部署kubernetes-dashboard并配置ServiceAccount和登录鉴权
"种草" kubernetes-dashboard
Kubernetes Dashboard 是通用的用于管理 Kubernetes 集群的 WebUI面板
kubernetes-dashboard 代码库 readme 中对自己的介绍:
Kubernetes Dashboard is a general purpose, web-based UI for Kubernetes clusters. It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself.
通过这个面板, 可以让我们非常直观看到pod的状态, 创建时间, 标签, 运行在哪个结点等元数据
还能看到容器中定义的环境变量, 挂载的磁盘, liveness和readiness探针等信息
有了这个面板, 不光是pod, 可以对几乎 kubernetes 中的任何资源(前提是当前用户有足够的权限) 查看和管理
再介绍一个这个面板我自己最常用的功能: 重启pod
确实通过命令kubectl rollout restart -n prod deployment mysql-8-0可以实现同样的操作, 不过有了这个面板, 鼠标点点就能完成岂不美哉, 重启前还会弹出确认框提示你是不是确定要重启, 还贴心的把用于重启命令给我们展示出来了, awesome! 再也不怕忘记命令每次都要去google一下文档啦!
这个面板可以使用kubernetes的ServiceAccount来登录鉴权, 对权限控制的粒度可以做到非常细致, 别急, 往下看!
安装部署dashboard
这份文件中, 首先定义了个Namespace -> kubernetes-dashboard, 然后的所有资源都在这个Namespace下;
先看2个Deployment的定义, 分别是kubernetes-dashboard和dashboard-metrics-scraper
点击展开 -> Deployment: kubernetes-dashboard
kind: Deployment
apiVersion: apps/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: kubernetes-dashboard
image: kubernetesui/dashboard:v2.7.0
imagePullPolicy: Always
ports:
- containerPort: 8443
protocol: TCP
args:
- --auto-generate-certificates
- --namespace=kubernetes-dashboard
# 通过nginx-ingress暴露出去, 这里不需要ssl了, 没有这个标志位会导致无法正常登录
- --enable-insecure-login=true
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 2001
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
nodeSelector:
"kubernetes.io/os": linux
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
点击展开 -> Deployment: dashboard-metrics-scraper
kind: Deployment
apiVersion: apps/v1
metadata:
labels:
k8s-app: dashboard-metrics-scraper
name: dashboard-metrics-scraper
namespace: kubernetes-dashboard
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: dashboard-metrics-scraper
template:
metadata:
labels:
k8s-app: dashboard-metrics-scraper
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: dashboard-metrics-scraper
image: kubernetesui/metrics-scraper:v1.0.8
ports:
- containerPort: 8000
protocol: TCP
livenessProbe:
httpGet:
scheme: HTTP
path: /
port: 8000
initialDelaySeconds: 30
timeoutSeconds: 30
volumeMounts:
- mountPath: /tmp
name: tmp-volume
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 2001
serviceAccountName: kubernetes-dashboard
nodeSelector:
"kubernetes.io/os": linux
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
volumes:
- name: tmp-volume
emptyDir: {}
再看ServiceAccount: kubernetes-dashboard; 上面两个Deployment kubernetes-dashboard和dashboard-metrics-scraper 中的容器都绑定到了这个ServiceAccount
点击展开 ServiceAccount: kubernetes-dashboard
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
deployment.yaml中还定义了ClusterRole: kubernetes-dashboard和Role: kubernetes-dashboard, ClusterRole Role中定义了面板所需的权限
ClusterRole和Role的定义
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
rules:
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster", "dashboard-metrics-scraper"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
verbs: ["get"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
rules:
# Allow Metrics Scraper to get metrics from the Metrics server
- apiGroups: ["metrics.k8s.io"]
resources: ["pods", "nodes"]
verbs: ["get", "list", "watch"]
ClusterRole, Role与 前面提到的 ServiceAccount:kubernetes-dashboard 通过 ClusterRoleBinding 和 RoleBinding 绑定到了一起, 就是给 ServiceAccount:kubernetes-dashboard 授权, 让它可以访问集群里的资源
ClusterRoleBinding, RoleBinding 绑定 ServiceAccount 与 ClusterRole, Role
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubernetes-dashboard
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kubernetes-dashboard
最后就是 Service, ConfigMap, 和几个ssl相关的 Secret, 几个 Secret 的定义对我来说是不重要的, 因为上面Deployment容器的启动命令里, 我加上了 --enable-insecure-login=true, 我在外部通过nginx-ingress暴露服务, 配置好了ingress的部分配置ssl, 所里这里就无所谓了
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
ports:
- port: 443
targetPort: 8443
selector:
k8s-app: kubernetes-dashboard
---
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: dashboard-metrics-scraper
name: dashboard-metrics-scraper
namespace: kubernetes-dashboard
spec:
ports:
- port: 8000
targetPort: 8000
selector:
k8s-app: dashboard-metrics-scraper
---
kind: ConfigMap
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-settings
namespace: kubernetes-dashboard
---
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: kubernetes-dashboard
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-csrf
namespace: kubernetes-dashboard
type: Opaque
data:
csrf: ""
---
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-key-holder
namespace: kubernetes-dashboard
type: Opaque
配置Ingress, 向外暴露服务
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: kubernetes-dashboard
name: kubernetes-dashboard-ingress
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/backend-protocol: http
spec:
ingressClassName:
tls:
- hosts:
- <这里填域名>
secretName: <这里填集群内配置好的Secret证书>
rules:
- host: <这里填域名>
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kubernetes-dashboard
port:
number: 80
创建用于登录面板的ServiceAccount
新建account.yaml中定义ServiceAccount并绑定到内置的ClusterRole
定义两个 ServiceAccount 分别是 root 和 readonly
root绑定到内置的ClusterRolecluster-adminreadonly绑定到内置的ClusterRoleviewkubectl get clusterrole可以列表当前集群中已存在的角色
apiVersion: v1
kind: ServiceAccount
metadata:
name: root
namespace: kubernetes-dashboard
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: readonly
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: root
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: root
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: readonly
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects:
- kind: ServiceAccount
name: readonly
namespace: kubernetes-dashboard
kubectl apply -f account.yaml 应用后, root 和 readonly 就创建好了, 然后我们去生成 Token 输入到面板的登录界面中就可以登录了
为 root 生成有效期30天 Token 的命令 kubectl create token --namespace kubernetes-dashboard --duration 2592000s root
用 Token 登录
权限控制
root 账户绑定的角色是内置的 cluster-admin, 可以对集群内的一切资源进行查看或修改, 删除等操作
readonly 账户绑定的角色是内置的 view, 拥有对集群内大部分资源的只读权限
也可以自己新建一个角色, 授予这个新角色某些指定权限, 例如下面的示例, 创建了一个名为 test 的 ClusterRole, 对pods有只读权限, 然后将这个角色与 ServiceAccount 绑定
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: test
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: root-to-test
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: test
subjects:
- kind: ServiceAccount
name: root
namespace: kubernetes-dashboard
部署kubernetes-dashboard并配置ServiceAccount和登录鉴权的更多相关文章
- [原]部署kubernetes dashboard(二)
####################### 以下为声明 ##################### 此文档是之前做笔记在两台机上进行的实践,kubernetes处于不断开发阶段 不能保证每 ...
- 一步步教会你微信小程序的登录鉴权
前言 为了方便小程序应用使用微信登录态进行授权登录,微信小程序提供了登录授权的开放接口.乍一看文档,感觉文档上讲的非常有道理,但是实现起来又真的是摸不着头脑,不知道如何管理和维护登录态.本文就来手把手 ...
- Go+gRPC-Gateway(V2) 微服务实战,小程序登录鉴权服务(五):鉴权 gRPC-Interceptor 拦截器实战
拦截器(gRPC-Interceptor)类似于 Gin 中间件(Middleware),让你在真正调用 RPC 服务前,进行身份认证.参数校验.限流等通用操作. 系列 云原生 API 网关,gRPC ...
- SpringCloud之Zuul过滤器实现登录鉴权实战(十一)
自定义zuul过滤器实现登录鉴权实战 1.新建filter包 2.新建类继承ZuulFilter,重写方法 3.在类顶部加注解@Comment让spring扫描 /** * @author WGR * ...
- 使用网关zuul过滤器登录鉴权
使用网关zuul过滤器登录鉴权 1.新建一个filter包 filte有很多种 pre.post. 2.新建一个类LoginFilter,实现ZuulFilter,重写 ...
- vue项目中的登录鉴权
用vue做一个简单的登录鉴权功能. 项目目录结构如下: Login 组件 登录成功后做本地存储和store存储,并进行跳转. Login.vue关键代码: async handleLogin(e) { ...
- Go+gRPC-Gateway(V2) 微服务实战,小程序登录鉴权服务(四):客户端强类型约束,自动生成 API TS 类型定义
系列 云原生 API 网关,gRPC-Gateway V2 初探 Go + gRPC-Gateway(V2) 构建微服务实战系列,小程序登录鉴权服务:第一篇 Go + gRPC-Gateway(V2) ...
- Go+gRPC-Gateway(V2) 微服务实战,小程序登录鉴权服务(六):客户端基础库 TS 实战
小程序登录鉴权服务,客户端底层 SDK,登录鉴权.业务请求.鉴权重试模块 Typescript 实战. 系列 云原生 API 网关,gRPC-Gateway V2 初探 Go + gRPC-Gatew ...
- centos7下kubernetes(5。部署kubernetes dashboard)
基于WEB的dashboard,用户可以用kubernetes dashboard部署容器话的应用,监控应用的状态,执行故障排查任务以及管理kubernetes各种资源. 在kubernetes da ...
- [Kubernetes]集群配置免密登录Permission denied (publickey,password) 解决办法
在用ansible部署Kubernetes集群是需要配置免密登录,但是遇到Permission denied (publickey,password)的问题 首先推断可能是sshd_config的配置 ...
随机推荐
- sqlite bundle 的含义,和 sqlite.dll, SQLite.Interop.dll, System.Data.SQLite.dll 三者之间的关系
sqlite bundle 的含义,和 sqlite.dll, SQLite.Interop.dll, System.Data.SQLite.dll 三者之间的关系. bundle 表示不需要配合 S ...
- manjaro挂载NTFS系统的方法
本文部分引自https://blog.csdn.net/baimaozi/article/details/3134267?utm_medium=distribute.pc_relevant.none- ...
- vim的visual模式和列编辑
有三种方式进入visual模式: 1> 在普通模式下输入v(小写),底部提示信息为VISUAL,编辑粒度为字符 通过方向键或者HJKL调整选择的字符范围. 输入d,删除选中字符: 输入y,复制当 ...
- el-scrollbar element-ui的滚动条组件(官方文档没有写出来)
<el-scrollbar></el-scrollbar> //去掉横向滚动条 /deep/.el-scrollbar__wrap { overflow-x: hidden; ...
- 在POD的ENV中添加POD的信息
主要用到的参数: - name POD_NAME volumeFrom: fieldRef: fieldPath: metadata.name - name: POD_IP volumeFrom: ...
- finereport连接mysql8.0
1.java包更新 2.下载地址:https://dev.mysql.com/downloads/connector/j/ 3.替换文件为8.0删除5.1版本 4.驱动器手动输入com.mysql.c ...
- springboot-项目获取resources下文件
背景: 项目的resources 目录下放置了一份txt文件,需求是想获取到这份文件转成File对象,调用文件上传的接口进行文件上传操作. 实现: 1.使用 ResourceUtils:本地ok,测试 ...
- Vue插件开发,全局插件和按需加入插件
年前手下事情少,找了一个下午研究了一下Vue插件开发,首先要感谢B站的前端小野森森-2,借鉴了他的视频,自己也写了一下.把过程记录下来. 首先用vite建一个空项目. 然后新建modules文件夹,和 ...
- 文件上传 upload-labs Pass-18 条件竞争
Pass-18 条件竞争 审计源码 $is_upload = false; $msg = null; if(isset($_POST['submit'])){ $ext_arr = array('jp ...
- java生态下的后端开发都有哪些技术栈?
前言 我08年毕业,那时(2003-2010)C#还比较时髦的,大学跟着老师进修的,毕业后就从事winform窗体应用程序开发.慢慢的web网站兴起,就转到aps.net开发,再到后来就上了另一艘船( ...