Installing the Dashboard add-on

It is recommended to deploy kubernetes-dashboard together with the master. Otherwise, once node machines have joined the cluster, kube-scheduler may schedule kubernetes-dashboard onto a node, and its communication with kube-apiserver then needs extra configuration.

wget https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

kubectl create -f kubernetes-dashboard.yaml

Modify kubernetes-dashboard.yaml

If the dashboard has to be reachable from outside the cluster, change the Service type in this yaml file to NodePort. The default is ClusterIP, which cannot be reached from outside.

Re-apply the configuration

kubectl apply -f kubernetes-dashboard.yaml

Check pod status

kubectl get pods --namespace kube-system

Check service status

kubectl get svc --namespace kube-system

Check the port currently mapped for the dashboard

[root@node1 /data/soft/k8s_1.9.0_images]# kubectl -n kube-system get svc kubernetes-dashboard
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
kubernetes-dashboard   ClusterIP   10.107.246.177   <none>        443:32666/TCP   36m

You can also edit the Service directly

kubectl -n kube-system edit service kubernetes-dashboard

Change type: ClusterIP to type: NodePort, then save and exit

apiVersion: v1
kind: Service
metadata:
  creationTimestamp: 2017-12-27T09:07:18Z
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
  resourceVersion: "5919"
  selfLink: /api/v1/namespaces/kube-system/services/kubernetes-dashboard
  uid: 57004c00-eae5-11e7-8c16-005056975b01
spec:
  clusterIP: 10.107.246.177
  ports:
  - port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  # type: ClusterIP
  type: NodePort
status:
  loadBalancer: {}

Checking again, the externally mapped port is now 32191

[root@node1 /data/soft/k8s_1.9.0_images]# kubectl -n kube-system get service kubernetes-dashboard
NAME                   TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.107.246.177   <none>        443:32191/TCP   47m

To remove it

kubectl delete -f kubernetes-dashboard.yaml

From version 1.7 onward, the Dashboard no longer comes with full privileges, so a service account bound to the cluster-admin role has to be created:

If you skip the login, the default service account is kubernetes-dashboard, which can see practically no information at all.

# The ServiceAccount kubernetes-dashboard in kubernetes-dashboard.yaml has fairly limited privileges, so
# create a ServiceAccount named kubernetes-dashboard-admin and grant it cluster admin privileges

$ cat kubernetes-dashboard-admin.rbac.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-admin
  namespace: kube-system

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-admin
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard-admin
  namespace: kube-system

$ kubectl create -f kubernetes-dashboard-admin.rbac.yaml
serviceaccount "kubernetes-dashboard-admin" created
clusterrolebinding "kubernetes-dashboard-admin" created

Alternatively, grant the cluster-admin role directly to the kubernetes-dashboard service account

$ cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
EOF

Start the proxy

$ kubectl proxy --address="192.168.43.15" -p 8001 --accept-hosts='^*$'

Visit the site

http://192.168.43.15:8001/ui ## redirects to the URL below
http://192.168.43.15:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

The default authentication methods are kubeconfig and token

  • token

The token here can be a Static Token, a Service Account Token, or an OpenID Connect Token

We look up the token of the kubernetes-dashboard-admin account created above and use it to log in

$ kubectl -n kube-system get secret
# All secrets with type 'kubernetes.io/service-account-token' will allow to log in.
# Note that they have different privileges.
NAME                                     TYPE                                  DATA      AGE
deployment-controller-token-frsqj        kubernetes.io/service-account-token   3         22h

$ kubectl -n kube-system describe secret deployment-controller-token-frsqj
Name:         deployment-controller-token-frsqj
Namespace:    kube-system
Labels:       <none>

Annotations:  kubernetes.io/service-account.name=deployment-controller
              kubernetes.io/service-account.uid=64735958-ae9f-11e7-90d5-02420ac00002

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdW

  • basic

Another way is to use basic auth for authentication against the apiserver.
Create /etc/kubernetes/manifests/pki/basic_auth_file to hold the username and password

#user,password,userid
admin,admin,2

Add basic_auth authentication to kube-apiserver
vi /etc/kubernetes/manifests/kube-apiserver.yaml

Add this line

Update the kube-apiserver container
kubectl apply -f kube-apiserver.yaml

Not sure whether this is a bug in 1.9.3

After changing kube-apiserver.yaml, none of the services come up at all

It looks like the only way is to pass these parameters to the api server at kubeadm init time

Authorization

Since k8s 1.6, all versions use the RBAC authorization model.

Granting authorization to admin

By default cluster-admin holds all privileges, so binding admin to cluster-admin gives admin the cluster-admin privileges:

kubectl create clusterrolebinding login-on-dashboard-with-cluster-admin --clusterrole=cluster-admin --user=admin

Check

kubectl get clusterrolebinding/login-on-dashboard-with-cluster-admin -o yaml
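To audit what the bindings in these notes add up to, here is an added example (not part of the original notes) that parses the output shape of `kubectl get clusterrolebindings -o json` and lists every subject holding cluster-admin; the sample JSON is constructed to mirror the three bindings created above plus one unrelated binding. Because the skip-login path runs as the kubernetes-dashboard ServiceAccount, the second function flags the case where that account itself holds cluster-admin, which makes every anonymous visitor to the NodePort a cluster admin.

```python
import json

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`:
# the three bindings created in the notes above plus one unrelated default binding.
SAMPLE_BINDINGS = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "kubernetes-dashboard-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard-admin",
                       "namespace": "kube-system"}]},
        {"metadata": {"name": "kubernetes-dashboard"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                       "namespace": "kube-system"}]},
        {"metadata": {"name": "login-on-dashboard-with-cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "User", "name": "admin"}]},
        {"metadata": {"name": "system:discovery"},
         "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    ],
})


def cluster_admin_subjects(bindings_json):
    """Return (binding, kind, name, namespace) for every subject bound to cluster-admin."""
    doc = json.loads(bindings_json)
    found = []
    for crb in doc.get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        # 'subjects' may be absent or null on a binding with no subjects
        for s in crb.get("subjects") or []:
            found.append((crb["metadata"]["name"], s.get("kind"),
                          s.get("name"), s.get("namespace", "")))
    return found


def dashboard_skip_login_is_admin(bindings_json, sa_name="kubernetes-dashboard",
                                  namespace="kube-system"):
    """True when the dashboard's own ServiceAccount holds cluster-admin, i.e. the
    skip-login path (which uses that account) would act as cluster-admin."""
    return any(kind == "ServiceAccount" and name == sa_name and ns == namespace
               for _, kind, name, ns in cluster_admin_subjects(bindings_json))


if __name__ == "__main__":
    for binding, kind, name, ns in cluster_admin_subjects(SAMPLE_BINDINGS):
        print(f"{binding}: {kind} {ns + '/' if ns else ''}{name}")
    print("skip-login grants cluster-admin:", dashboard_skip_login_is_admin(SAMPLE_BINDINGS))
```

On a live cluster, feed the function the output of `kubectl get clusterrolebindings -o json` instead of the constructed sample.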
