Kubernetes (16): Authenticated Access to the Dashboard


Dashboard:https://github.com/kubernetes/dashboard

Deploying the Dashboard

Download the YAML file:

[[email protected] manifests]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

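Inspect the YAML.
The Deployment's image has to be pulled from the k8s.gcr.io registry, which cannot be pulled successfully from inside China. There are two ways around this:

  1. Pull the image kubernetes-dashboard-amd64:v1.10.1 on the nodes in advance, then change its tag with docker tag.
  2. Change the image in the YAML file directly to a registry you can reach: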
[[email protected] manifests]# vim kubernetes-dashboard.yaml
......
        #image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
        image: xiaobai20201/kubernetes-dashboard-amd64:v1.10.1 # my own Docker Hub repository
......

The Service in the YAML file does not specify a type. Set it to NodePort so that the Dashboard can be reached from outside the cluster:

......
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  type: NodePort
  ......

Apply it:

[[email protected] manifests]# kubectl apply -f kubernetes-dashboard.yaml
secret/kubernetes-dashboard-certs created
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created

[[email protected] manifests]# kubectl get pods -n kube-system
NAME                                   READY   STATUS    RESTARTS   AGE
coredns-78d4cf999f-6cb69               1/1     Running   0          11d
coredns-78d4cf999f-tflpn               1/1     Running   0          11d
etcd-master                            1/1     Running   0          11d
kube-apiserver-master                  1/1     Running   0          11d
kube-controller-manager-master         1/1     Running   0          11d
kube-flannel-ds-amd64-gtv85            1/1     Running   0          11d
kube-flannel-ds-amd64-gwbql            1/1     Running   1          11d
kube-flannel-ds-amd64-ml7nf            1/1     Running   0          11d
kube-proxy-ch4vp                       1/1     Running   0          11d
kube-proxy-cz2rf                       1/1     Running   1          11d
kube-proxy-kdp7d                       1/1     Running   0          11d
kube-scheduler-master                  1/1     Running   0          11d
kubernetes-dashboard-6f9998798-klf4t   1/1     Running   0          2m46s

[[email protected] manifests]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP   11d
kubernetes-dashboard   NodePort    10.104.230.45   <none>        443:30650/TCP   43s

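Open https://10.0.0.10:30650 in a browser. Note that the HTTPS certificate here is not trusted, so Chrome blocks the page; use Firefox instead and accept the certificate under the advanced options.

In k8s the Dashboard can be accessed in two ways: kubeconfig (HTTPS) and token (http):

Token authentication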

  1. Create a dedicated certificate for the dashboard
[[email protected] manifests]# cd /etc/kubernetes/pki/
[[email protected] pki]# (umask 077;openssl genrsa -out dashboard.key 2048)
Generating RSA private key, 2048 bit long modulus
...................................................................+++
.......+++
e is 65537 (0x10001)
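  2. Create the certificate signing request
[[email protected] pki]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=white/CN=dasnboard" # if you later access the dashboard by domain name, /CN must match that domain
  3. Sign the certificate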
[[email protected] pki]# openssl x509 -req -in dashboard.csr  -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 3650
Signature ok
subject=/O=white/CN=dasnboard
Getting CA Private Key
  4. Set up a token that can access only the default namespace
[[email protected] pki]# kubectl create secret generic dashboard-cert -n kube-system --from-file=dashboard.crt=./dashboard.crt  --from-file=dashboard.key=./dashboard.key
secret/dashboard-cert created

[[email protected] pki]# kubectl get secret -n kube-system |grep dashboard
dashboard-cert                                   Opaque                                2      25s
kubernetes-dashboard-certs                       Opaque                                0      101m
kubernetes-dashboard-key-holder                  Opaque                                2      100m
kubernetes-dashboard-token-4pln6                 kubernetes.io/service-account-token   3      101m

# Create the ServiceAccount
[[email protected] pki]# kubectl create serviceaccount def-ns-admin -n default
serviceaccount/def-ns-admin created

# Bind the ServiceAccount to the admin ClusterRole
[[email protected] pki]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin
rolebinding.rbac.authorization.k8s.io/def-ns-admin created

[[email protected] pki]# kubectl get secret
NAME                       TYPE                                  DATA   AGE
admin-token-sswgb          kubernetes.io/service-account-token   3      4d1h
def-ns-admin-token-p5nxf   kubernetes.io/service-account-token   3      74s
default-token-dqd2f        kubernetes.io/service-account-token   3      11d
mysql-root-password        Opaque                                1      5d
tomcat-ingress-secret      kubernetes.io/tls                     2      6d5h
[[email protected] pki]# kubectl describe secret def-ns-admin-token-p5nxf
Name:         def-ns-admin-token-p5nxf
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: def-ns-admin
              kubernetes.io/service-account.uid: 45e2e667-59d0-11e9-80a7-000c295ec349

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw

Copy the token and paste it into the login page. Keep in mind that this token can only view the contents of the default namespace, as the figure shows.

kube-config authentication

  1. Configure the cluster information for def-ns-admin
[[email protected] pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://10.0.0.10:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf
Cluster "kubernetes" set.
  2. Write the token into the credentials
[[email protected] pki]# kubectl config set-credentials -h   # credentials can be configured with crt and key files or with a token; a token is used here

[[email protected] pki]#  kubectl describe secret def-ns-admin-token-p5nxf
Name:         def-ns-admin-token-p5nxf
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: def-ns-admin
              kubernetes.io/service-account.uid: 45e2e667-59d0-11e9-80a7-000c295ec349

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw

# The token stored in the Secret is base64-encoded, so it has to be decoded here
[[email protected] pki]# kubectl get secret def-ns-admin-token-p5nxf -o jsonpath={.data.token} |base64 -d
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw

# Configure the token credentials
[[email protected] pki]# kubectl config set-credentials def-ns-admin --token=eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw  --kubeconfig=/root/def-ns-admin.conf
User "def-ns-admin" set.
  3. Configure the context and the current context
[[email protected] ~]# kubectl config set-context [email protected] --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf
Context "[email protected]" created.

[[email protected] ~]# kubectl config view --kubeconfig=/root/def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://10.0.0.10:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: def-ns-admin
  name: [email protected]
current-context: ""
kind: Config
preferences: {}
users:
- name: def-ns-admin
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wNW54ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWUyZTY2Ny01OWQwLTExZTktODBhNy0wMDBjMjk1ZWMzNDkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.BhsCdi6yjO4-epmIUEXgSvO332FDvOM8_HdWGCEeES08aiLu4hPg3kGunSkkX5YUDyjU7A_wxzHSFvT4pqMQ-ufSDXmVfdNRe1ZTbgbncvJR2_OeclbKCjUqyYaXYs-UNk-qGPxLQT8Qq9fg73SSlqGF4jI8TzbblXZIGnhcTsdCfMwFoAd3i9u_pEFHgFzVV1XdAR9bV1EnGOpTP5J5RXsZnWyLkQu8LxVB3uHJt_HvsAop9OGLcOJIVEYnfMVl4DO_ieJrspFDqlfm4n_t9JFMpJ13cPTBPSGKeLmdt9xtK6WLKjzvxC59i_xaovC14VJz3vNEZ__wXnGUpyjyJw

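Copy /root/def-ns-admin.conf to the host machine. In the browser choose Kubeconfig authentication, load this file and click the sign-in button to get access, as the figure shows.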
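
The token pasted into the login page and the token embedded in def-ns-admin.conf are the same bearer credential. The Python code below is an added example, not part of the original post: it decodes such a token's claims without verifying the signature and scans kubeconfig text for static tokens. The sample token and kubeconfig are constructed, and the function names are this example's own.

```python
import base64
import json
import re

def b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_sa_token(token):
    """Decode (without verifying the signature) a ServiceAccount JWT."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    exp = claims.get("exp")
    return {
        "subject": claims.get("sub"),  # the identity that RBAC bindings refer to
        "namespace": claims.get("kubernetes.io/serviceaccount/namespace"),
        "expires": exp,
        "non_expiring": exp is None,   # legacy Secret-based tokens carry no exp claim
    }

def audit_kubeconfig(text):
    """Line-based scan (not a YAML parser) for static bearer tokens in a kubeconfig."""
    findings = []
    for match in re.finditer(r"^\s*token:\s*(\S+)\s*$", text, re.MULTILINE):
        try:
            findings.append(inspect_sa_token(match.group(1)))
        except ValueError:
            findings.append({"subject": None, "opaque": True})  # not a decodable JWT
    return findings

# Constructed sample: same claim layout as a Secret-based token, fake signature.
SAMPLE_TOKEN = ".".join(b64url_encode(part) for part in (
    json.dumps({"alg": "RS256", "kid": ""}).encode(),
    json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "default",
        "sub": "system:serviceaccount:default:def-ns-admin",
    }).encode(),
    b"constructed-not-a-real-signature",
))
SAMPLE_KUBECONFIG = "users:\n- name: def-ns-admin\n  user:\n    token: " + SAMPLE_TOKEN + "\n"

if __name__ == "__main__":
    print(json.dumps(audit_kubeconfig(SAMPLE_KUBECONFIG), indent=2))
```

A finding with non_expiring set to true means the kubeconfig file stays valid until the ServiceAccount's Secret is deleted, so the file needs the same handling as the token itself.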

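Summary

  1. When deploying the dashboard, the image in the Deployment of the official YAML file has to be replaced with a source reachable from inside China (here the personal xiaobai20201 repository).
  2. In the official YAML file, spec.type of the Service has to be changed to NodePort.
  3. The account used to log in must be a ServiceAccount: the dashboard pod presents it to Kubernetes for authentication. There are two ways to authenticate:
  • token:

    1. Create a ServiceAccount and, according to what it is meant to manage, bind it with a rolebinding or clusterrolebinding to a suitable role or clusterrole;
    2. Get the ServiceAccount's secret and view its details, which include the token;
    3. Copy the token into the login page to sign in.
  • kubeconfig: wrap the ServiceAccount's token in a kubeconfig file

    1. Create a ServiceAccount and, according to what it is meant to manage, bind it with a rolebinding or clusterrolebinding to a suitable role or clusterrole;
    2. Find the ServiceAccount's secret and decode its token:
kubectl get secret |awk '/^ServiceAccount/{print $1}'
KUBE_TOKEN=$(kubectl get secret SERVICEACCOUNT_SECRET_NAME -o jsonpath={.data.token} | base64 -d)
    3. Generate the kubeconfig file:
kubectl config set-cluster
kubectl config set-credentials NAME --token=$KUBE_TOKEN
kubectl config set-context
kubectl config use-context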

Original article: https://www.cnblogs.com/wlbl/p/10694371.html

Time: 2024-07-30 11:26:20
