTQgzeMry9hCrUS3MBE0Qdo7aV3SDPyMXJJumA7U_V-UB_hS2B4TcIeRfXXR4xAyFnTGcyRli1EhKnEQntMQ-U8unkjvVkhfyhg

Log in to Kubernetes Dashboard with this token and you have only view permissions. If we try to delete a resource, permission is denied.
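An added example, not part of the original post: the decoded token is a JWT, so before pasting one into the dashboard login form you can read its claims to confirm which ServiceAccount it belongs to and whether it expires. The function names are hypothetical, the sample token is constructed from the names used above with a placeholder signature, and the signature is not verified.

```python
import base64
import json

SA_PREFIX = "kubernetes.io/serviceaccount/"  # claim prefix in secret-based SA tokens

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def describe_sa_token(token: str) -> dict:
    """Decode a ServiceAccount JWT's claims. The signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError(f"malformed JWT payload: {exc}") from exc
    if not isinstance(claims, dict):
        raise ValueError("JWT payload must be a JSON object")
    ns = claims.get(SA_PREFIX + "namespace")
    name = claims.get(SA_PREFIX + "service-account.name")
    return {
        "issuer": claims.get("iss"),
        "namespace": ns,
        "service_account": name,
        "secret": claims.get(SA_PREFIX + "secret.name"),
        "subject": claims.get("sub"),
        # The API server username of a ServiceAccount has this fixed form.
        "subject_matches": claims.get("sub") == f"system:serviceaccount:{ns}:{name}",
        "expires": claims.get("exp"),  # None: no exp claim, valid until the secret is deleted
    }

def make_sample_token() -> str:
    """Constructed sample built from the names used above; placeholder signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": ""}
    claims = {
        "iss": "kubernetes/serviceaccount",
        SA_PREFIX + "namespace": "default",
        SA_PREFIX + "secret.name": "jianshu-token-ncs9d",
        SA_PREFIX + "service-account.name": "jianshu",
        "sub": "system:serviceaccount:default:jianshu",
    }
    return f"{enc(header)}.{enc(claims)}.placeholder-signature"

if __name__ == "__main__":
    print(json.dumps(describe_sa_token(make_sample_token()), indent=2))
```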

