How do I sign in to the Kubernetes dashboard?
I just upgraded kubeadm and kubelet to v1.8.0, and installed the dashboard following the official documentation.
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
After that, I started the dashboard by running:
$ kubectl proxy --address="192.168.0.101" -p 8001 --accept-hosts='^*$'
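Fortunately, I was able to access the dashboard through http://192.168.0.101:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
I was redirected to a login page like this, which I had never seen before. It looks like there are two ways of authenticating.
I tried to upload /etc/kubernetes/admin.conf as the kubeconfig, but it failed. Then I tried to sign in with the token I got from kubeadm token list, but that failed again.
The question is how I can sign in to the dashboard. It looks like they added a lot more security mechanisms than before. Thanks.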
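As of release 1.7, Dashboard uses a more secure setup. This means that by default it has a minimal set of privileges and can only be accessed over HTTPS. It is recommended to read the Access Control guide before performing any further steps.
As of release 1.7, Dashboard supports user authentication based on:
- Bearer Token that can be used on the Dashboard login view.
- Username/password that can be used on the Dashboard login view.
--- Dashboard on Github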
Token
Here Token can be a Static Token, Service Account Token, or OpenID Connect Token from Kubernetes Authenticating, but not the kubeadm Bootstrap Token.
With kubectl, we can get a service account (e.g. the deployment controller) created in Kubernetes by default.
$ kubectl -n kube-system get secret
# All secrets with type 'kubernetes.io/service-account-token' will allow to log in.
# Note that they have different privileges.
NAME TYPE DATA AGE
deployment-controller-token-frsqj kubernetes.io/service-account-token 3 22h
$ kubectl -n kube-system describe secret deployment-controller-token-frsqj
Name: deployment-controller-token-frsqj
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name=deployment-controller
kubernetes.io/service-account.uid=64735958-ae9f-11e7-90d5-02420ac00002
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZXBsb3ltZW50LWNvbnRyb2xsZXItdG9rZW4tZnJzcWoiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVwbG95bWVudC1jb250cm9sbGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNjQ3MzU5NTgtYWU5Zi0xMWU3LTkwZDUtMDI0MjBhYzAwMDAyIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRlcGxveW1lbnQtY29udHJvbGxlciJ9.OqFc4CE1Kh6T3BTCR4XxDZR8gaF1MvH4M3ZHZeCGfO-sw-D0gp826vGPHr_0M66SkGaOmlsVHmP7zmTi-SJ3NCdVO5viHaVUwPJ62hx88_JPmSfD0KJJh6G5QokKfiO0WlGN7L1GgiZj18zgXVYaJShlBSz5qGRuGf0s1jy9KOBt9slAN5xQ9_b88amym2GIXoFyBsqymt5H-iMQaGP35tbRpewKKtly9LzIdrO23bDiZ1voc5QZeAZIWrizzjPY5HPM1qOqacaY9DcGc7akh98eBJG_4vZqH2gKy76fMf0yInFTeNKr45_6fWt8gRM77DQmPwb3hbrjWXe1VvXX_g
Kubeconfig
The user in the kubeconfig file needs either username & password or token, while admin.conf only has client-certificate.
$ kubectl config set-credentials cluster-admin --token=bearer_token
Alternative (Not recommended for Production)
Here are two ways to bypass the authentication, but use with caution.
Deploy dashboard with HTTP
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/alternative/kubernetes-dashboard.yaml
Dashboard can be loaded at http://localhost:8001/ui with kubectl proxy.
Granting admin privileges to Dashboard's Service Account
$ cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
EOF
Afterwards you can use the Skip option on the login page to access Dashboard.
If you are using dashboard version v1.10.1 or later, you must also add --enable-skip-login to the deployment's command line arguments. You can do so by adding it to the args in kubectl edit deployment/kubernetes-dashboard --namespace=kube-system.
Example:
containers:
- args:
  - --auto-generate-certificates
  - --enable-skip-login            # <-- add this line
  image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
TL;DR
To get the token in a single oneliner:
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | awk '/^deployment-controller-token-/{print $1}') | awk '$1=="token:"{print $2}'
This assumes that your ~/.kube/config is present and valid, and also that kubectl config get-contexts indicates that you are using the correct context (cluster and namespace) for the dashboard you are logging into.
Explanation
I derived this answer from what I learned from @silverfox's answer. That is a very informative write up. Unfortunately it falls short of telling you how to actually put the information into practice. Maybe I've been doing DevOps too long, but I think in shell. It's much more difficult for me to learn or teach in English.
Here is that oneliner with line breaks and indents for readability:
kubectl -n kube-system describe secret $(
  kubectl -n kube-system get secret | \
  awk '/^deployment-controller-token-/{print $1}'
) | \
awk '$1=="token:"{print $2}'
There are 4 distinct commands and they get called in this order:
- Line 2 - This is the first command from @silverfox's Token section.
- Line 3 - Print only the first field of the line beginning with deployment-controller-token- (which is the pod name)
- Line 1 - This is the second command from @silverfox's Token section.
- Line 5 - Print only the second field of the line whose first field is "token:"
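To see which identity an extracted token carries before pasting it into the login view, and why the token from kubeadm token list in the question is rejected, the claims can be read offline. This is an added example, not code from the answers; describe_token and SAMPLE_TOKEN are hypothetical names, the sample token is constructed, and the claim names follow the legacy service account token shown in the first answer.

```python
import base64
import json
import re

BOOTSTRAP_RE = re.compile(r"^[a-z0-9]{6}\.[a-z0-9]{16}$")  # kubeadm token format
SA_PREFIX = "kubernetes.io/serviceaccount/"

def _b64url(obj) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token: same claim names as a legacy service account
# token, with a placeholder where the real signature would be.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({
        "iss": "kubernetes/serviceaccount",
        SA_PREFIX + "namespace": "kube-system",
        SA_PREFIX + "service-account.name": "deployment-controller",
        "sub": "system:serviceaccount:kube-system:deployment-controller",
    }),
    "constructed-signature",
])

def describe_token(token: str) -> dict:
    """Classify a pasted credential; claims are read, NOT signature-verified."""
    token = token.strip()
    if BOOTSTRAP_RE.match(token):  # not accepted by the dashboard login view
        return {"kind": "kubeadm-bootstrap-token", "dashboard_login": False}
    parts = token.split(".")
    if len(parts) != 3:  # e.g. a static token: nothing to decode
        return {"kind": "opaque", "dashboard_login": None}
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64 or bad JSON
        return {"kind": "opaque", "dashboard_login": None}
    if not isinstance(claims, dict) or claims.get("iss") != "kubernetes/serviceaccount":
        return {"kind": "other-jwt", "dashboard_login": None}
    return {
        "kind": "service-account-token",
        "namespace": claims.get(SA_PREFIX + "namespace"),
        "service_account": claims.get(SA_PREFIX + "service-account.name"),
        "subject": claims.get("sub"),
        "dashboard_login": True,
    }

if __name__ == "__main__":
    print(describe_token(SAMPLE_TOKEN))
```

The privileges behind the login are those of the reported service account, so a token for deployment-controller and a token for a cluster-admin account behave very differently in the dashboard.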
If you don't want to grant admin permission to dashboard service account, you can create cluster admin service account.
$ kubectl create serviceaccount cluster-admin-dashboard-sa
$ kubectl create clusterrolebinding cluster-admin-dashboard-sa \
--clusterrole=cluster-admin \
--serviceaccount=default:cluster-admin-dashboard-sa
And then, you can use the token of just created cluster admin service account.
$ kubectl get secret | grep cluster-admin-dashboard-sa
cluster-admin-dashboard-sa-token-6xm8l kubernetes.io/service-account-token 3 18m
$ kubectl describe secret cluster-admin-dashboard-sa-token-6xm8l
I quoted it from giantswarm guide - https://docs.giantswarm.io/guides/install-kubernetes-dashboard/
Combining two answers: 49992698 and 47761914 :
# Create service account
kubectl create serviceaccount cluster-admin-dashboard-sa
# Bind ClusterAdmin role to the service account
kubectl create clusterrolebinding cluster-admin-dashboard-sa \
--clusterrole=cluster-admin \
--serviceaccount=default:cluster-admin-dashboard-sa
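# Parse the token (the service account above lives in the default namespace, so its secret is looked up there)
TOKEN=$(kubectl -n default describe secret $(kubectl -n default get secret | awk '/^cluster-admin-dashboard-sa-token-/{print $1}') | awk '$1=="token:"{print $2}')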
All the previous answers are good to me. But a straightforward answer on my side would come from https://github.com/kubernetes/dashboard/wiki/Creating-sample-user#bearer-token. Just use kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}'). You will have many values for some keys (Name, Namespace, Labels, ..., token). The most important is the token that corresponds to your name. Copy that token and paste it in the token box. Hope this helps.
The skip login has been disabled by default due to security issues. https://github.com/kubernetes/dashboard/issues/2672
In your dashboard yaml add this arg
- --enable-skip-login
to get it back.
A self-explanatory simple one-liner to extract token for kubernetes dashboard login.
kubectl describe secret -n kube-system | grep deployment -A 12
Copy the token and paste it into the Kubernetes dashboard under the token sign-in option, and you are good to use the Kubernetes dashboard.
Download https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/alternative/kubernetes-dashboard.yaml
Add
type: NodePort for the Service
And then run this command:
kubectl apply -f kubernetes-dashboard.yaml
Find the exposed port with this command:
kubectl get services -n kube-system
You should be able to get the dashboard at http://hostname:exposedport/ with no authentication.
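The shortcuts in the answers above (cluster-admin bound to the dashboard's service account, --enable-skip-login, a NodePort Service) are easy to leave behind on a cluster, so here is a check for them as an added example, not code from any of the answers. audit_dashboard and the finding labels are hypothetical names, and the input is a constructed sample shaped like the items of kubectl get ... -o json.

```python
import json

# Constructed sample: objects shaped like the "items" of `kubectl get ... -o json`
# for a cluster set up as in the "not recommended" alternatives on this page.
SAMPLE = json.loads("""[
 {"kind": "ClusterRoleBinding", "metadata": {"name": "kubernetes-dashboard"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                "namespace": "kube-system"}]},
 {"kind": "Deployment",
  "metadata": {"name": "kubernetes-dashboard", "namespace": "kube-system"},
  "spec": {"template": {"spec": {"containers": [
    {"args": ["--auto-generate-certificates", "--enable-skip-login"]}]}}}},
 {"kind": "Service",
  "metadata": {"name": "kubernetes-dashboard", "namespace": "kube-system"},
  "spec": {"type": "NodePort"}}
]""")

DASHBOARD = ("kube-system", "kubernetes-dashboard")  # namespace, name used on this page

def audit_dashboard(items):
    """Return findings about how the dashboard is bound and exposed."""
    found = []
    for obj in items:
        meta, spec = obj.get("metadata", {}), obj.get("spec", {})
        ident = (meta.get("namespace"), meta.get("name"))
        if obj.get("kind") == "ClusterRoleBinding":
            if obj.get("roleRef", {}).get("name") != "cluster-admin":
                continue
            for s in obj.get("subjects") or []:
                if (s.get("kind") == "ServiceAccount"
                        and (s.get("namespace"), s.get("name")) == DASHBOARD):
                    found.append("dashboard-sa-is-cluster-admin")
        elif ident != DASHBOARD:
            continue
        elif obj.get("kind") == "Deployment":
            pod = spec.get("template", {}).get("spec", {})
            if any("--enable-skip-login" in (c.get("args") or [])
                   for c in pod.get("containers", [])):
                found.append("skip-login-enabled")
        elif obj.get("kind") == "Service" and spec.get("type") == "NodePort":
            found.append("service-is-nodeport")
    if {"dashboard-sa-is-cluster-admin", "skip-login-enabled"} <= set(found):
        found.append("unauthenticated-cluster-admin")  # Skip button acts as cluster-admin
    return found

if __name__ == "__main__":
    print(audit_dashboard(SAMPLE))
```

On dashboard versions before v1.10.1, where per the answer above Skip needs no flag, the cluster-admin binding finding alone is the one to act on.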
Reference URL: https://stackoverflow.com/questions/46664104/how-to-sign-in-kubernetes-dashboard