kubernetes dashboard 认证及分级授权

Posted crazymagic

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了kubernetes dashboard 认证及分级授权相关的知识,希望对你有一定的参考价值。

概述

前面介绍了kubernetes的两个东西,认证和授权

在kubernetes中我们对API server的一次访问大概会包含哪些信息?简单来讲它是restfule风格接口,也就是某个用户对某个操作执行了某个操作。 subject --> action --> object

  • 因此我们授权定义也是围绕这种方式展开的,同时我们也不能允许所有用户随意就能够访问我们k8s
  • 所以我们讲到了认证,讲到了它的两种认证方式,第一种叫token,一种叫证书认证,即tls,当然还有第三种方式认证,账号和密码(user/passwd),这种方式很少用。重点介绍了tls认证,并且我们还自己建了证书而且构建了一个所谓的基于kubectl 访问的内部账号,但是在此我们需要交代的是我们用户账号有两类,第一类叫UserAccount(虽然存在于k8s之上但是我们不需要单独去创建它,它只是一个对应的用户身份标识,无论通过token还是tls认证完以后用户宣称自己是什么用户他就是什么用户),第二类称为ServiceAccount,也叫sa

授权的方式RBAC

  • 其有四个标准的资源:role,rolebinding,clusterrole,clusterrolebinding
  • 能够作为授权中的subject使用的大概有三类主体,第一类称为用户(user),第二类称为组(group),第三类称为serviceaccount
  • 还有我们k8s上的三种资源object: resouce_group   resource  non-resource url
  • 在role或者clusterrole之上我们定义的是能够对哪些对象执行哪些操作,所以接下来就是action:有get,list,watch,path,delete,deletecollection等
  • rolebinding或者clusterrolebinding就是为了指明subject,指明role或者clusterrole以及怎么绑

Dashboard

  到目前为止我们一直都是用kubernetes的kubectl或者使用kube proxy或者使用curl命令在命令行中去请求k8s的api,我们dashboard是作为我们kubernetes的核心附件(addons)存在的,我们系统安装时就默认就自动安装了一个附件叫做coredns,coredns是作为名称解析和服务发现的一个非常重要的凭据。在1.10及以前的版本中它用的是kube-dns,在1.8之后我们去部署kube-dashboard时它有个更复杂的权限检查了,传统的我们在互联网上看到的开放访问的方式大都不一定支持了,所以我们把它放到最后来讲因为kubeadm部署安装的k8s集群默认是强制启用的RBAC的,而dashbord它的接口是管理整个k8s集群的接口,所以他在实现认证和管理时不是自我认证的,可以认为它只是一个k8s集群的前端,也就是说你登陆dashbord时输入的账号和密码一定是k8s之上的账号和密码,和k8s的dashboard自身没有任何关系,它自己不做认证,它是一个认证代理,所有的账号都应该是k8s之上的账号,所有的授权应该也都是k8s之上的授权

部署一个dashboard,首先我们使用一个在线的配置清单,它会根据定义去下载镜像

拉取镜像

docker pull mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1

 

重新打标签

tag mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1

 

删除无用镜像

docker rmi mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1

  

部署 dashboard

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

  

看dashboard的POD是否正常启动,如果正常说明安装成功  

kubectl get pods --namespace=kube-system 

技术图片

 

部署脚本

技术图片
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ------------------- Dashboard Secret ------------------- #

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create kubernetes-dashboard-key-holder secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create kubernetes-dashboard-settings config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update kubernetes-dashboard-settings config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Deployment ------------------- #

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: 
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule

---
# ------------------- Dashboard Service ------------------- #

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
kubernetes-dashboard.yml

 

 使用补丁的方式将 service类型为clusterIP类型,我们需要将其改为nodeport类型

kubectl patch svc kubernetes-dashboard -p ‘"spec":"type":"NodePort"‘ -n kube-system
service/kubernetes-dashboard not patched

 

查看暴露的服务

kubectl get svc -n svc --all-namespaces

技术图片

访问

https://192.168.228.138:32602

 

技术图片

 

token认证

 创建一个serviceaccount

kubectl create serviceaccount dashboard-admin -n kube-system

接下来我们需要通过所谓的rolebinding把这个dashboard-admin和我们的集群管理员建立起绑定关系来,不然它无法透过我们的rbac的权限检查。什么意思呢?dashboard接下来部署完以后登录进来后期望dashboard做什么事?假如我要做整个集群的管理,做整个集群的管理也就意味着运行此pod的serviceaccount应该具有整个集群的访问权限,所以我们就需要把这个dashboard-admin使用clusterrolebinding绑定在cluster-admin这个角色上,因此我们接下来做第二步,把我们serviceaccount绑定在cluster-admin这个集群角色上  

kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin

 

查看 dashboard secret

kubectl get  secret  -n kube-system

 技术图片

定完过后我们接下来就可以获取对应的serviceaccount的secret的信息并且我们通过这个secret就可以访问集群了

kubectl describe secret dashboard-admin-token-vqqxh -n kube-system

技术图片

我们可以看到这个token令牌,将这个令牌复制出来就可以登录了

技术图片

 

  

 

以上是关于kubernetes dashboard 认证及分级授权的主要内容,如果未能解决你的问题,请参考以下文章

kuberneters dashboard认证及分级授权

kubernetes dashboard 认证及分级授权

kubernetes搭建dashboard

k8s之dashboard认证资源需求资源限制及HeapSter

k8s在dashboard实现静态文件认证

每天5分钟玩转Kubernetes | Dashboard配置登录权限