Dashboard overview
GitHub address
Dashboard is the web GUI for Kubernetes. It can be used to deploy containerized applications on a Kubernetes cluster, troubleshoot applications, and manage the cluster itself and its attached resources. It is commonly used for a quick overview of the cluster and its applications, for creating or modifying individual resources (such as Deployments, Jobs and DaemonSets), and for scaling a Deployment, starting a rolling update, restarting a Pod, or deploying an application with the deployment wizard.
Authentication and authorization for Dashboard are both implemented by the Kubernetes cluster. Dashboard itself is only a proxy: every operation is forwarded to the API Server rather than performed by Dashboard, so what a user can do in the Dashboard UI is exactly what the credential they log in with is allowed to do at the API Server. Currently only two authentication methods are supported, token authentication and kubeconfig, and the corresponding credential must be prepared before access.
Dashboard deployment
The image used, k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1, is hosted abroad and cannot be pulled from here, so either of the following two mirrors can be used instead:
# docker pull mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1
or
# docker pull blwy/kubernetes-dashboard-amd64:v1.10.1
1) Download the resource manifest locally and edit the image it uses
[root@k8s-master ~]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
2) Change the image address
[root@k8s-master ~]# vim kubernetes-dashboard.yaml
......
spec:
  containers:
  - name: kubernetes-dashboard
    image: blwy/kubernetes-dashboard-amd64:v1.10.1   # change the image to an address that can actually be pulled
    ports:
......
3) Deploy
[root@k8s-master ~]# kubectl apply -f kubernetes-dashboard.yaml
secret/kubernetes-dashboard-certs created
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created
[root@k8s-master ~]# kubectl get pods -n kube-system
NAME                                  READY   STATUS    RESTARTS   AGE
coredns-bccdc95cf-9gsn8               1/1     Running   0          10d
coredns-bccdc95cf-x7m8g               1/1     Running   0          10d
etcd-k8s-master                       1/1     Running   0          10d
kube-apiserver-k8s-master             1/1     Running   0          10d
kube-controller-manager-k8s-master    1/1     Running   0          10d
kube-flannel-ds-amd64-gg55s           1/1     Running   0          10d
kube-flannel-ds-amd64-ssr7j           1/1     Running   5          10d
kube-flannel-ds-amd64-w6f9h           1/1     Running   4          10d
kube-proxy-77pbc                      1/1     Running   3          10d
kube-proxy-qs655                      1/1     Running   3          10d
kube-proxy-xffq4                      1/1     Running   0          10d
kube-scheduler-k8s-master             1/1     Running   0          10d
kubernetes-dashboard-d977fcf6-d25xz   1/1     Running   0          4s
4) Check the svc and change its type to NodePort
[root@k8s-master ~]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                  AGE
kube-dns               ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP,9153/TCP   9d
kubernetes-dashboard   ClusterIP   10.99.151.238   <none>        443/TCP                  7m25s
# The type can be changed directly with a patch, as below:
[root@k8s-master ~]# kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
service/kubernetes-dashboard patched
[root@k8s-master ~]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                  AGE
kube-dns               ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP,9153/TCP   9d
kubernetes-dashboard   NodePort    10.99.151.238   <none>        443:32058/TCP            8m45s
# Or edit the resource manifest and change the type to NodePort there:
[root@k8s-master ~]# vim kubernetes-dashboard.yaml
......
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  type: NodePort   # add the NodePort type here
Open https://192.168.1.31:32058 in a browser, as shown in the screenshot below. Firefox is recommended; add a trust exception in its advanced options, because Chrome refuses access over a certificate it does not trust.

Token authentication
Cluster-level management operations depend on cluster administrator privileges. For example, the built-in cluster-admin ClusterRole holds all permissions: creating a ServiceAccount and binding it to that role completes the cluster administrator authorization, and a user who authenticates to Dashboard with that ServiceAccount's token can then act as a cluster administrator in the Dashboard UI. As an example, the following creates a ServiceAccount named dashboard-admin and completes the cluster role binding:
1) Create the serviceaccount resource
[root@k8s-master ~]# kubectl create serviceaccount dashboard-admin -n kube-system
serviceaccount/dashboard-admin created
[root@k8s-master ~]# kubectl get sa/dashboard-admin -n kube-system
NAME              SECRETS   AGE
dashboard-admin   1         15s
2) Create a clusterrolebinding that binds the cluster-admin role to the serviceaccount resource (dashboard-admin)
[root@k8s-master ~]# kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created
[root@k8s-master ~]# kubectl describe clusterrolebinding/dashboard-admin   # view the binding
Name:         dashboard-admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind            Name             Namespace
  ----            ----             ---------
  ServiceAccount  dashboard-admin  kube-system
3) Get the token value and log in with it
[root@k8s-master ~]# ADMIN_SECRET=$(kubectl -n kube-system get secret |awk '/^dashboard-admin/{print $1}')   # get the name of the secret generated for the dashboard-admin created above
[root@k8s-master ~]# kubectl describe secrets $ADMIN_SECRET -n kube-system |grep ^token   # get the token value from that secret
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.[...].xVHNDKiU7n8fvfN8_5RF3Z6Ppxl-ULk-zYfWywPktJ6mVgtgm4tnAX9_n8zpzHhff1tD4y04Ra7OKvnJTypkI78ELHqggrQxNLggfpbdrWnIif2qIqEbIv5Hay3s4UeOqU2p6Kex4v7UUVtdo781W4rNi7DP2yXKfV5YSTeu6ZMTQiMa3H-O6y-y4sH_ISi_UwiAtHALTJ_OX-j9BzsFIUBhryKnGbOK4ygVmlTA2tWFe8TDUI6xCTjEKSRId3iL_TpKg-uXc652JHnQPYH2ZErojWCbwGR6IqeRTH4kMlAfjvDIeDdT6sSNyjJONpgJQpdYtaGzQiHgE2CW2_q4zQ
Enter the token obtained above to log in.


Kubeconfig authentication
A kubeconfig is a carrier for authentication information: it can persistently store keys and certificates, or authentication tokens, as the user's authentication configuration file. To show how to configure a login account that only has management rights in one specific namespace, a new ServiceAccount is created here to manage the default namespace, and it is bound to the admin ClusterRole.
1) Create the serviceaccount resource
[root@k8s-master ~]# kubectl create serviceaccount def-ns-admin -n default   # create the sa resource def-ns-admin
serviceaccount/def-ns-admin created
[root@k8s-master ~]# kubectl get sa/def-ns-admin -n default   # check the sa resource just created
NAME           SECRETS   AGE
def-ns-admin   1         19s
2) Create a rolebinding that binds the serviceaccount created above to the admin ClusterRole (a RoleBinding confines the ClusterRole's permissions to the namespace the binding lives in, here default)
[root@k8s-master ~]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin
rolebinding.rbac.authorization.k8s.io/def-ns-admin created
[root@k8s-master ~]# kubectl get secret |grep def-ns   # check the generated secret
def-ns-admin-token-m2ct6   kubernetes.io/service-account-token   3      106s
[root@k8s-master ~]# kubectl describe secret/def-ns-admin-token-m2ct6   # view the secret's details
Name:         def-ns-admin-token-m2ct6
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: def-ns-admin
              kubernetes.io/service-account.uid: f824dbcd-d661-4776-993a-921042f7e196

Type:  kubernetes.io/service-account-token

Data
====
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1tMmN0NiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJmODI0ZGJjZC1kNjYxLTQ3NzYtOTkzYS05MjEwNDJmN2UxOTYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.U72TWqg3pd-zJgd0QsoYysbNm4rf8rPtEvNBDoVRpRnuX_NkJPtSniAdEIw-g_RjZXNhWHjOXOUmlQ1HwXu0FO3d_j0g6S3dX5BlEA4uPeNskgTH83T7g2BoI3XazAzLKtfGPUuOPk9F2IQQvp3m93x-D1BETOp4ga-R4CMQdVZBUl4XWqFpDxJ47pCsK_VrvP3g7LJpzJk9dnwr2i4-3ysLFwZ84x07Kbcw-1ED8jMh8LNpUGPnevpKntqwo9ghCDVN-oPdPGcXlvxrc9enDu_7gIb2H_fJbMWS_vH1pQX8SoYDhneW2gkVKg2RaW1QaF4TrcdUAabcCcfoqdiCxg
ca.crt:     1025 bytes
3) Initialize the cluster information: provide the API Server URL and the CA certificate used to verify the API Server's certificate
[root@k8s-master ~]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server="https://192.168.1.31:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf
Cluster "kubernetes" set.
[root@k8s-master ~]# kubectl config view --kubeconfig=/root/def-ns-admin.conf   # view the generated config file
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.1.31:6443
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
4) Get def-ns-admin's token and use it as the credential. The token read directly from the secret is base64-encoded, so decode it with the base64 -d command
[root@k8s-master ~]# kubectl get secret -n default
NAME                       TYPE                                  DATA   AGE
admin-token-lc826          kubernetes.io/service-account-token   3      16d
def-ns-admin-token-m2ct6   kubernetes.io/service-account-token   3      12m
[root@k8s-master ~]# kubectl -n default get secret/def-ns-admin-token-m2ct6 -o jsonpath={.data.token} |base64 -d   # get the token and decode it
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1tMmN0NiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJmODI0ZGJjZC1kNjYxLTQ3NzYtOTkzYS05MjEwNDJmN2UxOTYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.U72TWqg3pd-zJgd0QsoYysbNm4rf8rPtEvNBDoVRpRnuX_NkJPtSniAdEIw-g_RjZXNhWHjOXOUmlQ1HwXu0FO3d_j0g6S3dX5BlEA4uPeNskgTH83T7g2BoI3XazAzLKtfGPUuOPk9F2IQQvp3m93x-D1BETOp4ga-R4CMQdVZBUl4XWqFpDxJ47pCsK_VrvP3g7LJpzJk9dnwr2i4-3ysLFwZ84x07Kbcw-1ED8jMh8LNpUGPnevpKntqwo9ghCDVN-oPdPGcXlvxrc9enDu_7gIb2H_fJbMWS_vH1pQX8SoYDhneW2gkVKg2RaW1QaF4TrcdUAabcCcfoqdiCxg
[root@k8s-master ~]# DEFNS_ADMIN_TOKEN=$(kubectl -n default get secret/def-ns-admin-token-m2ct6 -o jsonpath={.data.token} |base64 -d)   # save the token in a variable for easy reuse
[root@k8s-master ~]# kubectl config set-credentials def-ns-admin --token=$DEFNS_ADMIN_TOKEN --kubeconfig=/root/def-ns-admin.conf
User "def-ns-admin" set.
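Before a token is written into a kubeconfig (step 4 here, or the dashboard-admin token from the token-authentication section), it is worth checking which ServiceAccount and namespace it was actually issued to. The following is an added example, not code from the original post: it reproduces the base64 -d step on a constructed secret value and then reads the JWT claims without verifying them. The sample token, its claims and its placeholder signature are constructed here; they are not the page's token.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    # JWT segments use unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample token. The claims mirror what a legacy secret-based
# ServiceAccount token carries; the signature is a placeholder, not a real one.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "def-ns-admin-token-m2ct6",
    "kubernetes.io/serviceaccount/service-account.name": "def-ns-admin",
    "sub": "system:serviceaccount:default:def-ns-admin",
}
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","kid":""}'),
    _b64url(json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode()),
    _b64url(b"placeholder-signature"),
])
# What `.data.token` of the secret holds: the JWT, base64-encoded once more
SAMPLE_SECRET_DATA = base64.b64encode(SAMPLE_TOKEN.encode()).decode()

def token_from_secret(secret_data_token: str) -> str:
    """Same as `kubectl get secret ... -o jsonpath={.data.token} | base64 -d`."""
    return base64.b64decode(secret_data_token).decode()

def sa_token_claims(token: str) -> dict:
    """Decode the JWT payload. The signature is NOT verified here; only the
    API server, which holds the signing key, can do that."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_matches(token: str, namespace: str, sa_name: str) -> bool:
    """True if the token was issued to sa_name in namespace. Run this before
    `kubectl config set-credentials` so the cluster-admin token from the
    first section is never pasted into the namespace-scoped kubeconfig."""
    c = sa_token_claims(token)
    return (c.get("kubernetes.io/serviceaccount/namespace") == namespace
            and c.get("kubernetes.io/serviceaccount/service-account.name") == sa_name
            and c.get("sub") == f"system:serviceaccount:{namespace}:{sa_name}")

if __name__ == "__main__":
    tok = token_from_secret(SAMPLE_SECRET_DATA)
    print(json.dumps(sa_token_claims(tok), indent=2))
    print("def-ns-admin in default:", token_matches(tok, "default", "def-ns-admin"))
```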
5) Set up the context list: define a context named def-ns-admin@kubernetes that ties the def-ns-admin user to the kubernetes cluster
[root@k8s-master ~]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf Context "def-ns-admin@kubernetes" created.
6) Finally, set the context to use to the def-ns-admin@kubernetes context defined above
[root@k8s-master ~]# kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf
[root@k8s-master ~]# kubectl config view --kubeconfig=/root/def-ns-admin.conf   # view the final config file
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.1.31:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: def-ns-admin
  name: def-ns-admin@kubernetes
current-context: def-ns-admin@kubernetes
kind: Config
preferences: {}
users:
- name: def-ns-admin
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1tMmN0NiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJmODI0ZGJjZC1kNjYxLTQ3NzYtOTkzYS05MjEwNDJmN2UxOTYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.U72TWqg3pd-zJgd0QsoYysbNm4rf8rPtEvNBDoVRpRnuX_NkJPtSniAdEIw-g_RjZXNhWHjOXOUmlQ1HwXu0FO3d_j0g6S3dX5BlEA4uPeNskgTH83T7g2BoI3XazAzLKtfGPUuOPk9F2IQQvp3m93x-D1BETOp4ga-R4CMQdVZBUl4XWqFpDxJ47pCsK_VrvP3g7LJpzJk9dnwr2i4-3ysLFwZ84x07Kbcw-1ED8jMh8LNpUGPnevpKntqwo9ghCDVN-oPdPGcXlvxrc9enDu_7gIb2H_fJbMWS_vH1pQX8SoYDhneW2gkVKg2RaW1QaF4TrcdUAabcCcfoqdiCxg
7) Save this configuration file on the client and log in by loading it. The file carries the ServiceAccount's bearer token, so it should be readable only by its owner.
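As an added example that is not part of the original post, the following Python builds the same kubeconfig structure that steps 3 to 6 produce with kubectl config, and checks the things that matter before the file is copied to a client in step 7. The CA PEM and token in it are constructed placeholders, not the page's values.

```python
import base64

# Constructed placeholders; neither is the page's CA certificate or token.
FAKE_CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
FAKE_TOKEN = "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.e30.placeholder-signature"

def build_kubeconfig(server, ca_pem, user, token, cluster="kubernetes"):
    """Produces the same structure as the page's four kubectl config commands:
    set-cluster --embed-certs=true, set-credentials --token, set-context, use-context."""
    context = f"{user}@{cluster}"
    return {
        "apiVersion": "v1", "kind": "Config", "preferences": {},
        "clusters": [{"name": cluster, "cluster": {
            "server": server,
            "certificate-authority-data": base64.b64encode(ca_pem).decode()}}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": context, "context": {"cluster": cluster, "user": user}}],
        "current-context": context,
    }

def kubeconfig_problems(cfg: dict) -> list:
    """Checks that matter before copying the file to a client (step 7):
    the current context must resolve, the API server must be https with
    its CA embedded (a CA *path* only exists on the master), and TLS
    verification must not be switched off."""
    clusters = {c["name"]: c["cluster"] for c in cfg.get("clusters", [])}
    users = {u["name"]: u["user"] for u in cfg.get("users", [])}
    contexts = {c["name"]: c["context"] for c in cfg.get("contexts", [])}
    problems = []
    ctx = contexts.get(cfg.get("current-context"))
    if ctx is None:
        return [f"current-context {cfg.get('current-context')!r} is not defined"]
    cl = clusters.get(ctx.get("cluster"))
    if cl is None:
        problems.append(f"unknown cluster {ctx.get('cluster')!r}")
    else:
        if not str(cl.get("server", "")).startswith("https://"):
            problems.append("server is not https")
        if "certificate-authority-data" not in cl:
            problems.append("CA not embedded; use --embed-certs=true")
        if cl.get("insecure-skip-tls-verify"):
            problems.append("insecure-skip-tls-verify is set")
    if ctx.get("user") not in users:
        problems.append(f"unknown user {ctx.get('user')!r}")
    return problems

if __name__ == "__main__":
    cfg = build_kubeconfig("https://192.168.1.31:6443", FAKE_CA_PEM, "def-ns-admin", FAKE_TOKEN)
    print(kubeconfig_problems(cfg) or "kubeconfig OK")
```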


Testing shows that the def-ns-admin user, once logged in, can only see the contents of the default namespace and can only manage resources in the default namespace.
Please credit the source when reposting. Link to this article: https://www.uj5u.com/qita/55413.html
