Kubernetes Dashboard 设置用户密码登陆

摘要

k8s默认dashboard使用的是token认证,比较麻烦不方便记忆。我们可以配置一个用户密码用于登陆k8s dashboard界面

Kubernetes Dashboard 设置用户密码登陆

Kubernetes
2019年05月20日

K8s 文档
K8s 1.13源码安装
k8s dashboard token访问


仪表板是基于Web的Kubernetes用户界面。您可以使用仪表板将容器化应用程序部署到Kubernetes集群,对容器化应用程序进行故障排除,并管理集群本身及其伴随资源。您可以使用仪表板来概述群集上运行的应用程序,以及创建或修改单个Kubernetes资源(例如部署,作业,守护进程等)。例如,您可以使用部署向导扩展部署,启动滚动更新,重新启动Pod或部署新应用程序。

image_1dba6f63e1u87mic7sp10kma953n.png-47.8kB

默认Kubernetes UI界面是使用token登陆,但是由于token相比较麻烦。我们这里使用密码登陆

1.首先确保K8S集群内部一切正常

  1. [root@i4t ~]# kubectl get node
  2. NAME STATUS ROLES AGE VERSION
  3. yzsjhl82-138.opi.com Ready <none> 22h v1.13.5
  4. yzsjhl82-139.opi.com Ready <none> 22h v1.13.5
  5. yzsjhl82-140.opi.com Ready <none> 22h v1.13.5
  6. yzsjhl82-142.opi.com Ready <none> 22h v1.13.5
  7. [root@i4t ~]# kubectl get pod --all-namespaces
  8. NAMESPACE NAME READY STATUS RESTARTS AGE
  9. default busybox 1/1 Running 23 22h
  10. kube-system coredns-d7964c8db-2t8wl 1/1 Running 1 22h
  11. kube-system coredns-d7964c8db-sbztp 1/1 Running 1 22h
  12. kube-system kube-flannel-ds-amd64-cv5hx 1/1 Running 2 22h
  13. kube-system kube-flannel-ds-amd64-f2f7x 1/1 Running 2 22h
  14. kube-system kube-flannel-ds-amd64-vmm74 1/1 Running 2 22h
  15. kube-system kube-flannel-ds-amd64-zgfmq 1/1 Running 1 22h

2.配置
首先需要说明一点,默认kubernetes Dashboard是需要token登陆。不方便登记,我们可以让dashboard使用用户密码验证登陆

k8s dashboard 搭建

image_1dba4dg9m19p8bed1qgi1km28hf9.png-69.3kB

需要注意几点

  • 修改apiserver
  • 创建用户密码文件
  • 创建yaml文件

[一] 在master上节点上创建文件(用户密码文件)

  1. cat /etc/kubernetes/basic_auth_file
  2. admin,admin,1
  3. cyh,cyh,2
  4. #前面为用户,后面为密码,数字为用户ID不可重复

[二] 在所有master的apiserver启动文件添加一行配置

  1. vim /usr/lib/systemd/system/kube-apiserver.service
  2. --basic-auth-file=/etc/kubernetes/basic_auth_file \
  3. #添加完毕后重启api-server

这里需要说明,以上操作在所有master上执行,在所有节点操作是为了防止有pod飘到非master节点,当然也可以做pod亲和力

[三]创建yaml文件

  1. wget http://down.old.i4t.com/k8s-passwd-dashboard.yaml| kubectl apply -f k8s-passwd-dashboard.yaml

为了防止地址失效,我这里在手动cp一份

  1. # ------------------- Dashboard Secret ------------------- #
  2. apiVersion: v1
  3. kind: Secret
  4. metadata:
  5. labels:
  6. k8s-app: kubernetes-dashboard
  7. name: kubernetes-dashboard-certs
  8. namespace: kube-system
  9. type: Opaque
  10. ---
  11. # ------------------- Dashboard Service Account ------------------- #
  12. apiVersion: v1
  13. kind: ServiceAccount
  14. metadata:
  15. labels:
  16. k8s-app: kubernetes-dashboard
  17. name: kubernetes-dashboard
  18. namespace: kube-system
  19. ---
  20. # ------------------- Dashboard Role & Role Binding ------------------- #
  21. kind: Role
  22. apiVersion: rbac.authorization.k8s.io/v1
  23. metadata:
  24. name: kubernetes-dashboard-minimal
  25. namespace: kube-system
  26. rules:
  27. # Allow Dashboard to create 'kubernetes-dashboard2-key-holder' secret.
  28. - apiGroups: [""]
  29. resources: ["secrets"]
  30. verbs: ["create"]
  31. # Allow Dashboard to create 'kubernetes-dashboard2-settings' config map.
  32. - apiGroups: [""]
  33. resources: ["configmaps"]
  34. verbs: ["create"]
  35. # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  36. - apiGroups: [""]
  37. resources: ["secrets"]
  38. resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  39. verbs: ["get", "update", "delete"]
  40. # Allow Dashboard to get and update 'kubernetes-dashboard2-settings' config map.
  41. - apiGroups: [""]
  42. resources: ["configmaps"]
  43. resourceNames: ["kubernetes-dashboard-settings"]
  44. verbs: ["get", "update"]
  45. # Allow Dashboard to get metrics from heapster.
  46. - apiGroups: [""]
  47. resources: ["services"]
  48. resourceNames: ["heapster"]
  49. verbs: ["proxy"]
  50. - apiGroups: [""]
  51. resources: ["services/proxy"]
  52. resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  53. verbs: ["get"]
  54. ---
  55. apiVersion: rbac.authorization.k8s.io/v1
  56. kind: RoleBinding
  57. metadata:
  58. name: kubernetes-dashboard-minimal
  59. namespace: kube-system
  60. roleRef:
  61. apiGroup: rbac.authorization.k8s.io
  62. kind: Role
  63. name: kubernetes-dashboard-minimal
  64. subjects:
  65. - kind: ServiceAccount
  66. name: kubernetes-dashboard
  67. namespace: kube-system
  68. ---
  69. # ------------------- Dashboard Deployment ------------------- #
  70. kind: Deployment
  71. apiVersion: apps/v1beta2
  72. metadata:
  73. labels:
  74. k8s-app: kubernetes-dashboard
  75. name: kubernetes-dashboard
  76. namespace: kube-system
  77. spec:
  78. replicas: 1
  79. revisionHistoryLimit: 10
  80. selector:
  81. matchLabels:
  82. k8s-app: kubernetes-dashboard
  83. template:
  84. metadata:
  85. labels:
  86. k8s-app: kubernetes-dashboard
  87. spec:
  88. containers:
  89. - name: kubernetes-dashboard
  90. image: mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.8.3
  91. ports:
  92. - containerPort: 8443
  93. protocol: TCP
  94. args:
  95. - --auto-generate-certificates
  96. - --authentication-mode=basic
  97. # Uncomment the following line to manually specify Kubernetes API server Host
  98. # If not specified, Dashboard will attempt to auto discover the API server and connect
  99. # to it. Uncomment only if the default does not work.
  100. # - --apiserver-host=http://my-address:port
  101. volumeMounts:
  102. - name: kubernetes-dashboard-certs
  103. mountPath: /certs
  104. # Create on-disk volume to store exec logs
  105. - mountPath: /tmp
  106. name: tmp-volume
  107. livenessProbe:
  108. httpGet:
  109. scheme: HTTPS
  110. path: /
  111. port: 8443
  112. initialDelaySeconds: 30
  113. timeoutSeconds: 30
  114. volumes:
  115. - name: kubernetes-dashboard-certs
  116. secret:
  117. secretName: kubernetes-dashboard-certs
  118. - name: tmp-volume
  119. emptyDir: {}
  120. serviceAccountName: kubernetes-dashboard
  121. # Comment the following tolerations if Dashboard must not be deployed on master
  122. tolerations:
  123. - key: node-role.kubernetes.io/master
  124. effect: NoSchedule
  125. ---
  126. # ------------------- Dashboard Service ------------------- #
  127. kind: Service
  128. apiVersion: v1
  129. metadata:
  130. labels:
  131. k8s-app: kubernetes-dashboard
  132. name: kubernetes-dashboard
  133. namespace: kube-system
  134. spec:
  135. type: NodePort
  136. ports:
  137. - port: 80
  138. targetPort: 8443
  139. nodePort: 30000
  140. selector:
  141. k8s-app: kubernetes-dashboard

我们可以用过下面命令进行检查
kubectl get pod,svc -n kube-system
ui.png-296.6kB

这里要说一点,我这里的镜像使用的是v1.8.3如果觉得版本低可以更高版本的。
1

访问dashboard界面

由于没有ingress,使用的是IP访问。所以会提示我们证书不安全,我们这里点击忽略直接访问。个别浏览器会造成打不开的,建议使用谷歌或火狐

访问地址:https://master-IP:30000

在任意一台master上访问即可

3.png-223.7kB

这里需要我们输入api-server指定的文件里面的账号密码

跳过是没有权限查看k8s里面所有的信息

image_1dba6516pomk191eenjeg31js22l.png-85.2kB

4.png-450.2kB


新闻联播老司机