Kubernetes Dashboard 设置用户密码登陆

2023年 5月 4日 90.8k 0

k8s默认dashboard使用的是token认证,比较麻烦不方便记忆。我们可以配置一个用户密码用于登陆k8s dashboard界面
Kubernetes Dashboard 设置用户密码登陆
2021年1月24日

仪表板是基于Web的Kubernetes用户界面。您可以使用仪表板将容器化应用程序部署到Kubernetes集群,对容器化应用程序进行故障排除,并管理集群本身及其伴随资源。您可以使用仪表板来概述群集上运行的应用程序,以及创建或修改单个Kubernetes资源(例如部署,作业,守护进程等)。例如,您可以使用部署向导扩展部署,启动滚动更新,重新启动Pod或部署新应用程序。

本次文档测试版本1.15,目前从v1.11-v1.20版本都可以进行使用,二进制安装参考我这个就可以,kubeadm请参考下面的配置

image_1dba6f63e1u87mic7sp10kma953n.png-47.8kB

默认Kubernetes UI界面是使用token登陆,但是由于token相比较麻烦。我们这里使用密码登陆

适用于以下环境

  • Kubernetes 二进制安装
  • Kubeadm
  • Dashboard搭建

    创建命名空间

    [root@k8s-01 dashboard]# kubectl create ns kubernetes-dashboard
    

    创建Dashboard rbac文件

    [root@k8s-01 dashboard]# kubectl apply -f http://down.i4t.com/rbac-dashboard.yaml
    clusterrolebinding.rbac.authorization.k8s.io/admin created
    serviceaccount/admin created
    

    创建dashboard

    [root@k8s-01 dashboard]# kubectl apply -f http://down.i4t.com/dashboard-k8s.yaml
    

    查看pod和svc

    [root@k8s-01 dashboard]# kubectl get pod,svc -n kubernetes-dashboard 
    NAME                                             READY   STATUS    RESTARTS   AGE
    pod/dashboard-metrics-scraper-78f5d9f487-xs9hj   1/1     Running   0          25s
    pod/kubernetes-dashboard-54445cdd96-9qbxt        1/1     Running   0          25s
    
    NAME                                TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
    service/dashboard-metrics-scraper   ClusterIP   10.102.198.67            8000/TCP        25s
    service/kubernetes-dashboard        NodePort    10.110.102.186           443:30000/TCP   26s
    

    查看secret

    [root@k8s-01 dashboard]# kubectl -n kube-system get secret|grep admin-token
    admin-token-ftpp5                                kubernetes.io/service-account-token   3      16m
    

    获取token

    [root@k8s-01 dashboard]#  kubectl -n kube-system get secret admin-token-ftpp5 -o jsonpath={.data.token}|base64 -d
    eyJhbGciOiJSUzI1NiIsImtpZCI6Ikp4OS1oTzdRWW5ZOV9ianlma3ZhUkJfTndQclhQOWRrNEdSc19KM09NM00ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi1mdHBwNSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImMzYWVlMmQ1LTcwYzEtNGZiYi04ODE0LTc3MjllMmNhY2UwOSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.XvNLLc8MXYcEW8yzW9aKyqUFEMf3vuvhbML4Fk_34RuD8980ZRRoqgEjW4usWEMvh7ftdxKo4fnz6tJjAfF0WgAF7E8VnS2Cyt_nC6irjQbd61rmdf42qPtSCrgwlhLfCjpse9N_iEvPhXp_1J-sN0aSi3lsjr4qSHhLzNZphwW6LvWO0EGVoubQyfEjKvIWaXTtqS1xxVkl-NcAqX1HIlUJqErLyAnwimQVqu-xb5K--mkCsHlMbyFV4lXtFDM5akctd92w-wnIh_uLoo1srzD-j8CvVmF0u2046mBI-d47-hVMrBy-eU_qi_gP5_TPafoJUy4u6icSjBzL5JzpgQ
    

    访问测试image.pngimage.png

    接下来进行修改账号密码登录

    一、二进制Kubernetes搭建修改

    1.首先确保K8S集群内部一切正常

    [root@i4t ~]# kubectl get node
    NAME                   STATUS   ROLES    AGE   VERSION
    yzsjhl82-138.opi.com   Ready       22h   v1.13.5
    yzsjhl82-139.opi.com   Ready       22h   v1.13.5
    yzsjhl82-140.opi.com   Ready       22h   v1.13.5
    yzsjhl82-142.opi.com   Ready       22h   v1.13.5
    
    [root@i4t ~]# kubectl get pod --all-namespaces
    NAMESPACE     NAME                          READY   STATUS    RESTARTS   AGE
    default       busybox                       1/1     Running   23         22h
    kube-system   coredns-d7964c8db-2t8wl       1/1     Running   1          22h
    kube-system   coredns-d7964c8db-sbztp       1/1     Running   1          22h
    kube-system   kube-flannel-ds-amd64-cv5hx   1/1     Running   2          22h
    kube-system   kube-flannel-ds-amd64-f2f7x   1/1     Running   2          22h
    kube-system   kube-flannel-ds-amd64-vmm74   1/1     Running   2          22h
    kube-system   kube-flannel-ds-amd64-zgfmq   1/1     Running   1          22h
    

    2.配置首先需要说明一点,默认kubernetes Dashboard是需要token登陆。不方便登记,我们可以让dashboard使用用户密码验证登陆
    image_1dba4dg9m19p8bed1qgi1km28hf9.png-69.3kB
    需要注意几点

  • 修改apiserver
  • 创建用户密码文件
  • 创建yaml文件
  • [一] 在master上节点上创建文件(用户密码文件)

    cat /etc/kubernetes/basic_auth_file
    admin,admin,1
    cyh,cyh,2
    
    #前面为用户,后面为密码,数字为用户ID不可重复,经过测试账号密码要相同
    

    [二] 在所有master的apiserver启动文件添加一行配置

    vim /etc/systemd/system/kube-apiserver.service
    
    --basic-auth-file=/etc/kubernetes/basic_auth_file 
    #启动路径可能不一样,请安装实际情况进行修改
    #添加完毕后重启api-server
    

    这里需要说明,以上操作在所有master上执行,在所有节点操作是为了防止有pod飘到非master节点,当然也可以做pod亲和力

    [三]创建yaml文件

    wget http://down.i4t.com/k8s-passwd-dashboard.yaml| kubectl apply -f k8s-passwd-dashboard.yaml
    
    #创建绑定,将用户和权限绑定
    kubectl create clusterrolebinding  login-on-dashboard-with-cluster-admin  --clusterrole=cluster-admin --user=admin
    

    为了防止地址失效,我这里在手动cp一份

    # ------------------- Dashboard Secret ------------------- #
    apiVersion: v1
    kind: Secret
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard-certs
      namespace: kube-system
    type: Opaque
    
    ---
    # ------------------- Dashboard Service Account ------------------- #
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kube-system
    
    ---
    # ------------------- Dashboard Role & Role Binding ------------------- #
    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: kubernetes-dashboard-minimal
      namespace: kube-system
    rules:
      # Allow Dashboard to create 'kubernetes-dashboard2-key-holder' secret.
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["create"]
      # Allow Dashboard to create 'kubernetes-dashboard2-settings' config map.
    - apiGroups: [""]
      resources: ["configmaps"]
      verbs: ["create"]
      # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
    - apiGroups: [""]
      resources: ["secrets"]
      resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
      verbs: ["get", "update", "delete"]
      # Allow Dashboard to get and update 'kubernetes-dashboard2-settings' config map.
    - apiGroups: [""]
      resources: ["configmaps"]
      resourceNames: ["kubernetes-dashboard-settings"]
      verbs: ["get", "update"]
      # Allow Dashboard to get metrics from heapster.
    - apiGroups: [""]
      resources: ["services"]
      resourceNames: ["heapster"]
      verbs: ["proxy"]
    - apiGroups: [""]
      resources: ["services/proxy"]
      resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
      verbs: ["get"]
    
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: kubernetes-dashboard-minimal
      namespace: kube-system
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: kubernetes-dashboard-minimal
    subjects:
    - kind: ServiceAccount
      name: kubernetes-dashboard
      namespace: kube-system
    
    ---
    # ------------------- Dashboard Deployment ------------------- #
    kind: Deployment
    apiVersion: apps/v1beta2
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kube-system
    spec:
      replicas: 1
      revisionHistoryLimit: 10
      selector:
        matchLabels:
          k8s-app: kubernetes-dashboard
      template:
        metadata:
          labels:
            k8s-app: kubernetes-dashboard
        spec:
          containers:
          - name: kubernetes-dashboard
            image: mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.8.3
            ports:
            - containerPort: 8443
              protocol: TCP
            args:
              - --auto-generate-certificates
              - --authentication-mode=basic
              # Uncomment the following line to manually specify Kubernetes API server Host
              # If not specified, Dashboard will attempt to auto discover the API server and connect
              # to it. Uncomment only if the default does not work.
              # - --apiserver-host=http://my-address:port
            volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
            livenessProbe:
              httpGet:
                scheme: HTTPS
                path: /
                port: 8443
              initialDelaySeconds: 30
              timeoutSeconds: 30
          volumes:
          - name: kubernetes-dashboard-certs
            secret:
              secretName: kubernetes-dashboard-certs
          - name: tmp-volume
            emptyDir: {}
          serviceAccountName: kubernetes-dashboard
          # Comment the following tolerations if Dashboard must not be deployed on master
          tolerations:
          - key: node-role.kubernetes.io/master
            effect: NoSchedule
    
    ---
    # ------------------- Dashboard Service ------------------- #
    
    kind: Service
    apiVersion: v1
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kube-system
    spec:
      type: NodePort
      ports:
        - port: 80
          targetPort: 8443
          nodePort: 30000
      selector:
        k8s-app: kubernetes-dashboard
    

    我们可以用过下面命令进行检查kubectl get pod,svc -n kube-systemui.png-296.6kB
    这里要说一点,我这里的镜像使用的是v1.8.3如果觉得版本低可以更高版本的。1
    访问dashboard界面
    由于没有ingress,使用的是IP访问。所以会提示我们证书不安全,我们这里点击忽略直接访问。个别浏览器会造成打不开的,建议使用火狐
    访问地址:https://master-IP:30000

    在任意一台master上访问即可

    3.png-223.7kB
    这里需要我们输入api-server指定的文件里面的账号密码

    跳过是没有权限查看k8s里面所有的信息

    image_1dba6516pomk191eenjeg31js22l.png-85.2kB
    4.png-450.2kB

    二、Kubeadm 环境配置

    在所有的master节点配置用户名密码

    echo "admin,admin,1" > /etc/kubernetes/pki/basic_auth_file
    

    修改所有apiserver

    vim /etc/kubernetes/manifests/kube-apiserver.yaml
    
    #添加下面参数  (spec.containers.command下添加)
        - --basic-auth-file=/etc/kubernetes/pki/basic_auth_file
    #注意格式
    

    修改完毕后api server会自动重启,等待重启成功我们访问dashboard即可

    [root@k8s-01 dashboard]# kubectl get pod -n kube-system |grep apiserver
    kube-apiserver-k8s-01            1/1     Running   0          24s
    kube-apiserver-k8s-02            1/1     Running   0          44s
    kube-apiserver-k8s-03            1/1     Running   0          50s
    

    apiserver重启完毕后,添加dashboard Deployment配置

              args:
                - --auto-generate-certificates
                - --namespace=kubernetes-dashboard
                - --token-ttl=21600 #新增行 单位秒
                - --authentication-mode=basic #新增行
    

    也可以使用我提供的yaml,直接创建

    kubectl apply -f http://down.i4t.com/dashboard-login.yaml
    

    创建集群admin角色绑定 (否则无法登陆Dashboard)

    kubectl create clusterrolebinding login-on-dashboard-with-cluster-admin --clusterrole=cluster-admin --user=admin
    

    查看绑定

    [root@k8s-01 dashboard]# kubectl get clusterrolebinding login-on-dashboard-with-cluster-admin
    NAME                                    ROLE                        AGE
    login-on-dashboard-with-cluster-admin   ClusterRole/cluster-admin   2m23s
    

    创建

    [root@k8s-01 dashboard]# kubectl apply -f k8s-dashboard.yaml 
    namespace/kubernetes-dashboard unchanged
    serviceaccount/kubernetes-dashboard unchanged
    service/kubernetes-dashboard unchanged
    secret/kubernetes-dashboard-certs unchanged
    secret/kubernetes-dashboard-csrf configured
    Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
    secret/kubernetes-dashboard-key-holder configured
    configmap/kubernetes-dashboard-settings unchanged
    role.rbac.authorization.k8s.io/kubernetes-dashboard unchanged
    clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard unchanged
    rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard unchanged
    clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard unchanged
    deployment.apps/kubernetes-dashboard configured
    service/dashboard-metrics-scraper unchanged
    deployment.apps/dashboard-metrics-scraper unchanged
    

    image.png

    相关文章:

    1. Kubernetes 1.14 二进制集群安装
    2. Kubenetes 1.13.5 集群二进制安装
    3. Kuerbernetes 1.11 集群二进制安装
    4. kubeadm部署k8s集群

    相关文章

    KubeSphere 部署向量数据库 Milvus 实战指南
    探索 Kubernetes 持久化存储之 Longhorn 初窥门径
    征服 Docker 镜像访问限制!KubeSphere v3.4.1 成功部署全攻略
    那些年在 Terraform 上吃到的糖和踩过的坑
    无需 Kubernetes 测试 Kubernetes 网络实现
    Kubernetes v1.31 中的移除和主要变更

    发布评论