Kubernetes dashboard kubeconfig authentication (35)

July 16, 2023

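If you would rather not log in with a token and want to authenticate with a config file instead, you need to create a kubeconfig file.

You still have to create a serviceaccount and bind it with a rolebinding or clusterrolebinding, and the config must contain the decoded token from the earlier step. In other words, config-file authentication is built on top of token authentication: token authentication is set up first, and the config file wraps it. Login is then completed by submitting that config file.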

1. Configure config

Generate the kubeconfig. Work in /etc/kubernetes/pki/ and use the Kubernetes CA certificate for cluster authentication. The result is saved to /root/linuxea-default-admin.conf.

[root@linuxea pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://10.10.240.161:6443" --embed-certs=true --kubeconfig=/root/linuxea-default-admin.conf
Cluster "kubernetes" set.
[root@linuxea pki]# kubectl config view --kubeconfig=/root/linuxea-default-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://10.10.240.161:6443
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []

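2. Configure credentials

Credentials can authenticate with either a certificate or a token; a token is used here.

  • Create the credentials from the token in the kube-system secret dashboard-admin-token-vc7cv. The value is decoded with base64 -d.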
[root@linuxea ~]# kubectl get secret -n kube-system dashboard-admin-token-vc7cv  -o jsonpath={.data.token} |base64 -d

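Generate the credentials, embedding the token created earlier.

  • The name dashboard-admin-token is not the user name used for login. The serviceaccount name dashboard-admin, created earlier, is the identity that actually authenticates to the API server.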
[root@linuxea pki]# kubectl config set-credentials dashboard-admin-token --token=$(kubectl get secret -n kube-system dashboard-admin-token-vc7cv  -o jsonpath={.data.token} |base64 -d) --kubeconfig=/root/linuxea-default-admin.conf
[root@linuxea pki]# kubectl config view --kubeconfig=/root/linuxea-default-admin.conf 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://10.10.240.161:6443
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users:
- name: dashboard-admin-token
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tdmM3Y3YiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZGZlNWNkYWYtYzlmMy0xMWU4LWE4YWItODg4ODJmYmQxMDI4Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.qcPhHAkyW0k5gdkkDaTD-DVxRcrZ5Ml_Kcxw0mZIYlJWME_1Wu1_i4B9jE1RcwKDZHV0ND8jpN91oUg1Ac8O6X8VwsfpFw1HzcBv7Te46L4_Z2NjIBuf6cPngkHx1Ija08_BLUd--i3E9cJrTsrqaZojr1JO4ZTHifU7K6cKpGUmbvbYjkIASzj8onT2988znkjp13bvdx7YF3hrKMg4jeDFbR-yMPEwXadgiY0IHArekzLuL37KiRVGgEubuqZFy7fkBPiSQGWc9ecl5dwhmhfofHm7WuKlf4Lvwyz3ivGqPFuoKk0AMmAME3ULOO7INaTlRQkSGJs-bdWl7y-eIg
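
The identity the API server sees comes from the token's claims, not from the name of the user entry in the kubeconfig. The script below is an added example, not part of the original post: it decodes a token's payload without verifying the signature. The helper names and the sample token are constructed for illustration, with claims laid out like those of a secret-based serviceaccount token, which carries no exp claim.

```shell
#!/usr/bin/env bash
# Added example: decode (not verify) the claims of a service-account token.

# Encode/decode one base64url JWT segment; decode restores stripped padding.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print the JSON payload (second dot-separated segment) of a JWT.
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Print a top-level string claim such as sub or iss (flat payloads only).
jwt_claim() {
  jwt_payload "$1" | tr ',' '\n' | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Succeed only if the token carries an exp (expiry) claim.
jwt_has_expiry() { jwt_payload "$1" | grep -q '"exp":'; }

# Constructed sample with the claim layout of a secret-based token.
# The signature segment is a dummy; nothing here contacts a cluster.
make_sample_token() {
  local header='{"alg":"RS256","kid":""}'
  local payload='{"iss":"kubernetes/serviceaccount",'
  payload+='"kubernetes.io/serviceaccount/namespace":"kube-system",'
  payload+='"kubernetes.io/serviceaccount/service-account.name":"dashboard-admin",'
  payload+='"sub":"system:serviceaccount:kube-system:dashboard-admin"}'
  printf '%s.%s.%s' "$(b64url_encode "$header")" "$(b64url_encode "$payload")" "ZHVtbXk"
}

token=$(make_sample_token)
echo "identity: $(jwt_claim "$token" sub)"
echo "issuer:   $(jwt_claim "$token" iss)"
if jwt_has_expiry "$token"; then
  echo "expiry:   present"
else
  echo "expiry:   none (valid until the secret or serviceaccount is deleted)"
fi
```

Because the embedded token does not expire, anyone who obtains a copy of the kubeconfig holds the full permissions bound to dashboard-admin.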

3. Configure context

Configure the context: specify the cluster with --cluster=kubernetes and attach the dashboard-admin-token user, writing to the /root/linuxea-default-admin.conf config file.

[root@linuxea pki]# kubectl config set-context dashboard-admin-token@kubernetes --cluster=kubernetes --user=dashboard-admin-token --kubeconfig=/root/linuxea-default-admin.conf 
Context "dashboard-admin-token@kubernetes" created.
[root@linuxea pki]# kubectl config view --kubeconfig=/root/linuxea-default-admin.conf 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://10.10.240.161:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: dashboard-admin-token
  name: dashboard-admin-token@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: dashboard-admin-token
  user:
    token: <same token as in step 2>

4. Configure use-context

Set dashboard-admin-token@kubernetes as the current context (the active user) in /root/linuxea-default-admin.conf.

[root@linuxea pki]# kubectl config use-context dashboard-admin-token@kubernetes --kubeconfig=/root/linuxea-default-admin.conf 
Switched to context "dashboard-admin-token@kubernetes".
[root@linuxea pki]# kubectl config view --kubeconfig=/root/linuxea-default-admin.conf 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://10.10.240.161:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: dashboard-admin-token
  name: dashboard-admin-token@kubernetes
current-context: dashboard-admin-token@kubernetes
kind: Config
preferences: {}
users:
- name: dashboard-admin-token
  user:
    token: <same token as in step 2>

Then copy /root/linuxea-default-admin.conf to the host you log in from, and you can sign in to the dashboard with the file.
