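Logging in to the Kubernetes Dashboard with cluster-admin privileges
Introduction
Up through the 1.7 series, the WebUI was easy to use: run kubectl proxy and open 127.0.0.1:8001/ui in a browser.
Since Kubernetes 1.8, however, an authentication system has been added, and the WebUI cannot be used without authenticating.
Opening the WebUI shows an authentication screen like the following.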

Permissions are finely divided, and the following kinds exist by default.
$ kubectl -n kube-system get secret
NAME TYPE DATA AGE
attachdetach-controller-token-cdqt4 kubernetes.io/service-account-token 3 45m
certificate-controller-token-7qjc4 kubernetes.io/service-account-token 3 45m
cloud-provider-token-gn4gq kubernetes.io/service-account-token 3 45m
clusterrole-aggregation-controller-token-tl2wc kubernetes.io/service-account-token 3 45m
cronjob-controller-token-prhf8 kubernetes.io/service-account-token 3 45m
daemon-set-controller-token-rr99v kubernetes.io/service-account-token 3 45m
default-token-xbqb8 kubernetes.io/service-account-token 3 45m
deployment-controller-token-76t44 kubernetes.io/service-account-token 3 45m
disruption-controller-token-ttfnq kubernetes.io/service-account-token 3 45m
endpoint-controller-token-7q884 kubernetes.io/service-account-token 3 45m
event-exporter-sa-token-6n4c6 kubernetes.io/service-account-token 3 45m
fluentd-gcp-token-c77bf kubernetes.io/service-account-token 3 45m
generic-garbage-collector-token-pk9j7 kubernetes.io/service-account-token 3 45m
heapster-token-kgzhn kubernetes.io/service-account-token 3 45m
horizontal-pod-autoscaler-token-cfm5c kubernetes.io/service-account-token 3 45m
job-controller-token-tmdx5 kubernetes.io/service-account-token 3 45m
kube-dns-autoscaler-token-m59qq kubernetes.io/service-account-token 3 45m
kube-dns-token-g9bb9 kubernetes.io/service-account-token 3 45m
kubernetes-dashboard-certs Opaque 0 45m
kubernetes-dashboard-key-holder Opaque 2 45m
kubernetes-dashboard-token-kw59t kubernetes.io/service-account-token 3 45m
metadata-proxy-token-s8f5v kubernetes.io/service-account-token 3 45m
metrics-server-token-w9j4f kubernetes.io/service-account-token 3 45m
namespace-controller-token-9qddf kubernetes.io/service-account-token 3 45m
node-controller-token-7nf8h kubernetes.io/service-account-token 3 45m
persistent-volume-binder-token-gjn6g kubernetes.io/service-account-token 3 45m
pod-garbage-collector-token-whp67 kubernetes.io/service-account-token 3 45m
replicaset-controller-token-b2tcl kubernetes.io/service-account-token 3 45m
replication-controller-token-7pl4w kubernetes.io/service-account-token 3 45m
resourcequota-controller-token-sqqg7 kubernetes.io/service-account-token 3 45m
route-controller-token-894rl kubernetes.io/service-account-token 3 45m
service-account-controller-token-5jhjb kubernetes.io/service-account-token 3 45m
service-controller-token-xgdwx kubernetes.io/service-account-token 3 45m
statefulset-controller-token-q47bt kubernetes.io/service-account-token 3 45m
ttl-controller-token-8rcs5 kubernetes.io/service-account-token 3 45m
For example, to log in with the deployment-controller permissions, first obtain its token as follows.
# Specify the entry named deployment-controller-xxxxx from the list above
$ kubectl -n kube-system describe secret deployment-controller-token-76t44
Name: deployment-controller-token-76t44
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name=deployment-controller
             kubernetes.io/service-account.uid=bde9a663-3429-11e8-92ba-42010a92006a
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1115 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.C-V8qYwHJ1lnDTSjoRFyMSyFMKMTOcNNFFsujOjnQsts7ov54Mt4M8L9_QjyRXTvnI_jSSCjq5IFcXY2W_oLbqY8f5nCO2uwAcYDPF3YRSx0Qf5lk56FQ2kuIyMSmFutwKaHbgrEK0j3XyruCeGyy4Ych_MPmeJUKWvImrwubDsIFxYinvjdzEiWjc3CSByWYTqCyhdV1ovicWXJQIBsaU5PLxCpOi2uK4hSlcGT15OApy8pKVvx45E37qSbVSL5IgplkZ8DOZyOynxlLDFlANIAivs4MrnWMUI4xhUjRlqyWBNLwDchrkbyqjKFORmBjnsMxHL3FqXkXYDHwdqq0w
Enter the displayed token and select "Sign in".
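Before a token is pasted into the login form, its payload can be decoded to confirm which service account it belongs to and whether it ever expires. The Python below is an added example, not part of the original article; the sample token is constructed, and the claim names are those of legacy secret-based service-account tokens like the one shown above.

```python
import base64
import json

SA = "kubernetes.io/serviceaccount/"  # claim prefix in legacy secret-based tokens


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection; the signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def describe_token(token: str) -> dict:
    claims = decode_claims(token)
    return {
        "subject": claims.get("sub"),
        "namespace": claims.get(SA + "namespace"),
        "service_account": claims.get(SA + "service-account.name"),
        "secret": claims.get(SA + "secret.name"),
        "expires": claims.get("exp"),  # None means the token never expires
    }


def make_sample_token() -> str:
    """Constructed token shaped like the one above (dummy signature)."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": "kubernetes/serviceaccount",
        SA + "namespace": "kube-system",
        SA + "secret.name": "deployment-controller-token-76t44",
        SA + "service-account.name": "deployment-controller",
        "sub": "system:serviceaccount:kube-system:deployment-controller",
    }
    segs = [json.dumps(header).encode(), json.dumps(claims).encode(), b"constructed"]
    return ".".join(b64url(s) for s in segs)


if __name__ == "__main__":
    for key, value in describe_token(make_sample_token()).items():
        print(f"{key}: {value}")
```

A missing exp claim means the token stays valid until its secret or service account is deleted, so it should be handled like a long-lived password.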

You can then log in, as shown below.

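However, a warning is displayed at the top of the screen.
It lists what cannot be viewed with the deployment-controller permissions.
How to clear the warning
There are two ways.
Use the method described under "Admin privileges" at https://github.com/kubernetes/dashboard/wiki/Access-control so that login can be skipped (this disables the authentication system, so it carries a security risk).
Create an account with administrator privileges and log in with that account's token.
Here I explain the latter.
Create the service account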
# service-account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
# rbac.authorization.k8s.io/v1 has been served since Kubernetes 1.8; v1beta1 was removed in 1.22
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
Prepare the file above and deploy it with the following command.
$ kubectl apply -f service-account.yaml
Once this is applied, a secret named admin-user-token-xxxxx appears.
$ kubectl -n kube-system get secret
NAME TYPE DATA AGE
admin-user-token-h5t5t kubernetes.io/service-account-token 3 40m
attachdetach-controller-token-cdqt4 kubernetes.io/service-account-token 3 56m
certificate-controller-token-7qjc4 kubernetes.io/service-account-token 3 56m
cloud-provider-token-gn4gq kubernetes.io/service-account-token 3 56m
clusterrole-aggregation-controller-token-tl2wc kubernetes.io/service-account-token 3 56m
cronjob-controller-token-prhf8 kubernetes.io/service-account-token 3 56m
daemon-set-controller-token-rr99v kubernetes.io/service-account-token 3 56m
default-token-xbqb8 kubernetes.io/service-account-token 3 56m
deployment-controller-token-76t44 kubernetes.io/service-account-token 3 56m
disruption-controller-token-ttfnq kubernetes.io/service-account-token 3 56m
endpoint-controller-token-7q884 kubernetes.io/service-account-token 3 56m
event-exporter-sa-token-6n4c6 kubernetes.io/service-account-token 3 55m
fluentd-gcp-token-c77bf kubernetes.io/service-account-token 3 55m
generic-garbage-collector-token-pk9j7 kubernetes.io/service-account-token 3 56m
heapster-token-kgzhn kubernetes.io/service-account-token 3 56m
horizontal-pod-autoscaler-token-cfm5c kubernetes.io/service-account-token 3 56m
job-controller-token-tmdx5 kubernetes.io/service-account-token 3 56m
kube-dns-autoscaler-token-m59qq kubernetes.io/service-account-token 3 55m
kube-dns-token-g9bb9 kubernetes.io/service-account-token 3 55m
kubernetes-dashboard-certs Opaque 0 56m
kubernetes-dashboard-key-holder Opaque 2 56m
kubernetes-dashboard-token-kw59t kubernetes.io/service-account-token 3 55m
metadata-proxy-token-s8f5v kubernetes.io/service-account-token 3 55m
metrics-server-token-w9j4f kubernetes.io/service-account-token 3 55m
namespace-controller-token-9qddf kubernetes.io/service-account-token 3 56m
node-controller-token-7nf8h kubernetes.io/service-account-token 3 56m
persistent-volume-binder-token-gjn6g kubernetes.io/service-account-token 3 56m
pod-garbage-collector-token-whp67 kubernetes.io/service-account-token 3 56m
replicaset-controller-token-b2tcl kubernetes.io/service-account-token 3 56m
replication-controller-token-7pl4w kubernetes.io/service-account-token 3 56m
resourcequota-controller-token-sqqg7 kubernetes.io/service-account-token 3 56m
route-controller-token-894rl kubernetes.io/service-account-token 3 56m
service-account-controller-token-5jhjb kubernetes.io/service-account-token 3 56m
service-controller-token-xgdwx kubernetes.io/service-account-token 3 56m
statefulset-controller-token-q47bt kubernetes.io/service-account-token 3 56m
ttl-controller-token-8rcs5 kubernetes.io/service-account-token 3 56m
Obtain the token the same way as for deployment-controller, and log in with it.

Everything works and the warning is gone. You can now browse any resource.
That's all. Good work.
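The admin-user binding created above gives a service account full control of the cluster, so it is worth reviewing periodically which subjects are bound to cluster-admin. The Python below is an added example, not part of the original article; SAMPLE is constructed data shaped like the output of kubectl get clusterrolebindings -o json, and the binding named "orphaned" is hypothetical.

```python
import json
import sys

# Constructed sample, shaped like `kubectl get clusterrolebindings -o json`
SAMPLE = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "admin-user"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "admin-user",
                   "namespace": "kube-system"}]},
    {"metadata": {"name": "system:controller:deployment-controller"},
     "roleRef": {"kind": "ClusterRole",
                 "name": "system:controller:deployment-controller"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployment-controller",
                   "namespace": "kube-system"}]},
    {"metadata": {"name": "orphaned"},  # binding with no subjects field
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]}


def privileged_subjects(crb_list: dict, role: str = "cluster-admin") -> list:
    """Return (binding, kind, namespace, name) for every subject bound to role."""
    findings = []
    for item in crb_list.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        for subj in item.get("subjects") or []:  # subjects may be absent or null
            findings.append((item["metadata"]["name"], subj.get("kind"),
                             subj.get("namespace", ""), subj.get("name")))
    return findings


def service_accounts_with_role(crb_list: dict, role: str = "cluster-admin") -> list:
    """Service accounts holding the role; their tokens act as that role."""
    return sorted(f"{ns}/{name}"
                  for _, kind, ns, name in privileged_subjects(crb_list, role)
                  if kind == "ServiceAccount")


if __name__ == "__main__":
    # Pipe kubectl JSON on stdin, or run with no input to use the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for account in service_accounts_with_role(data):
        print("cluster-admin service account:", account)
```

Any service account this reports can be used for a Dashboard login with unrestricted access, so its token secret deserves the same protection as an administrator credential.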