前文我們瞭解了k8s的訪問控制第三關准入控制相關外掛的使用,回顧請參考:https://www.cnblogs.com/qiuhom-1874/p/14220402.html;今天我們來了解下k8s的web ui 元件的安裝和使用者授權相關話題;
k8s的webui是一個外掛執行在k8s之上,以pod的方式提供服務;它能夠給使用k8s使用者提供一個web皮膚,我們可以基於這個web皮膚來管理k8s叢集;比如建立pod,建立svc,部署應用等等;在部署之前,先說一下dashboard認證過程;dashboard是以pod的形式執行在k8s之上,它本身沒有做訪問許可權認證相關的功能,它只是把使用者的認證資訊代理到k8s叢集上,具體的認證授權還是由k8s的apiserver進行;所以我們登入dashboard必須是k8s上的使用者;其次它是一個pod形式把我們的認證資訊代理到apiserver上,所以我們登入dashboard的使用者必須是一個sa使用者,它不支援常規使用者;簡單講dashboard就是一個代理服務;它把我們所有操作通過https協議代理到apiserver做相應的操作;dashboard是一個多使用者的外掛,它支援同時多個使用者以不同身份登入到dashboard上做操作;對於dashboard本身來講,它就是k8s上的一個web服務以pod形式執行,我們可以通過ingrss把它釋出出來,也可以通過service把它釋出出來;選擇其中一種方式即可;
dashboard部署前準備
dashboard對外提供服務的是一個https服務,如果我們需要將其釋出到叢集外部供網際網路訪問,我們需要把對應域名的證書先用secret資源載入到k8s上,然後在部署dashboard時,引用對應的secret即可;
生成私鑰,證書籤署請求檔案csr,然後傳送給對應CA簽署(如果對應域名的證書都申請好了,這一步直接跳過)
[root@master01 ~]# mkdir dashboard [root@master01 ~]# cd dashboard [root@master01 dashboard]# openssl genrsa -out dashboard.key 2048 Generating RSA private key, 2048 bit long modulus ................................................................................................+++ ..................+++ e is 65537 (0x10001) [root@master01 dashboard]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=test/CN=webui.test.com" [root@master01 dashboard]# ll total 8 -rw-r--r-- 1 root root 920 Jan 2 14:00 dashboard.csr -rw-r--r-- 1 root root 1679 Jan 2 13:59 dashboard.key [root@master01 dashboard]#
使用某個ca簽署對應的證書籤署請求檔案,我這裡直接使用k8s上的CA籤
[root@master01 dashboard]# openssl x509 -req -in dashboard.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out dashboard.crt -days 3650 Signature ok subject=/O=test/CN=webui.test.com Getting CA Private Key [root@master01 dashboard]# ll total 12 -rw-r--r-- 1 root root 1005 Jan 2 14:04 dashboard.crt -rw-r--r-- 1 root root 920 Jan 2 14:00 dashboard.csr -rw-r--r-- 1 root root 1679 Jan 2 13:59 dashboard.key [root@master01 dashboard]#
提示:正常情況是找網際網路上的ca簽署,該證書只是用於使用對應域名在瀏覽器上能夠通過https訪問到dashboard;
下載部署清單,檢視對應對應清單中的名稱空間和對應secret的名稱
[root@master01 dashboard]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.1.0/aio/deploy/recommended.yaml --2021-01-02 14:14:48-- https://raw.githubusercontent.com/kubernetes/dashboard/v2.1.0/aio/deploy/recommended.yaml Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.28.133 Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.28.133|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 7552 (7.4K) [text/plain] Saving to: ‘recommended.yaml’ 100%[=========================================================================>] 7,552 3.08KB/s in 2.4s 2021-01-02 14:14:52 (3.08 KB/s) - ‘recommended.yaml’ saved [7552/7552] [root@master01 dashboard]# ls dashboard.crt dashboard.csr dashboard.key recommended.yaml [root@master01 dashboard]#
提示:上述是dashboard的部署清單中的secret資源名稱和對應的名稱空間,我們如果需要手動替換自己的證書,就必須提前把對應的證書做成和部署清單中相同名稱空間相同型別和相同名稱的secret資源;
建立kubenetes-dashboard名稱空間,把dashboard.crt和dashboard.key對映為k8s上kubenetes-dashboard名稱空間下的generic型別的secret資源
[root@master01 dashboard]# kubectl create ns kubernetes-dashboard namespace/kubernetes-dashboard created [root@master01 dashboard]# kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.crt --from-file=dashboard.key -n kubernetes-dashboard secret/kubernetes-dashboard-certs created [root@master01 dashboard]# kubectl get secret -n kubernetes-dashboard NAME TYPE DATA AGE default-token-vcw5h kubernetes.io/service-account-token 3 2m31s kubernetes-dashboard-certs Opaque 2 12s [root@master01 dashboard]#
應用dashboard部署資源清單
[root@master01 dashboard]# kubectl apply -f recommended.yaml Warning: resource namespaces/kubernetes-dashboard is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically. namespace/kubernetes-dashboard configured serviceaccount/kubernetes-dashboard created service/kubernetes-dashboard created Warning: resource secrets/kubernetes-dashboard-certs is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically. secret/kubernetes-dashboard-certs configured secret/kubernetes-dashboard-csrf created secret/kubernetes-dashboard-key-holder created configmap/kubernetes-dashboard-settings created role.rbac.authorization.k8s.io/kubernetes-dashboard created clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created deployment.apps/kubernetes-dashboard created service/dashboard-metrics-scraper created deployment.apps/dashboard-metrics-scraper created [root@master01 dashboard]#
線上編輯對應service的配置,將clusterip型別更改為nodeport型別
提示:更改為nodeport型別service,對應叢集外部的客戶端才可以正常訪問;
檢視對應名稱空間下的pod是否啟動起來?
[root@master01 ~]# kubectl get all -n kubernetes-dashboard NAME READY STATUS RESTARTS AGE pod/dashboard-metrics-scraper-79c5968bdc-tc79t 1/1 Running 0 6m56s pod/kubernetes-dashboard-7448ffc97b-v98gk 1/1 Running 0 6m56s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/dashboard-metrics-scraper ClusterIP 10.103.202.122 <none> 8000/TCP 6m56s service/kubernetes-dashboard NodePort 10.108.57.122 <none> 443:31635/TCP 6m57s NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/dashboard-metrics-scraper 1/1 1 1 6m56s deployment.apps/kubernetes-dashboard 1/1 1 1 6m56s NAME DESIRED CURRENT READY AGE replicaset.apps/dashboard-metrics-scraper-79c5968bdc 1 1 1 6m56s replicaset.apps/kubernetes-dashboard-7448ffc97b 1 1 1 6m56s [root@master01 ~]#
提示:可以看到對應資源都已經跑起來了,對應service暴露的埠是34635埠,我們可以訪問k8s叢集任意節點的31635埠就能訪問到dashboard,如果使用域名訪問,請注意對應域名要解析到對應k8s叢集上的任意一個節點ip上;
訪問dashboard
提示:這裡要用https訪問,因為對應服務是提供的https服務;這裡提示我們證書不安全,是因為對應證書不是瀏覽器認可的ca頒發,所以我們需要自己手動信任下;
提示:能夠看到上面的頁面,說明dashboard就執行起來了,接下我們要建立一個賬號來登入dashboard;
建立一個sa賬號
[root@master01 ~]# kubectl create serviceaccount webui-cluster-admin -n kubernetes-dashboard serviceaccount/webui-cluster-admin created [root@master01 ~]# kubectl get sa -n kubernetes-dashboard NAME SECRETS AGE default 1 29m kubernetes-dashboard 1 17m webui-cluster-admin 1 11s [root@master01 ~]# kubectl describe sa webui-cluster-admin -n kubernetes-dashboard Name: webui-cluster-admin Namespace: kubernetes-dashboard Labels: <none> Annotations: <none> Image pull secrets: <none> Mountable secrets: webui-cluster-admin-token-bxl2z Tokens: webui-cluster-admin-token-bxl2z Events: <none> [root@master01 ~]#
授權對應sa賬號為cluster-admin角色
[root@master01 ~]# kubectl create clusterrolebinding webui-cluster-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:webui-cluster-admin clusterrolebinding.rbac.authorization.k8s.io/webui-cluster-admin created [root@master01 ~]# kubectl get clusterrolebinding |grep webui webui-cluster-admin ClusterRole/cluster-admin 41s [root@master01 ~]# kubectl describe clusterrolebinding webui-cluster-admin Name: webui-cluster-admin Labels: <none> Annotations: <none> Role: Kind: ClusterRole Name: cluster-admin Subjects: Kind Name Namespace ---- ---- --------- ServiceAccount webui-cluster-admin kubernetes-dashboard [root@master01 ~]#
提示:指定serviceaccount需要指定對應sa的名稱空間加“:”對應sa的名稱;
使用上面對應sa賬號對應的secret中的token登入dashboard
登入dashboard
提示:預設登入到dashboard會是在default名稱空間,我們可以選擇上面的名稱空間檢視對應名稱空間下的資源;
建立某個名稱空間下的管理員
[root@master01 ~]# kubectl create serviceaccount myns-admin -n myns serviceaccount/myns-admin created [root@master01 ~]# kubectl create rolebinding myns-admin --clusterrole=admin --serviceaccount=myns:myns-admin -n myns rolebinding.rbac.authorization.k8s.io/myns-admin created [root@master01 ~]#
提示:rolebinding需要指定名稱空間,否則不指定預設表示default名稱空間;
檢視對應賬號的token
[root@master01 ~]# kubectl describe sa -n myns
Name: default
Namespace: myns
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: default-token-n6tg5
Tokens: default-token-n6tg5
Events: <none>
Name: myns-admin
Namespace: myns
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: myns-admin-token-p6gh8
Tokens: myns-admin-token-p6gh8
Events: <none>
[root@master01 ~]# kubectl describe secret myns-admin-token-p6gh8 -n myns
Name: myns-admin-token-p6gh8
Namespace: myns
Labels: <none>
Annotations: kubernetes.io/service-account.name: myns-admin
kubernetes.io/service-account.uid: ebaed1a9-4631-42cb-8af9-a14fa35a7098
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1066 bytes
namespace: 4 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjM4WnU0Z1Q1c0hBNmR5Q1V0ejRaMFk4d2J2WncwWjNiUTAxZk02SGN4OTgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJteW5zIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im15bnMtYWRtaW4tdG9rZW4tcDZnaDgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoibXlucy1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImViYWVkMWE5LTQ2MzEtNDJjYi04YWY5LWExNGZhMzVhNzA5OCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpteW5zOm15bnMtYWRtaW4ifQ.JuZ9WsojEfJai-Z1uLH7AIS-kLyqqln9POzEEoV_RTBKGO4NbtDJwMOw3z4SVeLwdCSiBefh-pD03DCnHmZ-HunrUPXBix2iKRgD42fkQ2L8cZzl8LGEw88jK5mUpSOF2si0wibc1cn7Gtrc5LqMiVtOgLoBMhEXaX2_RDUXj0Q8FtNb_srIcjQe__gXsMGmXxhHuU629IVk7fM99FvHzlDOyLj4goaydMw7F9-JFpL3I-ll2lq46goKDEwB2pMEz_qvsVFHvILNzg318TilMSK4VeMpKUbje6eovvs2IYSMCfVRBtvlpsv3KixYONai1AvYRQz_iISwKzI5JWO4hw
[root@master01 ~]#
使用對應的token登入dashboard
提示:這裡預設登入進來是default名稱空間,對應賬號沒有許可權,所以它會提示我們沒有許可權檢視當前名稱空間下的資源;
切換到myns名稱空間
提示:到此對應使用者就能在myns名稱空間下做響應的管理操作了;
製作kubeconfig檔案登入dashboard
[root@master01 ~]# kubectl config set-cluster mykube --server="https://192.168.0.41:6443" --embed-certs --certificate-authority=/etc/kubernetes/pki/ca.crt --kubeconfig=/tmp/test-mykube.config
Cluster "mykube" set.
[root@master01 ~]# kubectl config set-credentials webui-admin --token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjM4WnU0Z1Q1c0hBNmR5Q1V0ejRaMFk4d2J2WncwWjNiUTAxZk02SGN4OTgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJ3ZWJ1aS1jbHVzdGVyLWFkbWluLXRva2VuLWJ4bDJ6Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6IndlYnVpLWNsdXN0ZXItYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2NDYwNWFhMi1kZmI1LTRlZjItYTQ3NC0yMzczOGUwZmNjZDgiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6d2VidWktY2x1c3Rlci1hZG1pbiJ9.lIEEMbIyYDlWXxG_xSWcY595Ai3yCYTAKEYQVwybysBfNTM9ksJOhqep9M9PF6bfUGIpbFr-Y75gvAmOprrYICv-W7RKUQxMq1s_9mIY7ATlWh3xiPOjYoT9K7JWXNpFOPsl9eEOY2j_VJE7hK_7mzMg7ASPTWEbQS1YkXvoBh3nG_SDBbKgqs-SiQ5_yhx0QFK-PSdFUiBhGRq_TvqbrmZeAi1lJ6tNODcUW7zikSwO53wQDJHgjdYiYHhqm0O3GysBYp6JzgkryXdmjLri6NXvWV9qTc201SL7xrF6S09vSFQaox479r5A5qat9DJn0qq4YEUFKXzweuyxjJfdwA --kubeconfig=/tmp/test-mykube.config
User "webui-admin" set.
[root@master01 ~]# kubectl config set-context webui-admin@mykube --cluster=mykube --user=webui-admin --kubeconfig=/tmp/test-mykube.config
Context "webui-admin@mykube" created.
[root@master01 ~]# kubectl config view --kubeconfig=/tmp/test-mykube.config
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://192.168.0.41:6443
name: mykube
contexts:
- context:
cluster: mykube
user: webui-admin
name: webui-admin@mykube
current-context: ""
kind: Config
preferences: {}
users:
- name: webui-admin
user:
token: REDACTED
[root@master01 ~]# kubectl config use-context webui-admin@mykube --kubeconfig=/tmp/test-mykube.config
Switched to context "webui-admin@mykube".
[root@master01 ~]# kubectl config view --kubeconfig=/tmp/test-mykube.config
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://192.168.0.41:6443
name: mykube
contexts:
- context:
cluster: mykube
user: webui-admin
name: webui-admin@mykube
current-context: webui-admin@mykube
kind: Config
preferences: {}
users:
- name: webui-admin
user:
token: REDACTED
[root@master01 ~]#
提示:在設定使用者時,選擇對應使用者的token資訊即可;
把對應配置檔案匯出,在瀏覽器上使用對應檔案登入dashboard
提示:此時登入到dashboard使用者就是對應配置檔案中的token對應的sa使用者;到此dashboard就搭建好了。。