How to sign in kubernetes dashboard?
Question
I just upgraded kubeadm and kubelet to v1.8.0, and installed the dashboard following the official document.
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
After that, I started the dashboard by running
$ kubectl proxy --address="192.168.0.101" -p 8001 --accept-hosts='^*$'
Then fortunately, I was able to access the dashboard through http://192.168.0.101:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
I was redirected to a login page like this, which I had never seen before. It looks like there are two ways of authentication.
I tried to upload the /etc/kubernetes/admin.conf as the kubeconfig but it failed. Then I tried to use the token I got from kubeadm token list to sign in, but that failed again.
The question is how I can sign in to the dashboard. It looks like they added a lot more security mechanisms than before. Thanks.
As of release 1.7 Dashboard supports user authentication based on:
- Authorization: Bearer <token> header passed in every request to Dashboard. Supported from release 1.6. Has the highest priority. If present, login view will not be shown.
- Bearer Token that can be used on Dashboard login view.
- Username/password that can be used on Dashboard login view.
- Kubeconfig file that can be used on Dashboard login view.
Token
Here Token can be a Static Token, Service Account Token or OpenID Connect Token from Kubernetes Authenticating, but not the kubeadm Bootstrap Token.
With kubectl, we can get the token of a service account (e.g. deployment controller) created in kubernetes by default.
$ kubectl -n kube-system get secret
# All secrets with type 'kubernetes.io/service-account-token' will allow you to log in.
# Note that they have different privileges.
NAME                                TYPE                                  DATA      AGE
deployment-controller-token-frsqj   kubernetes.io/service-account-token   3         22h

$ kubectl -n kube-system describe secret deployment-controller-token-frsqj
Name:         deployment-controller-token-frsqj
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=deployment-controller
              kubernetes.io/service-account.uid=64735958-ae9f-11e7-90d5-02420ac00002

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9....OqFc4CE1Kh6T3BTCR4XxDZR8gaF1MvH4M3ZHZeCGfO-sw-D0gp826vGPHr_0M66SkGaOmlsVHmP7zmTi-SJ3NCdVO5viHaVUwPJ62hx88_JPmSfD0KJJh6G5QokKfiO0WlGN7L1GgiZj18zgXVYaJShlBSz5qGRuGf0s1jy9KOBt9slAN5xQ9_b88amym2GIXoFyBsqymt5H-iMQaGP35tbRpewKKtly9LzIdrO23bDiZ1voc5QZeAZIWrizzjPY5HPM1qOqacaY9DcGc7akh98eBJG_4vZqH2gKy76fMf0yInFTeNKr45_6fWt8gRM77DQmPwb3hbrjWXe1VvXX_g
Kubeconfig
The dashboard needs the user in the kubeconfig file to have either username & password or token, but admin.conf only has client-certificate. You can edit the config file to add the token that was extracted using the method above.
$ kubectl config set-credentials cluster-admin --token=bearer_token
Alternative (Not recommended for Production)
Here are two ways to bypass the authentication, but use them with caution.
Deploy dashboard with HTTP
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/alternative/kubernetes-dashboard.yaml
Dashboard can be loaded at http://localhost:8001/ui with kubectl proxy.
Granting admin privileges to Dashboard's Service Account
$ cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
EOF
Afterwards you can use the Skip option on the login page to access Dashboard.
If you are using dashboard version v1.10.1 or later, you must also add --enable-skip-login to the deployment's command line arguments. You can do so by adding it to the args in kubectl edit deployment/kubernetes-dashboard --namespace=kube-system.
Example:
containers:
- args:
  - --auto-generate-certificates
  - --enable-skip-login # <-- add this line
  image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
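As an added example (my own, not code from the question, the answer, or the kubernetes/dashboard project), the following Python puts the answer's two checks into code: it tells a kubeadm bootstrap token (the abcdef.0123456789abcdef format, which Dashboard rejects) apart from a service-account JWT, decodes the JWT's claims without verifying the signature so you can see which service account, and therefore which RBAC permissions, a token will log you in as, and checks whether a kubeconfig user entry carries a credential Dashboard can use at all. Assumptions: the legacy service-account token claim names (iss kubernetes/serviceaccount, kubernetes.io/serviceaccount/... claims) that the RS256 token in the answer's describe secret output uses; the make_sample_sa_token helper mints a constructed token with a fake signature purely so the example runs offline, and the function and variable names are mine.

```python
import base64
import binascii
import json
import re

# Added example, not from the original answer or the kubernetes/dashboard
# project. Claim names follow the legacy service-account JWT format
# (assumption: the same format as the RS256 token shown in the answer).

BOOTSTRAP_TOKEN_RE = re.compile(r"^[a-z0-9]{6}\.[a-z0-9]{16}$")
SA_CLAIM = "kubernetes.io/serviceaccount/"


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token):
    """Return (header, payload) of a JWT WITHOUT checking its signature.

    Inspection only: this shows which identity a token claims, it does not
    prove the token is valid. Only the API server can verify it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("JWT header and payload must be JSON objects")
    return header, payload


def classify_token(token):
    """Describe a credential string before pasting it into the Dashboard login view."""
    token = token.strip()
    # kubeadm bootstrap tokens are for joining nodes, not for users; Dashboard
    # rejects them, which is what the question ran into.
    if BOOTSTRAP_TOKEN_RE.match(token):
        return {"kind": "kubeadm-bootstrap-token", "dashboard_login": False}
    try:
        header, payload = decode_jwt_unverified(token)
    except (ValueError, binascii.Error):
        # A static token from --token-auth-file is an opaque string; nothing in
        # the string itself says which user it maps to.
        return {"kind": "opaque-or-static-token", "dashboard_login": True}
    if payload.get("iss") == "kubernetes/serviceaccount":
        return {
            "kind": "service-account-token",
            "dashboard_login": True,
            "alg": header.get("alg"),
            "namespace": payload.get(SA_CLAIM + "namespace"),
            "service_account": payload.get(SA_CLAIM + "service-account.name"),
            # The Dashboard session gets exactly this subject's RBAC permissions.
            "subject": payload.get("sub"),
        }
    return {"kind": "jwt", "dashboard_login": True,
            "issuer": payload.get("iss"), "subject": payload.get("sub")}


def kubeconfig_user_usable_by_dashboard(user_entry):
    """True if a kubeconfig users[].user block carries a credential Dashboard reads.

    Dashboard's kubeconfig login uses only token or username+password, so a
    kubeadm admin.conf user (client-certificate-data/client-key-data only) is
    rejected until a token is added with kubectl config set-credentials --token.
    """
    if "token" in user_entry:
        return True
    return "username" in user_entry and "password" in user_entry


def make_sample_sa_token(namespace, name):
    """Mint a CONSTRUCTED legacy-format SA token with a fake signature (offline demo only)."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "iss": "kubernetes/serviceaccount",
        SA_CLAIM + "namespace": namespace,
        SA_CLAIM + "secret.name": name + "-token-xxxxx",
        SA_CLAIM + "service-account.name": name,
        SA_CLAIM + "service-account.uid": "00000000-0000-0000-0000-000000000000",
        "sub": "system:serviceaccount:%s:%s" % (namespace, name),
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    fake_sig = _b64url_encode(b"\x00" * 32)  # not a real RSA signature
    return ".".join([_b64url_encode(compact(header)),
                     _b64url_encode(compact(payload)), fake_sig])


if __name__ == "__main__":
    for candidate in ("abcdef.0123456789abcdef",
                      make_sample_sa_token("kube-system", "deployment-controller")):
        print(candidate[:40] + "...", classify_token(candidate))
```

Decoding the payload is inspection only; only the API server's signature check makes a token valid. The decoded subject is what the answer means by "they have different privileges": whoever holds the deployment-controller token gets that controller's RBAC permissions in the Dashboard session, and once the kubernetes-dashboard service account is bound to cluster-admin as in the alternative above, the Skip button hands cluster-admin to anyone who can reach the Dashboard at all.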