k8s authentication, authorization and dashboard deployment

Resource notes

kubectl carries its own credentials: the kubeconfig file sits in the user's home directory, for root at /root/.kube/config (i.e. ~/.kube/config).

kubectl can be used from another machine simply by copying that kubeconfig over. On a kubeadm cluster the file embeds the kubernetes-admin client certificate, which is a cluster-admin credential, so copy it only to hosts you trust. The API server itself exchanges JSON: kubectl converts YAML manifests to JSON before sending them and renders the JSON replies as tables or YAML.

# kubectl proxy --port=8080
     Starting to serve on 127.0.0.1:8080

# curl http://localhost:8080/api/v1/namespaces

kubectl proxy authenticates to the API server with the credentials from the kubeconfig and exposes a plain, unauthenticated HTTP endpoint on the loopback interface, so every request that reaches 127.0.0.1:8080 runs with that user's rights (here kubernetes-admin). Leave it bound to localhost.

Every resource in k8s has a unique resource path (URL) and can be manipulated through it. Core resources such as pods, services and namespaces live under /api/v1; everything else lives under /apis/<group>/<version>.
   Creating a resource requires a request body (POST with the object as JSON); the other operations address the resource's URL with the matching HTTP verb (GET to read, PUT or PATCH to update, DELETE to delete).

Generating a resource manifest template quickly
     1. Any resource that supports the create command can be templated this way:
        kubectl create serviceaccount mysa -o yaml --dry-run > s.yaml
        (newer kubectl versions expect --dry-run=client; the bare flag is deprecated)

User management

 1. Create the private key (in the cluster PKI directory, where ca.crt and ca.key live)
[pki]# (umask 077; openssl genrsa -out yxh.key 2048)
[pki]# ls
apiserver.key                 front-proxy-ca.crt      yxh.key
2. Generate the certificate signing request. The CN becomes the user name; an O field, if present, becomes the user's group.
[pki]# openssl req -new -key yxh.key -out yxh.csr -subj "/CN=yxh"

3. Sign the certificate with the cluster CA
  [pki]# openssl x509 -req -in yxh.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out yxh.crt -days 365
Signature ok
subject=/CN=yxh
Getting CA Private Key
   Caveat: the API server checks neither CRLs nor OCSP for client certificates, so a certificate signed this way cannot be revoked; it stays valid until it expires, and the only way to lock the user out early is to remove their RBAC bindings. Choose -days accordingly.

4. Inspect the certificate (the issuer is the cluster CA, CN=kubernetes)
[pki]# openssl x509 -in yxh.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            8a:59:4a:8d:64:e9:3b:1c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Jun 22 10:30:26 2019 GMT
            Not After : Jun 21 10:30:26 2020 GMT
        Subject: CN=yxh

5. Add the user to the kubeconfig (--embed-certs=true copies key and certificate into the file as base64, so it is self-contained)
[pki]# kubectl config set-credentials yxh --client-certificate=./yxh.crt --client-key=./yxh.key --embed-certs=true
User "yxh" set.

[pki]# kubectl config set-context yxh@kubernetes --cluster=kubernetes --user=yxh
Context "yxh@kubernetes" created.
[pki]# kubectl config use-context yxh@kubernetes
Switched to context "yxh@kubernetes".
[pki]# kubectl get pods
No resources found.
Error from server (Forbidden): pods is forbidden: User "yxh" cannot list pods in the namespace "default"

The error is Forbidden (403), not Unauthorized (401): the certificate was accepted and the request was attributed to user yxh, but no RBAC rule grants yxh anything yet. Authentication and authorization are separate steps.
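The five steps above as one script, added here as an example and not part of the original post. It generalises the page's procedure in two ways: it also sets the O field, which the API server maps to the user's group, and it writes the kubeconfig by hand (the same embedded-certificate layout that kubectl config set-credentials --embed-certs=true and set-context produce) so the file can be handed to the user without touching the admin kubeconfig. Assumptions: openssl is installed; a throwaway CA with CN=kubernetes is generated in a temp directory instead of using /etc/kubernetes/pki; the group devs, the server address https://192.0.2.10:6443 and the 30-day validity are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: client-certificate user for
# Kubernetes, end to end. Assumes openssl is installed. A throwaway CA is
# created in a temp dir here; on a real cluster use ca.crt/ca.key from
# /etc/kubernetes/pki instead of make_lab_ca.

# make_lab_ca DIR: stand-in for the cluster CA (issuer CN=kubernetes, as in the
# certificate dump above). Placeholder only; never create a second CA on a live cluster.
make_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.crt" \
    -days 1 -subj "/CN=kubernetes" 2>/dev/null
}

# make_user_cert DIR USER GROUP DAYS: steps 1-3 above. CN -> user name,
# O -> group name (the API server reads both from the client certificate).
make_user_cert() {
  dir=$1; user=$2; group=$3; days=$4
  (umask 077; openssl genrsa -out "$dir/$user.key" 2048 2>/dev/null)
  openssl req -new -key "$dir/$user.key" -out "$dir/$user.csr" \
    -subj "/CN=$user/O=$group" 2>/dev/null
  openssl x509 -req -in "$dir/$user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/$user.crt" -days "$days" 2>/dev/null
}

# subject_field CERT FIELD: one RDN (CN or O) of the subject, the identity the
# API server will see. RFC2253 output keeps the format stable across OpenSSL versions.
subject_field() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^$2=//p"
}

# cert_ok CA CERT: does the certificate chain to the cluster CA? A self-signed
# certificate with the same CN, or one from another CA, fails at the TLS layer.
cert_ok() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# write_kubeconfig DIR USER SERVER OUT: the embedded layout produced by
#   kubectl config set-credentials --embed-certs=true / set-context,
# written directly so the file can be handed to the user.
write_kubeconfig() {
  dir=$1; user=$2; server=$3; out=$4
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: $server
    certificate-authority-data: $(base64 < "$dir/ca.crt" | tr -d '\n')
users:
- name: $user
  user:
    client-certificate-data: $(base64 < "$dir/$user.crt" | tr -d '\n')
    client-key-data: $(base64 < "$dir/$user.key" | tr -d '\n')
contexts:
- name: $user@kubernetes
  context:
    cluster: kubernetes
    user: $user
current-context: $user@kubernetes
EOF
  chmod 600 "$out"   # the file contains the private key
}

# Usage: user yxh in group devs, 30-day certificate, placeholder API server address.
demo_user_cert() {
  dir=$(mktemp -d)
  make_lab_ca "$dir"
  make_user_cert "$dir" yxh devs 30
  cert_ok "$dir/ca.crt" "$dir/yxh.crt" || { echo "certificate does not chain to the CA" >&2; return 1; }
  write_kubeconfig "$dir" yxh https://192.0.2.10:6443 "$dir/yxh.kubeconfig"
  printf 'user=%s group=%s kubeconfig=%s\n' \
    "$(subject_field "$dir/yxh.crt" CN)" "$(subject_field "$dir/yxh.crt" O)" "$dir/yxh.kubeconfig"
  # KUBECONFIG=$dir/yxh.kubeconfig kubectl get pods  -> Forbidden until a RoleBinding exists
}
command -v openssl >/dev/null 2>&1 && demo_user_cert
```

Because the group comes from the certificate, a RoleBinding whose subject is Group devs covers every certificate the CA ever issued with O=devs; that is convenient, but combined with the no-revocation caveat above it means a leaked key keeps the group's rights until the certificate expires.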


Role management

Defining a Role or ClusterRole means listing
     1. operations (verbs: get, list, watch, create, update, patch, delete)
     2. objects (resources: pods, services, ... optionally narrowed to specific resourceNames)

Two kinds of subject
    User Account       a person or external client, identified by the certificate CN (yxh above); the cluster stores no user objects
    Service Account    a pod acting as a client, for example the pod running the dashboard; a namespaced object with its own token

Binding a role
  RoleBinding           namespaced
  ClusterRoleBinding    cluster-wide

Role + RoleBinding: grants permissions only inside the namespace the RoleBinding belongs to
  ClusterRole + ClusterRoleBinding: grants cluster-wide (every namespace, plus cluster-scoped resources such as nodes)
  ClusterRole + RoleBinding: grants only inside the RoleBinding's namespace
       this avoids defining a Role with the same name and the same rules in many namespaces: define the ClusterRole once and bind it per namespace
  Role + ClusterRoleBinding: not possible; a ClusterRoleBinding can only reference a ClusterRole

Whichever kind of role is used,
  bound through a RoleBinding, the permissions are confined to that RoleBinding's namespace
  bound through a ClusterRoleBinding, the permissions apply to the whole cluster

  # kubectl config use-context kubernetes-admin@kubernetes
  # kubectl apply -f role_demo.yaml
    role.rbac.authorization.k8s.io/pods-reader created
    (role_demo.yaml, not reproduced on this page, defines a Role named pods-reader in the default namespace)

[role]# kubectl create rolebinding yxh-read-pods --role=pods-reader --user=yxh
rolebinding.rbac.authorization.k8s.io/yxh-read-pods created
[role]# kubectl describe rolebinding yxh-read-pods
Name:         yxh-read-pods
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  pods-reader
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  yxh
[role]# kubectl config use-context yxh@kubernetes
Switched to context "yxh@kubernetes".
[role]# kubectl get svc
No resources found.
Error from server (Forbidden): services is forbidden: User "yxh" cannot list services in the namespace "default"
[role]# kubectl get pods
NAME                             READY     STATUS              RESTARTS   AGE
myapp-deploy-67f6f6b4dc-2986w    1/1       Running             0          6d
myapp-deploy-67f6f6b4dc-czvq4    1/1       Running
[role]# kubectl get pods -n kube-system
No resources found.
Error from server (Forbidden): pods is forbidden: User "yxh" cannot list pods in the namespace "kube-system"

The three results match the rules above: the Role covers pods only (services are still forbidden), and the RoleBinding lives in default, so the same verb on pods in kube-system is forbidden as well.


Dashboard deployment

 1. Load the image: the manifest pulls from the Google registry (k8s.gcr.io), which is not reachable from this environment, so the image tarball has to be loaded on every node
    docker load < kubernetes-dashboard-amd64.tar
 2. Set the image tag in the manifest to the version that was loaded
      containers:
      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3
 3. Check that the dashboard pod is running
 # kubectl get pods -n kube-system
  NAME                                   READY     STATUS    RESTARTS   AGE
  kubernetes-dashboard-6948bdb78-h6z25   1/1       Running   0          37s
 4. The Service is of type ClusterIP, so it is reachable only from inside the cluster
 # kubectl get svc -n kube-system
   NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
  kube-dns               ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP   260d
  kubernetes-dashboard   ClusterIP   10.109.157.47   <none>        443/TCP         1m
 5. Change it to NodePort; the assigned port then appears in the PORT(S) column as 443:<nodeport>/TCP
 # kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
 service/kubernetes-dashboard patched
   Caveat: NodePort publishes the dashboard on that port on every node's address. For a lab this is fine; anywhere else, firewall the port or reach the dashboard through kubectl proxy instead of exposing it.


Note: because the dashboard uses a self-signed certificate, most browsers refuse the connection; Firefox lets you add a security exception (Exceptions) and continue.

Dashboard login configuration

Token authentication

# kubectl create serviceaccount dashboard-admin -n kube-system
serviceaccount/dashboard-admin created
# kubectl get sa -n kube-system
NAME                                 SECRETS   AGE
attachdetach-controller              1         261d
bootstrap-signer                     1         261d
certificate-controller               1         261d
clusterrole-aggregation-controller   1         261d
coredns                              1         261d
cronjob-controller                   1         261d
daemon-set-controller                1         261d
dashboard-admin                      1         9s
default                              1         261d
deployment-controller                1         261d
disruption-controller                1         261d
endpoint-controller                  1         261d
expand-controller                    1         261d
flannel                              1         261d
generic-garbage-collector            1         261d
horizontal-pod-autoscaler            1         261d
job-controller                       1         261d
kube-proxy                           1         261d
kubernetes-dashboard                 1         20h
namespace-controller                 1         261d
node-controller                      1         261d
persistent-volume-binder             1         261d
pod-garbage-collector                1         261d
pv-protection-controller             1         261d
pvc-protection-controller            1         261d
replicaset-controller                1         261d
replication-controller               1         261d
resourcequota-controller             1         261d
service-account-controller           1         261d
service-controller                   1         261d
statefulset-controller               1         261d
token-cleaner                        1         261d
ttl-controller                       1         261d
# kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin created
# kubectl get secret -n kube-system
NAME                                             TYPE                                  DATA      AGE
attachdetach-controller-token-59k84              kubernetes.io/service-account-token   3         261d
clusterrole-aggregation-controller-token-tnqvr   kubernetes.io/service-account-token   3         261d
coredns-token-nstwr                              kubernetes.io/service-account-token   3         261d
cronjob-controller-token-cqmsp                   kubernetes.io/service-account-token   3         261d
daemon-set-controller-token-mlp6k                kubernetes.io/service-account-token   3         261d
dashboard-admin-token-lr9j6                      kubernetes.io/service-account-token   3         4m
default-token-czx5p                              kubernetes.io/service-account-token   3         261d
deployment-controller-token-nr9lf                kubernetes.io/service-account-token   3         261d
job-controller-token-s9j82                       kubernetes.io/service-account-token   3         261d
kube-proxy-token-d58zg                           kubernetes.io/service-account-token   3         261d
kubernetes-dashboard-certs                       Opaque                                0         20h
kubernetes-dashboard-key-holder                  Opaque                                2         20h
kubernetes-dashboard-token-zfb6z                 kubernetes.io/service-account-token   3         20h
namespace-controller-token-fwkbc                 kubernetes.io/service-account-token   3         261d
node-controller-token-nf2tk                      kubernetes.io/service-account-token   3         261d
persistent-volume-binder-token-5xs9v
token-cleaner-token-5xsxp                        kubernetes.io/service-account-token   3         261d
ttl-controller-token-wv2gh                       kubernetes.io/service-account-token   3         261d
# kubectl describe secret dashboard-admin-token-lr9j6
Error from server (NotFound): secrets "dashboard-admin-token-lr9j6" not found
(Secrets are namespaced; without -n kube-system the lookup runs in default and fails.)
# kubectl describe secret dashboard-admin-token-lr9j6  -n kube-system
Name:         dashboard-admin-token-lr9j6
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=dashboard-admin
              kubernetes.io/service-account.uid=da8cef11-95ab-11e9-9e10-000c2927f194

Type:  kubernetes.io/service-account-token

Data
====
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.[payload omitted].DRxgWYbKCHRbRnQ8ZmNMkFaE6gWaedmOtz9GQg_E0RSKPa2xaauMhtgZxr_Fv2dyWmMWo1a0-1rHn2eVkU8n0JgtwGB-ttqmZPMa-WFBgsaUihzltSCU3ghmJogg6yz5Tav2Els4HOlVL2c_q0K3WCrOFefl_M-to9n4dd61444es2nY7pWC8b1X6udFASTtYNBqGwVbc6MgctN4iwamtzRe0j-qhtoj4wEFU6SnLNH4Po7XMz_U7TgcBM_3VunJx6ZbE9nRTbL-VEijlN5Si-Qwx0f3G2YUxPE2HP_0ZVp7n8E5nQnePn3sUTJRm3DHTz4AxWuSOw2CV7lFiBjDbQ
ca.crt:     1025 bytes

# Summary of the steps
 1. Create the service account
  # kubectl create serviceaccount   dashboard-admin -n kube-system
  serviceaccount/dashboard-admin created
  # kubectl get sa -n kube-system

 2. Bind the service account to a ClusterRole with a ClusterRoleBinding
   # kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin created

 3. Read the service account's token and paste it into the dashboard login page
  # kubectl get secret -n kube-system
  # kubectl describe secret dashboard-admin-token-lr9j6  -n kube-system

   Caveat: this service account is now cluster-admin, and because the token comes from a legacy service-account secret it carries no expiry; whoever obtains it owns the cluster until the secret is deleted. For day-to-day use bind a narrower ClusterRole (the built-in view, or a custom one) to the dashboard account and keep cluster-admin tokens out of browsers. From Kubernetes 1.24 on, no token secret is created automatically; request one with kubectl create token instead.
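Fetching and inspecting the token, added here as an example and not part of the original post. The token printed by kubectl describe is a JWT; before pasting it into a browser it is worth decoding the payload to confirm which account it belongs to and whether it expires. SAMPLE_TOKEN below is constructed inside the script with the legacy claim names and a placeholder signature so the inspection runs offline; sa_token needs a real cluster and handles both the pre-1.24 secret and the 1.24+ kubectl create token path.

```shell
#!/bin/sh
# Added example, not from the original post: fetch a service-account token and
# inspect it before handing it to a browser. SAMPLE_TOKEN is constructed below
# with a placeholder signature so the inspection part runs offline; sa_token
# needs a real cluster and kubectl.

b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }

# JWT segments are base64url without padding; restore the padding before decoding.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# jwt_claim TOKEN NAME: one string-valued claim from the payload (2nd segment).
# Sufficient for the flat, unescaped claims in service-account tokens.
jwt_claim() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" \
    | tr ',' '\n' | sed -n "s|^{\{0,1\}\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# jwt_expires TOKEN: 0 if the payload carries an exp claim. Legacy secret-based
# service-account tokens have none: they stay valid until the secret is deleted.
jwt_expires() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" | grep -q '"exp":'
}

# sa_token NAMESPACE SA: real retrieval. Before 1.24 the controller created a
# kubernetes.io/service-account-token secret (what the page reads with
# kubectl describe secret); from 1.24 on none is created, so a bound,
# time-limited token is requested instead.
sa_token() {
  ns=$1; sa=$2
  secret=$(kubectl -n "$ns" get sa "$sa" -o jsonpath='{.secrets[0].name}')
  if [ -n "$secret" ]; then
    kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d
  else
    kubectl -n "$ns" create token "$sa" --duration=1h
  fi
}

# inspect_token TOKEN: whom the token authenticates as, and whether it expires.
inspect_token() {
  printf 'subject:   %s\n' "$(jwt_claim "$1" sub)"
  printf 'namespace: %s\n' "$(jwt_claim "$1" kubernetes.io/serviceaccount/namespace)"
  if jwt_expires "$1"; then
    echo 'expires:   yes (exp claim present)'
  else
    echo 'expires:   never; legacy token, revoke it by deleting the secret'
  fi
}

# Constructed sample, NOT a real credential: header and claim names follow the
# legacy service-account token format seen above; the signature is a placeholder.
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","kid":""}').$(b64url_encode '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/secret.name":"dashboard-admin-token-lr9j6","kubernetes.io/serviceaccount/service-account.name":"dashboard-admin","sub":"system:serviceaccount:kube-system:dashboard-admin"}').placeholder-signature"

inspect_token "$SAMPLE_TOKEN"
# With a cluster: inspect_token "$(sa_token kube-system dashboard-admin)"
```

The subject string system:serviceaccount:<namespace>:<name> is exactly the identity RBAC matches against the ClusterRoleBinding created above, so a token whose subject is not the account you expect should never be bound to cluster-admin, and a token without exp should be treated like a long-lived password.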


Original URL: https://www.cnblogs.com/yxh168/p/11072125.html

Time: 2024-11-06 21:50:41
