在前面的文章中,我們介紹了兩種創建Dashboard服務的方法,但是兩種方法登錄之後都缺乏權限,因爲官方推薦的設定文件中創建的service account的權限不足,這篇文章繼續介紹如何綁定就有管理權限的用戶登錄Dashboard。
環境準備
使用如下方式進行Dashboard的環境準備:
- 自動證書生成方式:https://liumiaocn.blog.csdn.net/article/details/104144132
- 外部證書指定方式:https://liumiaocn.blog.csdn.net/article/details/104146361
具有集羣管理權限的用戶
創建一個名爲dashboard-admin的具有集羣管理權限的用戶,設定信息如下所示:
[root@host131 tmp]# cat dashboard-admin.yml
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: dashboard-admin
namespace: kubernetes-dashboard
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
...
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dashboard-admin
namespace: kubernetes-dashboard
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: dashboard-admin
namespace: kubernetes-dashboard
...
[root@host131 tmp]#
創建用戶,執行示例日誌如下所示
[root@host131 tmp]# kubectl apply -f dashboard-admin.yml
serviceaccount/dashboard-admin created
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created
[root@host131 tmp]#
獲取token
使用如下命令獲取token:
執行命令:kubectl -n kubernetes-dashboard get secret -o jsonpath=’{range .items[?(@.metadata.annotations.kubernetes.io/service-account.name==“dashboard-admin”)].data}{.token}{end}’ | base64 -d
執行日誌如下所示:
[root@host131 tmp]# kubectl -n kubernetes-dashboard get secret -o jsonpath='{range .items[?(@.metadata.annotations.kubernetes\.io/service-account\.name=="dashboard-admin")].data}{.token}{end}' | base64 -d
eyJhbGciOiJSUzI1NiIsImtpZCI6Ikt5aFRwRXR6M1hMLU5GTjg0M0R1LTNfNTZLOVNhVUxZd1BSZW9HNGJrMVEifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4ta3hkYjkiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYTRlZGNjZmYtYzY3My00ODkwLTk3MTctNjhkODIzYjI0YzA3Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmVybmV0ZXMtZGFzaGJvYXJkOmRhc2hib2FyZC1hZG1pbiJ9.ehELY1eO5Y-_6DQd2tbx4DZQF7TQV6LuBgInZ0IGhbMUbD5BZ7YP_VNj2SDIVLLgxxYPgewy3CVnDKgkbmVWM746lq6WOT69r7TQE_zBn7Jj8I1ouuRmulR8oKIBf62q9F1NP8fhNe4G97IZivWRBlFuuTKmFzqkrPknSlgwtg4qjyAmFzFjKCSO_KOEh8YrlFrRFmdOvqC3D1B9IwoYO5qmbrTiePbBVgrLBu5ed9GN8aDJle7Pf4GSzXHtlydsVBJgPvtIvioxueWCVJQoEOaNs1Fs0gatwe-22-3-D-BXdSOF260B5qVPMTjgd2zIsv4b8V-Jm2vITu00ycmZaw[root@host131 tmp]#
登錄確認
使用token方式登錄後,可看到如下信息:
確認全namespace的整體信息
Pod的資源使用率仍然沒有獲取到,因爲Metrics Server等尚未啓動
但是可以看到,具有權限的用戶已經可以開始使用Dashboard進行整個集羣的狀態確認了
