Kubernetes Dashboard 设置用户密码登陆
k8s默认dashboard使用的是token认证,比较麻烦不方便记忆。我们可以配置一个用户密码用于登陆k8s dashboard界面
Kubernetes Dashboard 设置用户密码登陆
2021年1月24日
仪表板是基于Web的Kubernetes用户界面。您可以使用仪表板将容器化应用程序部署到Kubernetes集群,对容器化应用程序进行故障排除,并管理集群本身及其伴随资源。您可以使用仪表板来概述群集上运行的应用程序,以及创建或修改单个Kubernetes资源(例如部署,作业,守护进程等)。例如,您可以使用部署向导扩展部署,启动滚动更新,重新启动Pod或部署新应用程序。
本次文档测试版本1.15,目前从v1.11-v1.20版本都可以进行使用,二进制安装参考我这个就可以,kubeadm请参考下面的配置
默认Kubernetes UI界面是使用token登陆,但是由于token相比较麻烦。我们这里使用密码登陆
适用于以下环境
Dashboard搭建
创建命名空间
[root@k8s-01 dashboard]# kubectl create ns kubernetes-dashboard
创建Dashboard rbac文件
[root@k8s-01 dashboard]# kubectl apply -f http://down.i4t.com/rbac-dashboard.yaml clusterrolebinding.rbac.authorization.k8s.io/admin created serviceaccount/admin created
创建dashboard
[root@k8s-01 dashboard]# kubectl apply -f http://down.i4t.com/dashboard-k8s.yaml
查看pod和svc
[root@k8s-01 dashboard]# kubectl get pod,svc -n kubernetes-dashboard NAME READY STATUS RESTARTS AGE pod/dashboard-metrics-scraper-78f5d9f487-xs9hj 1/1 Running 0 25s pod/kubernetes-dashboard-54445cdd96-9qbxt 1/1 Running 0 25s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/dashboard-metrics-scraper ClusterIP 10.102.198.67 8000/TCP 25s service/kubernetes-dashboard NodePort 10.110.102.186 443:30000/TCP 26s
查看secret
[root@k8s-01 dashboard]# kubectl -n kube-system get secret|grep admin-token admin-token-ftpp5 kubernetes.io/service-account-token 3 16m
获取token
[root@k8s-01 dashboard]# kubectl -n kube-system get secret admin-token-ftpp5 -o jsonpath={.data.token}|base64 -d
eyJhbGciOiJSUzI1NiIsImtpZCI6Ikp4OS1oTzdRWW5ZOV9ianlma3ZhUkJfTndQclhQOWRrNEdSc19KM09NM00ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi1mdHBwNSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImMzYWVlMmQ1LTcwYzEtNGZiYi04ODE0LTc3MjllMmNhY2UwOSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.XvNLLc8MXYcEW8yzW9aKyqUFEMf3vuvhbML4Fk_34RuD8980ZRRoqgEjW4usWEMvh7ftdxKo4fnz6tJjAfF0WgAF7E8VnS2Cyt_nC6irjQbd61rmdf42qPtSCrgwlhLfCjpse9N_iEvPhXp_1J-sN0aSi3lsjr4qSHhLzNZphwW6LvWO0EGVoubQyfEjKvIWaXTtqS1xxVkl-NcAqX1HIlUJqErLyAnwimQVqu-xb5K--mkCsHlMbyFV4lXtFDM5akctd92w-wnIh_uLoo1srzD-j8CvVmF0u2046mBI-d47-hVMrBy-eU_qi_gP5_TPafoJUy4u6icSjBzL5JzpgQ
访问测试
接下来进行修改账号密码登录
一、二进制Kubernetes搭建修改
1.首先确保K8S集群内部一切正常
[root@i4t ~]# kubectl get node NAME STATUS ROLES AGE VERSION yzsjhl82-138.opi.com Ready 22h v1.13.5 yzsjhl82-139.opi.com Ready 22h v1.13.5 yzsjhl82-140.opi.com Ready 22h v1.13.5 yzsjhl82-142.opi.com Ready 22h v1.13.5 [root@i4t ~]# kubectl get pod --all-namespaces NAMESPACE NAME READY STATUS RESTARTS AGE default busybox 1/1 Running 23 22h kube-system coredns-d7964c8db-2t8wl 1/1 Running 1 22h kube-system coredns-d7964c8db-sbztp 1/1 Running 1 22h kube-system kube-flannel-ds-amd64-cv5hx 1/1 Running 2 22h kube-system kube-flannel-ds-amd64-f2f7x 1/1 Running 2 22h kube-system kube-flannel-ds-amd64-vmm74 1/1 Running 2 22h kube-system kube-flannel-ds-amd64-zgfmq 1/1 Running 1 22h
2.配置首先需要说明一点,默认kubernetes Dashboard是需要token登陆。不方便登记,我们可以让dashboard使用用户密码验证登陆
需要注意几点
[一] 在master上节点上创建文件(用户密码文件)
cat /etc/kubernetes/basic_auth_file admin,admin,1 cyh,cyh,2 #前面为用户,后面为密码,数字为用户ID不可重复,经过测试账号密码要相同
[二] 在所有master的apiserver启动文件添加一行配置
vim /etc/systemd/system/kube-apiserver.service --basic-auth-file=/etc/kubernetes/basic_auth_file #启动路径可能不一样,请安装实际情况进行修改 #添加完毕后重启api-server
这里需要说明,以上操作在所有master上执行,在所有节点操作是为了防止有pod飘到非master节点,当然也可以做pod亲和力
[三]创建yaml文件
wget http://down.i4t.com/k8s-passwd-dashboard.yaml| kubectl apply -f k8s-passwd-dashboard.yaml #创建绑定,将用户和权限绑定 kubectl create clusterrolebinding login-on-dashboard-with-cluster-admin --clusterrole=cluster-admin --user=admin
为了防止地址失效,我这里在手动cp一份
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: kube-system
type: Opaque
---
1. ------------------- Dashboard Service Account ------------------- #
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
---
1. ------------------- Dashboard Role & Role Binding ------------------- #
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
rules:
1. Allow Dashboard to create 'kubernetes-dashboard2-key-holder' secret.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
1. Allow Dashboard to create 'kubernetes-dashboard2-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
1. Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
verbs: ["get", "update", "delete"]
1. Allow Dashboard to get and update 'kubernetes-dashboard2-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
1. Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
---
1. ------------------- Dashboard Deployment ------------------- #
kind: Deployment
apiVersion: apps/v1beta2
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
containers:
- name: kubernetes-dashboard
image: mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.8.3
ports:
- containerPort: 8443
protocol: TCP
args:
- --auto-generate-certificates
- --authentication-mode=basic
1. Uncomment the following line to manually specify Kubernetes API server Host
1. If not specified, Dashboard will attempt to auto discover the API server and connect
1. to it. Uncomment only if the default does not work.
1. - --apiserver-host=http://my-address:port
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
1. Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
1. Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
---
1. ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
type: NodePort
ports:
- port: 80
targetPort: 8443
nodePort: 30000
selector:
k8s-app: kubernetes-dashboard
我们可以用过下面命令进行检查kubectl get pod,svc -n kube-system
这里要说一点,我这里的镜像使用的是v1.8.3如果觉得版本低可以更高版本的。
访问dashboard界面
由于没有ingress,使用的是IP访问。所以会提示我们证书不安全,我们这里点击忽略直接访问。个别浏览器会造成打不开的,建议使用火狐
访问地址:https://master-IP:30000
在任意一台master上访问即可
这里需要我们输入api-server指定的文件里面的账号密码
跳过是没有权限查看k8s里面所有的信息
二、Kubeadm 环境配置
在所有的master节点配置用户名密码
echo "admin,admin,1" > /etc/kubernetes/pki/basic_auth_file
修改所有apiserver
vim /etc/kubernetes/manifests/kube-apiserver.yaml
#添加下面参数 (spec.containers.command下添加)
- --basic-auth-file=/etc/kubernetes/pki/basic_auth_file
#注意格式
修改完毕后api server会自动重启,等待重启成功我们访问dashboard即可
[root@k8s-01 dashboard]# kubectl get pod -n kube-system |grep apiserver kube-apiserver-k8s-01 1/1 Running 0 24s kube-apiserver-k8s-02 1/1 Running 0 44s kube-apiserver-k8s-03 1/1 Running 0 50s
apiserver重启完毕后,添加dashboard Deployment配置
args:
- --auto-generate-certificates
- --namespace=kubernetes-dashboard
- --token-ttl=21600 #新增行 单位秒
- --authentication-mode=basic #新增行
也可以使用我提供的yaml,直接创建
kubectl apply -f http://down.i4t.com/dashboard-login.yaml
创建集群admin角色绑定 (否则无法登陆Dashboard)
kubectl create clusterrolebinding login-on-dashboard-with-cluster-admin --clusterrole=cluster-admin --user=admin
查看绑定
[root@k8s-01 dashboard]# kubectl get clusterrolebinding login-on-dashboard-with-cluster-admin NAME ROLE AGE login-on-dashboard-with-cluster-admin ClusterRole/cluster-admin 2m23s
创建
[root@k8s-01 dashboard]# kubectl apply -f k8s-dashboard.yaml namespace/kubernetes-dashboard unchanged serviceaccount/kubernetes-dashboard unchanged service/kubernetes-dashboard unchanged secret/kubernetes-dashboard-certs unchanged secret/kubernetes-dashboard-csrf configured Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply secret/kubernetes-dashboard-key-holder configured configmap/kubernetes-dashboard-settings unchanged role.rbac.authorization.k8s.io/kubernetes-dashboard unchanged clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard unchanged rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard unchanged clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard unchanged deployment.apps/kubernetes-dashboard configured service/dashboard-metrics-scraper unchanged deployment.apps/dashboard-metrics-scraper unchanged
相关文章:
- Kubernetes 1.14 二进制集群安装
- Kubenetes 1.13.5 集群二进制安装
- Kuerbernetes 1.11 集群二进制安装
- kubeadm部署k8s集群
