@(kubernetes)[dashboard]
Kubernetes可视WEBUI Dashboard搭建过程与认证原理
1、部署dashboard
dashboard作为官方的开源项目之一,托管在github上,网址:https://github.com/kubernetes/dashboard,作为云原生应用,直接使用kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml一键部署即可食用。
yaml文件内容:
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: kube-system
type: Opaque
---
# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
---
# ------------------- Dashboard Role & Role Binding ------------------- #
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
rules:
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
# Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
---
# ------------------- Dashboard Deployment ------------------- #
kind: Deployment
apiVersion: apps/v1beta2
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
containers:
- name: kubernetes-dashboard
image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0
ports:
- containerPort: 8443
protocol: TCP
args:
- --auto-generate-certificates
# Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work.
# - --apiserver-host=http://my-address:port
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
---
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
ports:
- port: 443
targetPort: 8443
selector:
k8s-app: kubernetes-dashboard
1.1安装和开放dashboard的https访问
如果需要对yaml文件添加点自定义的配置上去,可以把yaml文件下载下来,然后修改食用,这里我选择直接apply官方提供的yaml文件。
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
安装完成后,需要把dashboard的service类型修改为NodePort,以便访问
查看service
~ ]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP 21d
kubernetes-dashboard ClusterIP 10.109.210.10 <none> 443/TCP 7m48s #需要修改这条资源的type为NodePort
修改service
~]# kubectl patch service -n kube-system kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}'
service/kubernetes-dashboard patched
//再次查看service
~]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP 21d
kubernetes-dashboard NodePort 10.109.210.10 <none> 443:32362/TCP 11m //使用32362端口访问
修改完后,此时应该可以使用浏览器用https访问了。
访问网址就是https://nodeIP+port 注意,一般情况下不能使用masterIP访问,除非你把master也配置成为节点了。
2、授权dashboard权限
安装完成后,dashboard会自动创建一个serviceaccount,并用此serviceaccount与api-server交互,完成工作,而它默认创建的role权限有限制。so,我们需要保证该账户是有权限去管理特点资源,在此文中,我将会授权给dashboard的serviceaccount账户最高权限,能管理整个k8s集群所有资源。
2.1、dashboard创建的serviceaccount账户是什么?
在安装时候的yaml文件中,里面有定义serviceaccount和role/rolebinding的资源清单,如下:
#--------创建serviceaccount账户--------------
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
#-------创建Role---------赋予权限
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
rules:
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
# Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
verbs: ["get"]
#---------Rolebingding-------
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
Dashboard创建的serviceaccount名字是:kubernetes-dashboard,而它默认所创建的Role权限很少,并且是工作在kube-system这个名称空间中。
2.2授权给serviceaccount权限
serviceaccount默认的权限很低,并不能很好的去管理集群,接下来,授权最高权限给这个账户。
k8s集群上,默认有个ClusterRole,叫:cluster-admin,它是集群的管理员,拥有集群的最高权限,如果让serviceaccount去扮演此role,也即代表 serviceaccount能管理k8s上所有资源。
~]# kubectl get clusterrole
NAME AGE
admin 21d
cluster-admin #这个
...
使用命令,生成配置清单,然后保存为yaml文件
这个方法的好处能把配置清单生成为yaml文件,将来能复用,使用--dry-run选项,能保证命令仅仅是干跑一遍而不是真正执行。
]# kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:kubernetes-dashboard --dry-run -o yaml > dashboard-admin.yaml
应用yaml文件,创建clusterrolebingding。
]# kubectl apply -f dashboard-admin.yaml
登陆
正确授权后,接下来就是解决登陆问题,Dashboard有2种登陆方法,一是使用配置文件,二是直接使用Token令牌登陆,先来说说Token登陆;
在安装的时候,Dashboard已经自己建立了一个serviceaccount并创建在kube-system这个名称空间中,而k8s会自动为这个serviceaccount创建一个Token,放在secret中。这个Token有什么用呢?简单来讲,是方便POD中的容器去访问api-server的,这个Token信息,被作为volume挂载在容器上,当POD需要和api-server打交道时,会拿这个Token去验证自己的身份。当然,Token不仅仅能用于这个场景,拿去登陆Dashboard的WEBUI验证,也是没问题的。
既然k8s已经为我们创建了一个secret,并把Token放进去,我们只需要拿出来,登陆时,填进去就可以了。
查看kube-system名称空间中的secret信息
]# kubectl get secret -n kube-system
其中会看到有这条secret信息
kubernetes-dashboard-token-wgtl7后面的几位字母数字是随机的。每个人都不一样。
接下来用命令kubectl describe secret -n kube-system kubernetes-dashboard-token-wgtl7查看里面的内容,会看到其中有Token信息。
把Token信息复制出来,就可以拿去登陆了。
这里提醒一下,有人可能会有点疑问,如果抓包抓到了这段token信息,不就完蛋了吗?毕竟Token信息是携带在http报头当中。
别忘了,这是https传输~如果是http传输,抓包当然会抓到Token信息了,但https传输是经过加密的,以现在的技术来说,破解https还是不现实的。抓到的包都是经过加密的,要解密掉才能获得Token信息,如果使用暴力破解,Token密文可是挺长的,暴力破解也不是那么轻易的
使用配置文件登陆
如果每次使用Token登陆,可能有点麻烦,因为每次都需要复制来粘贴去,此时可以使用配置文件来登陆,
创建配置文件大概分为3步
