docker筆記30-k8s dashboard認證及分級授權
Dashboard官方地址:
dashbord是作為一個pod來執行,需要serviceaccount賬號來登入。
先給dashboad建立一個專用的認證資訊。
先建立私鑰:
[root@master ~]# cd /etc/kubernetes/pki/ [root@master pki]# (umask 077; openssl genrsa -out dashboard.key 2048) Generating RSA private key, 2048 bit long modulus .............................................................................................................................+++ .................................+++
建立一個證書籤署請求:
[root@master pki]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=zhixin/CN=dashboard"
下面開始簽署證書:
[root@master pki]# openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 365 Signature ok subject=/O=zhixin/CN=dashboard Getting CA Private Key
把上面生成的私鑰和證書建立成secret
[root@master pki]# kubectl create secret generic dashboard-cert -n kube-system --from-file=dashboard.crt=./dashboard.crt --from-file=dashboard.key=./dashboard.key secret/dashboard-cert created
[root@master pki]# kubectl get secret -n kube-system |grep dashboard dashboard-cert Opaque 2 5m
建立一個serviceaccount,因為dashborad需要serviceaccount(pod之間登入驗證的使用者)驗證登入。
[root@master pki]# kubectl create serviceaccount dashboard-admin -n kube-system serviceaccount/dashboard-admin created
[root@master pki]# kubectl get sa -n kube-system |grep admin dashboard-admin 1 23s
下面透過clusterrolebinding把dashboard-admin加入到clusterrole裡面。
[root@master pki]# kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin clusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin created
這樣serviceaccount 使用者dashboard-admin就擁有了管理所有叢集的許可權。
[root@master pki]# kubectl get secret -n kube-system |grep dashboard dashboard-admin-token-hfxg9 kubernetes.io/service-account-token 3 7m
[root@master pki]# kubectl describe secret dashboard-admin-token-hfxg9 -n kube-system token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4taGZ4ZzkiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZDBlNmIxMzAtYzM5OC0xMWU4LWJiMzUtMDA1MDU2YTI0ZWNiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.PyE0q9sZl8uDF-KGvpwG3nDfny9i2wdP-24Jf8d5GlWDfaHO3vkEe1zs56K7qkRPvrg-iQ0tVvoVG8SAj2cBKjLYP6oSiQcVS3ax2TyiSG7j5Ibupc1TXKj0Yc4FfcIKu1tMZwtezHdKUDDY7RJ2sp81rYHbJdkjXe-40cITCKcjadSU-6sfNJnq4E4E-bp1LYrBvokUbBW4xkHzruS7QFQAnEZ3v257R_xjXx23NPsqwCH6dx8OWYgIXdtUos7vNjLw8xy-_rO9VEuGRnzni5m9SBdVwEF7edtJh_psZBe7yfGAkgfRPpxbwB_wyyProM-aIn6LL4aekUwBqbwOLQ
上面的token就是serviceaccount使用者dashboad-admin的認證令牌。
下面開始部署dashboard
[root@master pki]# kubectl apply -f
[root@master ~]# kubectl get pods -n kube-system NAME READY STATUS RESTARTS AGE kubernetes-dashboard-767dc7d4d-4mq9z 1/1 Running 2 2h
[root@master ~]# kubectl get svc -n kube-system NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP 21d kubernetes-dashboard ClusterIP 10.104.8.78 <none> 443/TCP 45m
[root@master ~]# kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system service/kubernetes-dashboard patched
[root@master ~]# kubectl get svc -n kube-system NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP 21d kubernetes-dashboard NodePort 10.104.8.78 <none> 443:31647/TCP 47m
這樣我們就可以在叢集外部使用31647埠訪問dashboard了,ip就使用node master宿主機的ip。
用瀏覽器開啟:
注意,要用火狐瀏覽器開啟,其他瀏覽器打不開的,注意注意!!!
上面認證的方法,這個使用者能看到所有叢集的所有東西,是個超級管理員。下面我們再設定個使用者,限定它只能訪問default名稱空間。
[root@master ~]# kubectl create serviceaccount def-ns-admin -n default serviceaccount/def-ns-admin created
[root@master ~]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin rolebinding.rbac.authorization.k8s.io/def-ns-admin created
[root@master ~]# kubectl get secret NAME TYPE DATA AGE admin-token-6jpc5 kubernetes.io/service-account-token 3 1d def-ns-admin-token-646gx kubernetes.io/service-account-token 3 2m
[root@master ~]# kubectl describe secret def-ns-admin-token-646gx token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi02NDZneCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ODZiOGI2NC1jM2JmLTExZTgtYmIzNS0wMDUwNTZhMjRlY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.MTyQW7Vn_1j9cfmtYAE4CepmLsaMsMfE5VG6xkx4LsfrsKOO2FAo1bQuUtjLtAj52UzC7I0dVqQKpcx1DPxkr8QIpNm37PLE01geQ0C0me7QiRiM9KrFXmDtxUSLlhPBahxg-krlaANEWDKX69nss6qKiFgip7KHM_uP-b1d1caSE8y-zdEtTHK8QJ9reMb-EHG6iPkFpYJ-2guDOUhL5559usR16o2AWoN8yRdcKtnpqwBV_n2UE4m83kLjA30PtYpqraIQp9yTa21jiVlceHZpWxx-HlOEjDE4ekNCe_xTorJ7MbHVTyfqr37o8fh8Gsh-P5_tK-qaDOO7pSMkHA
把上面的token登入到web頁面的令牌,登入進去後只能看default名稱空間的內容。
下面我們再用Kubeconf的方法來驗證登入試試。
[root@master pki]# cd /etc/kubernetes/pki
[root@master pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server=" Cluster "kubernetes" set.
[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf apiVersion: v1 clusters: - cluster: certificate-authority-data: REDACTED server: name: kubernetes contexts: [] current-context: "" kind: Config preferences: {} users: []
[root@master pki]# kubectl get secret NAME TYPE DATA AGE admin-token-6jpc5 kubernetes.io/service-account-token 3 1d def-ns-admin-token-646gx kubernetes.io/service-account-token 3 33m
[root@master pki]# kubectl get secret def-ns-admin-token-646gx -o json "token": "ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSmtaV1poZFd4MElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WldOeVpYUXVibUZ0WlNJNkltUmxaaTF1Y3kxaFpHMXBiaTEwYjJ0bGJpMDJORFpuZUNJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZ5ZG1salpTMWhZMk52ZFc1MExtNWhiV1VpT2lKa1pXWXRibk10WVdSdGFXNGlMQ0pyZFdKbGNtNWxkR1Z6TG1sdkwzTmxjblpwWTJWaFkyTnZkVzUwTDNObGNuWnBZMlV0WVdOamIzVnVkQzUxYVdRaU9pSTRPRFppT0dJMk5DMWpNMkptTFRFeFpUZ3RZbUl6TlMwd01EVXdOVFpoTWpSbFkySWlMQ0p6ZFdJaU9pSnplWE4wWlcwNmMyVnlkbWxqWldGalkyOTFiblE2WkdWbVlYVnNkRHBrWldZdGJuTXRZV1J0YVc0aWZRLk1UeVFXN1ZuXzFqOWNmbXRZQUU0Q2VwbUxzYU1zTWZFNVZHNnhreDRMc2Zyc0tPTzJGQW8xYlF1VXRqTHRBajUyVXpDN0kwZFZxUUtwY3gxRFB4a3I4UUlwTm0zN1BMRTAxZ2VRMEMwbWU3UWlSaU05S3JGWG1EdHhVU0xsaFBCYWh4Zy1rcmxhQU5FV0RLWDY5bnNzNnFLaUZnaXA3S0hNX3VQLWIxZDFjYVNFOHktemRFdFRISzhRSjlyZU1iLUVIRzZpUGtGcFlKLTJndURPVWhMNTU1OXVzUjE2bzJBV29OOHlSZGNLdG5wcXdCVl9uMlVFNG04M2tMakEzMFB0WXBxcmFJUXA5eVRhMjFqaVZsY2VIWnBXeHgtSGxPRWpERTRla05DZV94VG9ySjdNYkhWVHlmcXIzN284Zmg4R3NoLVA1X3RLLXFhRE9PN3BTTWtIQQ=="
[root@master pki]# DEF_NS_ADMIN_TOKEN=$(kubectl get secret def-ns-admin-token-646gx -o jsonpath={.data.token}|base64 -d)
[root@master pki]# kubectl config set-credentials def-ns-admin --token=$DEF_NS_ADMIN_TOKEN --kubeconfig=/root/def-ns-admin.conf User "def-ns-admin" set.
[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf apiVersion: v1 clusters: - cluster: certificate-authority-data: REDACTED server: name: kubernetes contexts: [] current-context: "" kind: Config preferences: {} users: - name: def-ns-admin
[root@master pki]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf Context "def-ns-admin@kubernetes" created.
[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf apiVersion: v1 clusters: - cluster: certificate-authority-data: REDACTED server: name: kubernetes contexts: - context: cluster: kubernetes user: def-ns-admin name: def-ns-admin@kubernetes current-context: "" kind: Config preferences: {} users: - name: def-ns-admin user: token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi02NDZneCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ODZiOGI2NC1jM2JmLTExZTgtYmIzNS0wMDUwNTZhMjRlY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.MTyQW7Vn_1j9cfmtYAE4CepmLsaMsMfE5VG6xkx4LsfrsKOO2FAo1bQuUtjLtAj52UzC7I0dVqQKpcx1DPxkr8QIpNm37PLE01geQ0C0me7QiRiM9KrFXmDtxUSLlhPBahxg-krlaANEWDKX69nss6qKiFgip7KHM_uP-b1d1caSE8y-zdEtTHK8QJ9reMb-EHG6iPkFpYJ-2guDOUhL5559usR16o2AWoN8yRdcKtnpqwBV_n2UE4m83kLjA30PtYpqraIQp9yTa21jiVlceHZpWxx-HlOEjDE4ekNCe_xTorJ7MbHVTyfqr37o8fh8Gsh-P5_tK-qaDOO7pSMkHA
[root@master pki]# kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf Switched to context "def-ns-admin@kubernetes".
[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf apiVersion: v1 clusters: - cluster: certificate-authority-data: REDACTED server: name: kubernetes contexts: - context: cluster: kubernetes user: def-ns-admin name: def-ns-admin@kubernetes current-context: def-ns-admin@kubernetes kind: Config preferences: {} users: - name: def-ns-admin user: token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi02NDZneCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ODZiOGI2NC1jM2JmLTExZTgtYmIzNS0wMDUwNTZhMjRlY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.MTyQW7Vn_1j9cfmtYAE4CepmLsaMsMfE5VG6xkx4LsfrsKOO2FAo1bQuUtjLtAj52UzC7I0dVqQKpcx1DPxkr8QIpNm37PLE01geQ0C0me7QiRiM9KrFXmDtxUSLlhPBahxg-krlaANEWDKX69nss6qKiFgip7KHM_uP-b1d1caSE8y-zdEtTHK8QJ9reMb-EHG6iPkFpYJ-2guDOUhL5559usR16o2AWoN8yRdcKtnpqwBV_n2UE4m83kLjA30PtYpqraIQp9yTa21jiVlceHZpWxx-HlOEjDE4ekNCe_xTorJ7MbHVTyfqr37o8fh8Gsh-P5_tK-qaDOO7pSMkHA
這時候/root/def-ns-admin.conf檔案就可以用在dashboard中,用它進行登入了。
總結
1、部署:
kubectl apply -f
2、將service改為NodePort:
kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
3、認證:
認證時的賬戶必須為ServiceAccount:作用是被dashboard pod拿來由kubernetes進行認證。
第一種:token方式認證:
a) 建立serviceaccount,根據其管理目標,使用rolebinding或者clusterrolebinding繫結至合理role或者clusterrole;
b)獲取到此serviceAccount的secret,檢視secret的詳細資訊,其中就有token,貼上到web介面的令牌裡面
第二種: kubeconfig方式認證:
把serviceaccount的token封裝為kubeconfig檔案。
a) 建立serviceaccount,根據其管理目標,使用rolebinding或者clusterrolebinding繫結至合理role或者clusterrole;
b)
kubect get secret | awk '/^ServiceAccountName/{print $1}'
KUBE_TOKEN=DEF_NS_ADMIN_TOKEN=$(kubectl get secret SERVICEACCOUNT_SERCRET_NAME -o jsonpath={.data.token}|base64 -d)
c) 生成kubeconfig檔案
kubectl config set-cluster --kubeconfig=/PATH/TO/SOMEFILE
kubectl config set-credentials NAME --token=$KUBE_TOKEN --kubeconfig=/PATH/TO/SOMEFILE
kubctl config set-context
kubectl config use-context
kubernetes叢集的管理方式
1、命令式:create,run,expose,delete,edit....
2、命令式配置檔案:create -f /PATH/TO/RESOURCE_CONFIGURATION_FILE,delete -f,replace -f
3、宣告式配置檔案:apply -f,patch,
一般建議不要混合使用上面三種方式。建議使用apply和patch這樣的命令。
來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/28916011/viewspace-2215214/,如需轉載,請註明出處,否則將追究法律責任。
相關文章
- 認證授權
- 認證授權方案之JwtBearer認證JWT
- 認證授權方案之授權初識
- 認證授權方案之授權揭祕 (上篇)
- 【認證與授權】Spring Security的授權流程Spring
- Spring Security OAuth2.0認證授權四:分散式系統認證授權SpringOAuth分散式
- OAuth 2.0 授權碼認證OAuth
- 認證授權:IdentityServer4IDEServer
- 認證授權:學習OIDC
- shiro授權和認證(四)
- Ocelot(四)- 認證與授權
- 授權(Authorization)和認證(Authentication)
- Ceph配置與認證授權
- Spring Boot 整合 Shiro實現認證及授權管理Spring Boot
- docker筆記29-k8s認證及serviceaccount、RBACDocker筆記K8S
- 認證授權問題概覽
- OAuth 2.0 授權認證詳解OAuth
- EMQX Cloud 更新:外部認證授權MQCloud
- 細說API - 認證、授權和憑證API
- 認證授權:IdentityServer4 - 各種授權模式應用IDEServer模式
- 【認證與授權】Spring Security系列之認證流程解析Spring
- 【認證與授權】2、基於session的認證方式Session
- Spring Security OAuth2.0認證授權六:前後端分離下的登入授權SpringOAuth後端
- OAuth2.0認證授權workflow探究OAuth
- SpringSecurity認證和授權流程詳解SpringGse
- 認證授權:學習OAuth協議OAuth協議
- 『高階篇』docker之kubernetes搭建叢集新增認證授權(上)(38)Docker
- IdentityServer4 - V4 概念理解及認證授權過程IDEServer
- SpringSecurity(1)---認證+授權程式碼實現SpringGse
- SpringBoot--- 使用SpringSecurity進行授權認證Spring BootGse
- 中介軟體---登陸認證授權---Shiro
- 認證授權的設計與實現
- 基於.NetCore3.1系列 —— 認證授權方案之授權揭祕 (下篇)NetCore
- 微服務下認證授權框架的探討微服務框架
- 聊聊常見的服務(介面)認證授權
- 認證授權:IdentityServer4 - 單點登入IDEServer
- 手把手教你AspNetCore WebApi:認證與授權NetCoreWebAPI
- 認證授權:IdentityServer4 - 資料持久化IDEServer持久化