部署kubernetes-dashboard并配置ServiceAccount和登录鉴权
"种草" kubernetes-dashboard
Kubernetes Dashboard 是通用的用于管理 Kubernetes 集群的 WebUI面板
kubernetes-dashboard 代码库 readme 中对自己的介绍:
Kubernetes Dashboard is a general purpose, web-based UI for Kubernetes clusters. It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself.
通过这个面板, 可以让我们非常直观看到pod的状态, 创建时间, 标签, 运行在哪个结点等元数据
还能看到容器中定义的环境变量, 挂载的磁盘, liveness和readiness探针等信息
有了这个面板, 不光是pod, 可以对几乎 kubernetes 中的任何资源(前提是当前用户有足够的权限) 查看和管理
再介绍一个这个面板我自己最常用的功能: 重启pod
确实通过命令kubectl rollout restart -n prod deployment mysql-8-0可以实现同样的操作, 不过有了这个面板, 鼠标点点就能完成岂不美哉, 重启前还会弹出确认框提示你是不是确定要重启, 还贴心的把用于重启命令给我们展示出来了, awesome! 再也不怕忘记命令每次都要去google一下文档啦!
这个面板可以使用kubernetes的ServiceAccount来登录鉴权, 对权限控制的粒度可以做到非常细致, 别急, 往下看!
安装部署dashboard
这份文件中, 首先定义了个Namespace -> kubernetes-dashboard, 然后的所有资源都在这个Namespace下;
先看2个Deployment的定义, 分别是kubernetes-dashboard和dashboard-metrics-scraper
点击展开 -> Deployment: kubernetes-dashboard
kind: Deployment
apiVersion: apps/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: kubernetes-dashboard
image: kubernetesui/dashboard:v2.7.0
imagePullPolicy: Always
ports:
- containerPort: 8443
protocol: TCP
args:
- --auto-generate-certificates
- --namespace=kubernetes-dashboard
# 通过nginx-ingress暴露出去, 这里不需要ssl了, 没有这个标志位会导致无法正常登录
- --enable-insecure-login=true
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 2001
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
nodeSelector:
"kubernetes.io/os": linux
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
点击展开 -> Deployment: dashboard-metrics-scraper
kind: Deployment
apiVersion: apps/v1
metadata:
labels:
k8s-app: dashboard-metrics-scraper
name: dashboard-metrics-scraper
namespace: kubernetes-dashboard
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: dashboard-metrics-scraper
template:
metadata:
labels:
k8s-app: dashboard-metrics-scraper
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: dashboard-metrics-scraper
image: kubernetesui/metrics-scraper:v1.0.8
ports:
- containerPort: 8000
protocol: TCP
livenessProbe:
httpGet:
scheme: HTTP
path: /
port: 8000
initialDelaySeconds: 30
timeoutSeconds: 30
volumeMounts:
- mountPath: /tmp
name: tmp-volume
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 2001
serviceAccountName: kubernetes-dashboard
nodeSelector:
"kubernetes.io/os": linux
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
volumes:
- name: tmp-volume
emptyDir: {}
再看ServiceAccount: kubernetes-dashboard; 上面两个Deployment kubernetes-dashboard和dashboard-metrics-scraper 中的容器都绑定到了这个ServiceAccount
点击展开 ServiceAccount: kubernetes-dashboard
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
deployment.yaml中还定义了ClusterRole: kubernetes-dashboard和Role: kubernetes-dashboard, ClusterRole Role中定义了面板所需的权限
ClusterRole和Role的定义
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
rules:
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster", "dashboard-metrics-scraper"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
verbs: ["get"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
rules:
# Allow Metrics Scraper to get metrics from the Metrics server
- apiGroups: ["metrics.k8s.io"]
resources: ["pods", "nodes"]
verbs: ["get", "list", "watch"]
ClusterRole, Role与 前面提到的 ServiceAccount:kubernetes-dashboard 通过 ClusterRoleBinding 和 RoleBinding 绑定到了一起, 就是给 ServiceAccount:kubernetes-dashboard 授权, 让它可以访问集群里的资源
ClusterRoleBinding, RoleBinding 绑定 ServiceAccount 与 ClusterRole, Role
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubernetes-dashboard
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kubernetes-dashboard
最后就是 Service, ConfigMap, 和几个ssl相关的 Secret, 几个 Secret 的定义对我来说是不重要的, 因为上面Deployment容器的启动命令里, 我加上了 --enable-insecure-login=true, 我在外部通过nginx-ingress暴露服务, 配置好了ingress的部分配置ssl, 所里这里就无所谓了
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
ports:
- port: 443
targetPort: 8443
selector:
k8s-app: kubernetes-dashboard
---
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: dashboard-metrics-scraper
name: dashboard-metrics-scraper
namespace: kubernetes-dashboard
spec:
ports:
- port: 8000
targetPort: 8000
selector:
k8s-app: dashboard-metrics-scraper
---
kind: ConfigMap
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-settings
namespace: kubernetes-dashboard
---
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: kubernetes-dashboard
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-csrf
namespace: kubernetes-dashboard
type: Opaque
data:
csrf: ""
---
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-key-holder
namespace: kubernetes-dashboard
type: Opaque
配置Ingress, 向外暴露服务
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: kubernetes-dashboard
name: kubernetes-dashboard-ingress
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/backend-protocol: http
spec:
ingressClassName:
tls:
- hosts:
- <这里填域名>
secretName: <这里填集群内配置好的Secret证书>
rules:
- host: <这里填域名>
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kubernetes-dashboard
port:
number: 80
创建用于登录面板的ServiceAccount
新建account.yaml中定义ServiceAccount并绑定到内置的ClusterRole
定义两个 ServiceAccount 分别是 root 和 readonly
root绑定到内置的ClusterRolecluster-adminreadonly绑定到内置的ClusterRoleviewkubectl get clusterrole可以列表当前集群中已存在的角色
apiVersion: v1
kind: ServiceAccount
metadata:
name: root
namespace: kubernetes-dashboard
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: readonly
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: root
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: root
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: readonly
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects:
- kind: ServiceAccount
name: readonly
namespace: kubernetes-dashboard
kubectl apply -f account.yaml 应用后, root 和 readonly 就创建好了, 然后我们去生成 Token 输入到面板的登录界面中就可以登录了
为 root 生成有效期30天 Token 的命令 kubectl create token --namespace kubernetes-dashboard --duration 2592000s root
用 Token 登录
权限控制
root 账户绑定的角色是内置的 cluster-admin, 可以对集群内的一切资源进行查看或修改, 删除等操作
readonly 账户绑定的角色是内置的 view, 拥有对集群内大部分资源的只读权限
也可以自己新建一个角色, 授予这个新角色某些指定权限, 例如下面的示例, 创建了一个名为 test 的 ClusterRole, 对pods有只读权限, 然后将这个角色与 ServiceAccount 绑定
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: test
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: root-to-test
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: test
subjects:
- kind: ServiceAccount
name: root
namespace: kubernetes-dashboard
部署kubernetes-dashboard并配置ServiceAccount和登录鉴权的更多相关文章
- [原]部署kubernetes dashboard(二)
####################### 以下为声明 ##################### 此文档是之前做笔记在两台机上进行的实践,kubernetes处于不断开发阶段 不能保证每 ...
- 一步步教会你微信小程序的登录鉴权
前言 为了方便小程序应用使用微信登录态进行授权登录,微信小程序提供了登录授权的开放接口.乍一看文档,感觉文档上讲的非常有道理,但是实现起来又真的是摸不着头脑,不知道如何管理和维护登录态.本文就来手把手 ...
- Go+gRPC-Gateway(V2) 微服务实战,小程序登录鉴权服务(五):鉴权 gRPC-Interceptor 拦截器实战
拦截器(gRPC-Interceptor)类似于 Gin 中间件(Middleware),让你在真正调用 RPC 服务前,进行身份认证.参数校验.限流等通用操作. 系列 云原生 API 网关,gRPC ...
- SpringCloud之Zuul过滤器实现登录鉴权实战(十一)
自定义zuul过滤器实现登录鉴权实战 1.新建filter包 2.新建类继承ZuulFilter,重写方法 3.在类顶部加注解@Comment让spring扫描 /** * @author WGR * ...
- 使用网关zuul过滤器登录鉴权
使用网关zuul过滤器登录鉴权 1.新建一个filter包 filte有很多种 pre.post. 2.新建一个类LoginFilter,实现ZuulFilter,重写 ...
- vue项目中的登录鉴权
用vue做一个简单的登录鉴权功能. 项目目录结构如下: Login 组件 登录成功后做本地存储和store存储,并进行跳转. Login.vue关键代码: async handleLogin(e) { ...
- Go+gRPC-Gateway(V2) 微服务实战,小程序登录鉴权服务(四):客户端强类型约束,自动生成 API TS 类型定义
系列 云原生 API 网关,gRPC-Gateway V2 初探 Go + gRPC-Gateway(V2) 构建微服务实战系列,小程序登录鉴权服务:第一篇 Go + gRPC-Gateway(V2) ...
- Go+gRPC-Gateway(V2) 微服务实战,小程序登录鉴权服务(六):客户端基础库 TS 实战
小程序登录鉴权服务,客户端底层 SDK,登录鉴权.业务请求.鉴权重试模块 Typescript 实战. 系列 云原生 API 网关,gRPC-Gateway V2 初探 Go + gRPC-Gatew ...
- centos7下kubernetes(5。部署kubernetes dashboard)
基于WEB的dashboard,用户可以用kubernetes dashboard部署容器话的应用,监控应用的状态,执行故障排查任务以及管理kubernetes各种资源. 在kubernetes da ...
- [Kubernetes]集群配置免密登录Permission denied (publickey,password) 解决办法
在用ansible部署Kubernetes集群是需要配置免密登录,但是遇到Permission denied (publickey,password)的问题 首先推断可能是sshd_config的配置 ...
随机推荐
- Centos 8 部署harbor 访问502
部署过程不做多说, 部署完之后访问502, 以下可能只是一种情况, 有可能是其它情况导致的503 查看日志 core.log 提示访问数据库被拒绝 贴出解决方案:https://github.com/ ...
- dosbox debugger
通过中断看程序运行过程 最终目的是要找到数据保存位置,如何保存到文件的.
- Iview Table 图片、超链接
columns = [ { title: "照片", key: "attach_url", align:'center', width: 170, render ...
- redis基础-redis事务
学习总结 原文:https://juejin.im/post/5d29ac845188252cc75e2d5c redis事务: redis是否有事务? redis是有事务的.命令如下: Redis事 ...
- APP 监听手机键盘是否弹出
/** * 监听键盘是否弹出 * @param show * @param hide */ export const addEventKeyboardStatus = (show,hide)=> ...
- python的elasticsearch模块
参考 https://www.cnblogs.com/tianzhh/articles/13542239.html
- [picoCTF]Insp3ct0r write up
根据提示,需要检查浏览器上的Web代码(动手翻译一下啦) (漫不经心的瞅瞅页面,curl+UUUUUUU(一只U就行)一下下,微微瞄一瞄,where is flag? fn+f12(或其它)打开源代码 ...
- IntelliJ IDEA常用插件
Mybatis Log Plugin安装好插件后,在Tools工具栏中可以看到安装好的插件,点击即可打开相应窗口,在Debug时,相应的Sql语句即可输出到此窗口,方便查看.此插件相当好用,提升开发效 ...
- 图像主题颜色提取(Median cut)
前言 之前想对图片素材进行分类管理,除了打标签,还有一样是通过主题色进行分类.于是开始寻找能提取主主题色的工具,最后找到了大名鼎鼎的 Leptonica 库,其中就有中位切割算法的实现.下面附上中位切 ...
- 如何搭建属于自己的服务器(Linux7.6版)
从0搭建属于自己的服务器 最近小伙伴推荐的华为云活动,购买服务器相当的划算,本人也是耗费巨资购买了一台2核4G HECS云服务器. 话不多说,在这里给华为云打一个广子,活动力度还是很不错的. 活动详情 ...