如何登录 kubernetes 仪表板? [英] How to sign in kubernetes dashboard?

查看:25
本文介绍了如何登录 kubernetes 仪表板?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我刚刚将 kubeadm 和 kubelet 升级到 v1.8.0.并按照官方 看起来有两种身份验证方式.

我尝试上传 /etc/kubernetes/admin.conf 作为 kubeconfig 但失败了.然后我尝试使用从 kubeadm token list 获得的令牌登录但再次失败.

问题是我如何登录仪表板.看起来他们比以前增加了很多安全机制.谢谢.

解决方案

从 1.7 版开始,仪表板支持基于以下内容的用户身份验证:

Github 上的仪表板

代币

这里的Token可以是Static TokenService Account TokenOpenID Connect Token来自Kubernetes 身份验证,但不是 kubeadm Bootstrap Token.

使用 kubectl,我们可以获得默认在 kubernetes 中创建的服务帐户(例如部署控制器).

$ kubectl -n kube-system 获取机密# 'kubernetes.io/service-account-token' 类型的所有机密都将允许登录.# 注意他们有不同的权限.名称 类型 数据 年龄部署-控制器-令牌-frsqj kubernetes.io/service-account-token 3 22 小时$ kubectl -n kube-system 描述秘密部署-控制器-令牌-frsqj名称:部署-控制器-令牌-frsqj命名空间:kube-system标签:<无>注解:kubernetes.io/service-account.name=deployment-controllerkubernetes.io/service-account.uid=64735958-ae9f-11e7-90d5-02420ac00002类型:kubernetes.io/service-account-token数据====ca.crt:1025 字节命名空间:11 个字节令牌:eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZXBsb3ltZW50LWNvbnRyb2xsZXItdG9rZW4tZnJzcWoiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVwbG95bWVudC1jb250cm9sbGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNjQ3MzU5NTgtYWU5Zi0xMWU3LTkwZDUtMDI0MjBhYzAwMDAyIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRlcGxveW1lbnQtY29udHJvbGxlciJ9.OqFc4CE1Kh6T3BTCR4XxDZR8gaF1MvH4M3ZHZeCGfO-SW-D0gp826vGPHr_0M66SkGaOmlsVHmP7zmTi-SJ3NCdVO5viHaVUwPJ62hx88_JPmSfD0KJJh6G5QokKfiO0WlGN7L1GgiZj18zgXVYaJShlBSz5qGRuGf0s1jy9KOBt9slAN5xQ9_b88amym2GIXoFyBsqymt5H-iMQaGP35tbRpewKKtly9LzIdrO23bDiZ1voc5QZeAZIWrizzjPY5HPM1qOqacaY9DcGc7akh98eBJG_4vZqH2gKy76fMf0yInFTeNKr45_6fWt8gRM77DQmPwb3hbrjWXe1VvXX_g

Kubeconfig

仪表板需要 kubeconfig 文件中的用户具有 username &密码token,但admin.conf只有client-certificate.您可以编辑配置文件以添加使用上述方法提取的令牌.

<前>$ kubectl config set-credentials cluster-admin --token=bearer_token

替代方案(不推荐用于生产)

这里有两种绕过身份验证的方法,但请谨慎使用.

使用 HTTP 部署仪表板

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/alternative/kubernetes-dashboard.yaml

可以使用 kubectl proxy 在 http://localhost:8001/ui 加载仪表板代码>.

向仪表板的服务帐户授予管理员权限

$ cat <<EOF |kubectl 创建 -f -api版本:rbac.authorization.k8s.io/v1beta1种类:ClusterRoleBinding元数据:名称:kubernetes-dashboard标签:k8s-app:kubernetes-dashboard角色参考:apiGroup: rbac.authorization.k8s.io种类:集群角色名称:集群管理员科目:- 种类:ServiceAccount名称:kubernetes-dashboard命名空间:kube-systemEOF

之后您可以使用登录页面上的跳过选项来访问仪表板.

如果您使用的是仪表板版本 v1.10.1 或更高版本,您还必须将 --enable-skip-login 添加到部署的命令行参数.您可以通过将其添加到 kubectl edit deployment/kubernetes-dashboard --namespace=kube-system 中的 args 来实现.

示例:

 容器:- 参数:- --auto-generate-certificates- --enable-skip-login # <-- 添加这一行图片:k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1

I just upgraded kubeadm and kubelet to v1.8.0. And install the dashboard following the official document.

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

After that, I started the dashboard by running

$ kubectl proxy --address="192.168.0.101" -p 8001 --accept-hosts='^*$'

Then fortunately, I was able to access the dashboard thru http://192.168.0.101:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

I was redirected to a login page like this which I had never met before. It looks like that there are two ways of authentication.

I tried to upload the /etc/kubernetes/admin.conf as the kubeconfig but got failed. Then I tried to use the token I got from kubeadm token list to sign in but failed again.

The question is how I can sign in the dashboard. It looks like they added a lot of security mechanism than before. Thanks.

解决方案

As of release 1.7 Dashboard supports user authentication based on:

Dashboard on Github

Token

Here Token can be Static Token, Service Account Token, OpenID Connect Token from Kubernetes Authenticating, but not the kubeadm Bootstrap Token.

With kubectl, we can get an service account (eg. deployment controller) created in kubernetes by default.

$ kubectl -n kube-system get secret
# All secrets with type 'kubernetes.io/service-account-token' will allow to log in.
# Note that they have different privileges.
NAME                                     TYPE                                  DATA      AGE
deployment-controller-token-frsqj        kubernetes.io/service-account-token   3         22h

$ kubectl -n kube-system describe secret deployment-controller-token-frsqj
Name:         deployment-controller-token-frsqj
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=deployment-controller
              kubernetes.io/service-account.uid=64735958-ae9f-11e7-90d5-02420ac00002

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZXBsb3ltZW50LWNvbnRyb2xsZXItdG9rZW4tZnJzcWoiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVwbG95bWVudC1jb250cm9sbGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNjQ3MzU5NTgtYWU5Zi0xMWU3LTkwZDUtMDI0MjBhYzAwMDAyIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRlcGxveW1lbnQtY29udHJvbGxlciJ9.OqFc4CE1Kh6T3BTCR4XxDZR8gaF1MvH4M3ZHZeCGfO-sw-D0gp826vGPHr_0M66SkGaOmlsVHmP7zmTi-SJ3NCdVO5viHaVUwPJ62hx88_JPmSfD0KJJh6G5QokKfiO0WlGN7L1GgiZj18zgXVYaJShlBSz5qGRuGf0s1jy9KOBt9slAN5xQ9_b88amym2GIXoFyBsqymt5H-iMQaGP35tbRpewKKtly9LzIdrO23bDiZ1voc5QZeAZIWrizzjPY5HPM1qOqacaY9DcGc7akh98eBJG_4vZqH2gKy76fMf0yInFTeNKr45_6fWt8gRM77DQmPwb3hbrjWXe1VvXX_g

Kubeconfig

The dashboard needs the user in the kubeconfig file to have either username & password or token, but admin.conf only has client-certificate. You can edit the config file to add the token that was extracted using the method above.

$ kubectl config set-credentials cluster-admin --token=bearer_token

Alternative (Not recommended for Production)

Here are two ways to bypass the authentication, but use for caution.

Deploy dashboard with HTTP

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/alternative/kubernetes-dashboard.yaml

Dashboard can be loaded at http://localhost:8001/ui with kubectl proxy.

Granting admin privileges to Dashboard's Service Account

$ cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
EOF

Afterwards you can use Skip option on login page to access Dashboard.

If you are using dashboard version v1.10.1 or later, you must also add --enable-skip-login to the deployment's command line arguments. You can do so by adding it to the args in kubectl edit deployment/kubernetes-dashboard --namespace=kube-system.

Example:

      containers:
      - args:
        - --auto-generate-certificates
        - --enable-skip-login            # <-- add this line
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1

这篇关于如何登录 kubernetes 仪表板?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆