Kubernetes

安装k8s dashboard

Posted by 胡伟煌 on 2022-10-23

1. 部署dashboard

1
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml

镜像: kubernetesui/dashboard:v2.5.0

默认端口:8443

登录页面需要填入token或kubeconfig

2. 登录dashboard

2.1. 创建超级管理员

参考:dashboard/creating-sample-user

创建dashboard-adminuser.yaml文件如下:

k8s 1.24+版本需要自行创建secret绑定serviceaccount

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: v1
kind: Secret
metadata:
  name: admin-user-secret
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/service-account.name: "admin-user"   
type: kubernetes.io/service-account-token

创建serviceaccount和ClusterRoleBinding,绑定cluster-admin的超级管理员的权限。

1
kubectl apply -f dashboard-adminuser.yaml

创建用户token

1
kubectl -n kubernetes-dashboard create token admin-user --duration 8760h

或者通过secret查询token

1
kubectl get secret admin-user-secret -n kubernetes-dashboard -o jsonpath={".data.token"} | base64 -d

移除账号

1
2
kubectl -n kubernetes-dashboard delete serviceaccount admin-user
kubectl -n kubernetes-dashboard delete clusterrolebinding admin-user

2.2. 创建Namespace管理员

1、创建角色权限(role)

1
2
3
4
5
6
7
8
9
10
11
12
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: <namespace>
  name: <namespace>-admin-role
rules:
  - apiGroups:
    - '*'
    resources:
    - '*'
    verbs:
    - '*'

2、创建用户账号(ServiceAccount)

1
2
3
4
5
apiVersion: v1
kind: ServiceAccount
metadata:
  name: <namespace>-admin-user
  namespace: <namespace>

创建secret 可自动生成token

1
2
3
4
5
6
7
8
apiVersion: v1
kind: Secret
metadata:
  name: ${SecretName}
  namespace: ${ServiceAccountNS}
  annotations:
    kubernetes.io/service-account.name: "${ServiceAccountName}"   
type: kubernetes.io/service-account-token

3、创建角色绑定关系

1
2
3
4
5
6
7
8
9
10
11
12
13
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: <namespace>-admin-user
  namespace: <namespace>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: <namespace>-admin-role
subjects:
- kind: ServiceAccount
  name: <namespace>-admin-user
  namespace: <namespace>

4、生成token

1
kubectl -n <namespace> create token <ServiceAccount> --duration 8760h

或者通过上述secret中的token获得

1
kubectl get secret ${SecretName} -n ${ServiceAccountNS} -o jsonpath={".data.token"} | base64 -d

2.3. 创建只读账户

集群默认提供了几种命名空间级别的权限,分别设置ClusterRole: [admin, edit, view], 将授权设置为ClusterRoleview即可。

1
2
3
4
5
6
7
8
9
10
11
12
13
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: <namespace>-admin-user
  namespace: <namespace>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: <namespace>-admin-user
  namespace: <namespace>

3. 集成SSO登录

社区提供了添加Authorization header的方式来集成自定义的SSO登录。即在HTTP请求中增加Header: Authorization: Bearer <token>。该操作可以通过apisix或Nginx等插件注入Header。

参考:


支付宝打赏 微信打赏

赞赏一下




FEATURED TAGS
Kubernetes
FRIENDS