如何为kubernetes桌面UI配置简单的登录/通过身份验证 [英] How to config simple login/pass authentication for kubernetes desktop UI
问题描述
我是kubernetes的新手,我只是通过kubeadm安装kubernetes并运行仪表板UI,但无法配置对其的访问.在文档之后,我将行--basic-auth-file=/etc/kubernetes/auth.csv添加到/etc/kubernetes/manifests/kube-apiserver.yaml,创建文件并放入一个像pass,admin,admin这样的字符串.但是在该api服务器崩溃后,删除此字符串并重新启动服务器后恢复正常.如何在不使api服务器崩溃的情况下将此参数传递给api服务器,也许还有其他需要从该文件中添加或删除?这是我的
I'm pretty new in kubernetes, I just install kubernetes via kubeadm and run dashboard UI but can't config access to it. Following docs I add line --basic-auth-file=/etc/kubernetes/auth.csv to /etc/kubernetes/manifests/kube-apiserver.yaml, create file and put in one string like pass,admin,admin. But after that api server crashed and back to normal after deleting this string and reboot the server. How I can pass this parametr to api server without api server crashing, and maybe something else need add or remove from this file? Here is my
kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
creationTimestamp: null
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
- --admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota
- --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
- --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
- --secure-port=6443
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --requestheader-allowed-names=front-proxy-client
- --service-account-key-file=/etc/kubernetes/pki/sa.pub
- --client-ca-file=/etc/kubernetes/pki/ca.crt
- --enable-bootstrap-token-auth=true
- --allow-privileged=true
- --requestheader-username-headers=X-Remote-User
- --advertise-address=236.273.51.124
- --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
- --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
- --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
- --insecure-port=0
- --requestheader-group-headers=X-Remote-Group
- --requestheader-extra-headers-prefix=X-Remote-Extra-
- --service-cluster-ip-range=10.96.0.0/12
- --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
- --authorization-mode=Node,RBAC
- --etcd-servers=http://127.0.0.1:2379
image: gcr.io/google_containers/kube-apiserver-amd64:v1.8.0
livenessProbe:
failureThreshold: 8
httpGet:
host: 127.0.0.1
path: /healthz
port: 6443
scheme: HTTPS
initialDelaySeconds: 15
timeoutSeconds: 15
name: kube-apiserver
resources:
requests:
cpu: 250m
volumeMounts:
- mountPath: /etc/kubernetes/pki
name: k8s-certs
readOnly: true
- mountPath: /etc/ssl/certs
name: ca-certs
readOnly: true
- mountPath: /etc/pki
name: ca-certs-etc-pki
推荐答案
您的用于基本身份验证的文件/etc/kubernetes/auth.csv在kube-apiserver pod容器内不可用.应该将其安装到Pod的容器以及证书文件夹中.只需将其添加到volume和volumeMounts部分:
Your file for basic authentication /etc/kubernetes/auth.csv is not available inside kube-apiserver pod's container. It should be mounted to pod's container as well as certificate folders. Just add it to volumes and volumeMounts sections:
volumeMounts:
- mountPath: /etc/kubernetes/auth.csv
name: kubernetes-dashboard
readOnly: true
volumes:
- hostPath:
path: /etc/kubernetes/auth.csv
name: kubernetes-dashboard
这篇关于如何为kubernetes桌面UI配置简单的登录/通过身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
