部署kubernetes-dashboard并配置ServiceAccount和登录鉴权
"种草" kubernetes-dashboard
Kubernetes Dashboard 是通用的用于管理 Kubernetes 集群的 WebUI面板
kubernetes-dashboard 代码库 readme 中对自己的介绍:
Kubernetes Dashboard is a general purpose, web-based UI for Kubernetes clusters. It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself.
通过这个面板, 可以让我们非常直观看到pod的状态, 创建时间, 标签, 运行在哪个结点等元数据
还能看到容器中定义的环境变量, 挂载的磁盘, liveness和readiness探针等信息
有了这个面板, 不光是pod, 可以对几乎 kubernetes 中的任何资源(前提是当前用户有足够的权限) 查看和管理
再介绍一个这个面板我自己最常用的功能: 重启pod
确实通过命令kubectl rollout restart -n prod deployment mysql-8-0可以实现同样的操作, 不过有了这个面板, 鼠标点点就能完成岂不美哉, 重启前还会弹出确认框提示你是不是确定要重启, 还贴心的把用于重启命令给我们展示出来了, awesome! 再也不怕忘记命令每次都要去google一下文档啦!
这个面板可以使用kubernetes的ServiceAccount来登录鉴权, 对权限控制的粒度可以做到非常细致, 别急, 往下看!
安装部署dashboard
这份文件中, 首先定义了个Namespace -> kubernetes-dashboard, 然后的所有资源都在这个Namespace下;
先看2个Deployment的定义, 分别是kubernetes-dashboard和dashboard-metrics-scraper
点击展开 -> Deployment: kubernetes-dashboard
kind: Deployment
apiVersion: apps/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: kubernetes-dashboard
image: kubernetesui/dashboard:v2.7.0
imagePullPolicy: Always
ports:
- containerPort: 8443
protocol: TCP
args:
- --auto-generate-certificates
- --namespace=kubernetes-dashboard
# 通过nginx-ingress暴露出去, 这里不需要ssl了, 没有这个标志位会导致无法正常登录
- --enable-insecure-login=true
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 2001
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
nodeSelector:
"kubernetes.io/os": linux
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
点击展开 -> Deployment: dashboard-metrics-scraper
kind: Deployment
apiVersion: apps/v1
metadata:
labels:
k8s-app: dashboard-metrics-scraper
name: dashboard-metrics-scraper
namespace: kubernetes-dashboard
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: dashboard-metrics-scraper
template:
metadata:
labels:
k8s-app: dashboard-metrics-scraper
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: dashboard-metrics-scraper
image: kubernetesui/metrics-scraper:v1.0.8
ports:
- containerPort: 8000
protocol: TCP
livenessProbe:
httpGet:
scheme: HTTP
path: /
port: 8000
initialDelaySeconds: 30
timeoutSeconds: 30
volumeMounts:
- mountPath: /tmp
name: tmp-volume
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 2001
serviceAccountName: kubernetes-dashboard
nodeSelector:
"kubernetes.io/os": linux
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
volumes:
- name: tmp-volume
emptyDir: {}
再看ServiceAccount: kubernetes-dashboard; 上面两个Deployment kubernetes-dashboard和dashboard-metrics-scraper 中的容器都绑定到了这个ServiceAccount
点击展开 ServiceAccount: kubernetes-dashboard
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
deployment.yaml中还定义了ClusterRole: kubernetes-dashboard和Role: kubernetes-dashboard, ClusterRole Role中定义了面板所需的权限
ClusterRole和Role的定义
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
rules:
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster", "dashboard-metrics-scraper"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
verbs: ["get"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
rules:
# Allow Metrics Scraper to get metrics from the Metrics server
- apiGroups: ["metrics.k8s.io"]
resources: ["pods", "nodes"]
verbs: ["get", "list", "watch"]
ClusterRole, Role与 前面提到的 ServiceAccount:kubernetes-dashboard 通过 ClusterRoleBinding 和 RoleBinding 绑定到了一起, 就是给 ServiceAccount:kubernetes-dashboard 授权, 让它可以访问集群里的资源
ClusterRoleBinding, RoleBinding 绑定 ServiceAccount 与 ClusterRole, Role
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubernetes-dashboard
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kubernetes-dashboard
最后就是 Service, ConfigMap, 和几个ssl相关的 Secret, 几个 Secret 的定义对我来说是不重要的, 因为上面Deployment容器的启动命令里, 我加上了 --enable-insecure-login=true, 我在外部通过nginx-ingress暴露服务, 配置好了ingress的部分配置ssl, 所里这里就无所谓了
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
ports:
- port: 443
targetPort: 8443
selector:
k8s-app: kubernetes-dashboard
---
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: dashboard-metrics-scraper
name: dashboard-metrics-scraper
namespace: kubernetes-dashboard
spec:
ports:
- port: 8000
targetPort: 8000
selector:
k8s-app: dashboard-metrics-scraper
---
kind: ConfigMap
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-settings
namespace: kubernetes-dashboard
---
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: kubernetes-dashboard
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-csrf
namespace: kubernetes-dashboard
type: Opaque
data:
csrf: ""
---
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-key-holder
namespace: kubernetes-dashboard
type: Opaque
配置Ingress, 向外暴露服务
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: kubernetes-dashboard
name: kubernetes-dashboard-ingress
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/backend-protocol: http
spec:
ingressClassName:
tls:
- hosts:
- <这里填域名>
secretName: <这里填集群内配置好的Secret证书>
rules:
- host: <这里填域名>
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kubernetes-dashboard
port:
number: 80
创建用于登录面板的ServiceAccount
新建account.yaml中定义ServiceAccount并绑定到内置的ClusterRole
定义两个 ServiceAccount 分别是 root 和 readonly
root绑定到内置的ClusterRolecluster-adminreadonly绑定到内置的ClusterRoleviewkubectl get clusterrole可以列表当前集群中已存在的角色
apiVersion: v1
kind: ServiceAccount
metadata:
name: root
namespace: kubernetes-dashboard
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: readonly
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: root
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: root
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: readonly
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects:
- kind: ServiceAccount
name: readonly
namespace: kubernetes-dashboard
kubectl apply -f account.yaml 应用后, root 和 readonly 就创建好了, 然后我们去生成 Token 输入到面板的登录界面中就可以登录了
为 root 生成有效期30天 Token 的命令 kubectl create token --namespace kubernetes-dashboard --duration 2592000s root
用 Token 登录
权限控制
root 账户绑定的角色是内置的 cluster-admin, 可以对集群内的一切资源进行查看或修改, 删除等操作
readonly 账户绑定的角色是内置的 view, 拥有对集群内大部分资源的只读权限
也可以自己新建一个角色, 授予这个新角色某些指定权限, 例如下面的示例, 创建了一个名为 test 的 ClusterRole, 对pods有只读权限, 然后将这个角色与 ServiceAccount 绑定
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: test
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: root-to-test
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: test
subjects:
- kind: ServiceAccount
name: root
namespace: kubernetes-dashboard
部署kubernetes-dashboard并配置ServiceAccount和登录鉴权的更多相关文章
- [原]部署kubernetes dashboard(二)
####################### 以下为声明 ##################### 此文档是之前做笔记在两台机上进行的实践,kubernetes处于不断开发阶段 不能保证每 ...
- 一步步教会你微信小程序的登录鉴权
前言 为了方便小程序应用使用微信登录态进行授权登录,微信小程序提供了登录授权的开放接口.乍一看文档,感觉文档上讲的非常有道理,但是实现起来又真的是摸不着头脑,不知道如何管理和维护登录态.本文就来手把手 ...
- Go+gRPC-Gateway(V2) 微服务实战,小程序登录鉴权服务(五):鉴权 gRPC-Interceptor 拦截器实战
拦截器(gRPC-Interceptor)类似于 Gin 中间件(Middleware),让你在真正调用 RPC 服务前,进行身份认证.参数校验.限流等通用操作. 系列 云原生 API 网关,gRPC ...
- SpringCloud之Zuul过滤器实现登录鉴权实战(十一)
自定义zuul过滤器实现登录鉴权实战 1.新建filter包 2.新建类继承ZuulFilter,重写方法 3.在类顶部加注解@Comment让spring扫描 /** * @author WGR * ...
- 使用网关zuul过滤器登录鉴权
使用网关zuul过滤器登录鉴权 1.新建一个filter包 filte有很多种 pre.post. 2.新建一个类LoginFilter,实现ZuulFilter,重写 ...
- vue项目中的登录鉴权
用vue做一个简单的登录鉴权功能. 项目目录结构如下: Login 组件 登录成功后做本地存储和store存储,并进行跳转. Login.vue关键代码: async handleLogin(e) { ...
- Go+gRPC-Gateway(V2) 微服务实战,小程序登录鉴权服务(四):客户端强类型约束,自动生成 API TS 类型定义
系列 云原生 API 网关,gRPC-Gateway V2 初探 Go + gRPC-Gateway(V2) 构建微服务实战系列,小程序登录鉴权服务:第一篇 Go + gRPC-Gateway(V2) ...
- Go+gRPC-Gateway(V2) 微服务实战,小程序登录鉴权服务(六):客户端基础库 TS 实战
小程序登录鉴权服务,客户端底层 SDK,登录鉴权.业务请求.鉴权重试模块 Typescript 实战. 系列 云原生 API 网关,gRPC-Gateway V2 初探 Go + gRPC-Gatew ...
- centos7下kubernetes(5。部署kubernetes dashboard)
基于WEB的dashboard,用户可以用kubernetes dashboard部署容器话的应用,监控应用的状态,执行故障排查任务以及管理kubernetes各种资源. 在kubernetes da ...
- [Kubernetes]集群配置免密登录Permission denied (publickey,password) 解决办法
在用ansible部署Kubernetes集群是需要配置免密登录,但是遇到Permission denied (publickey,password)的问题 首先推断可能是sshd_config的配置 ...
随机推荐
- Oracle游标或存储过程
/* 方式1:可执行选取代码块允许 */ declare cursor cur_tmp is ( select '' as tmp_status from dual ); begin for tmp_ ...
- Window10设置技巧
1.关闭应用程序上的最近打开文件,效果图 2.固定到"开始"屏幕,效果图 3.任务栏图标太大了
- 【jupyter notebook】配置基于ecs云平台的jupyter notebook远程使用
学校提供了ecs云服务器进行高性能运算 分配到了云主机后想在上面搭好jupyter notebook服务器方便远程使用,在此记录整个流程和遇到的问题 本文档适用于常规的jupyter notebook ...
- 打开配置windos 2016 防火墙 日志
1 点击"开始"或者win+R打开"运行"对话框 键入gpedit.msc
- ERR Client sent AUTH,but no password is set
问题产生原因: 就是Redis服务器没有设置密码,但客户端向其发送了AUTH(authentication,身份验证)请求携带着密码,导致报错. 既然是没有设置密码导致的报错,那我们就把Redis服务 ...
- 记安装MySQL数据库
记录一次自己动手安装MySQL数据库所踩的坑 MySQL安装包与操作系统匹配 安装包有amd和Intel,32位.64位多种组合需要确认仔细使用者操作系统和CPU型号 例如我使用的是CentOS ...
- 网络存储服务ip-san搭建
网络存储服务ip-san搭建 ip-san简称SAN(Storage Area Network),中文意思存储局域网络,ip- ...
- C/C++ 数据结构顺序栈的基本操作实现
#include <iostream> #include <Windows.h> using namespace std; #define MAXSIZE 6 //顺序栈的实现 ...
- Codeforces Round #808 (Div. 2)
Codeforces Round #808 (Div. 2) 传送门:https://codeforces.com/contest/1708 错过了,第二天vp的,只写出了AB就卡C了,竟然看不出是贪 ...
- ReentrantLock源码阅读
默认构造方法初始化同步器为非公平同步器 /** * Creates an instance of {@code ReentrantLock}. * This is equivalent to usin ...