k8s Dashboard with username/password authentication

Overview

After moving production workloads onto k8s, most applications became highly available, which lowered maintenance cost and simplified deployment for many applications, but it also brought a number of new problems. For example, developers may need to view the state of their own applications, connection information and logs, or execute commands inside them.

With k8s, the unit of a business application is the Pod rather than a server, so you can no longer simply log in to the server to do these things. Once business applications are deployed on k8s, the official dashboard does allow basic operations such as viewing logs and executing commands, but as an operator you do not want developers to operate on or view Pods outside their own scope, so RBAC has to be used to configure the corresponding permissions.

 

k8s version

[root@master02 ~]# kubectl get nodes
NAME       STATUS   ROLES   AGE   VERSION
master01   Ready   master   14d   v1.19.16
master02   Ready   master   14d   v1.19.16
master03   Ready   master   14d   v1.19.16
node01     Ready   <none>   13d   v1.19.16
node02     Ready   <none>   13d   v1.19.16

 

 

Changing the Dashboard authentication method

ClusterRoles: read-only access to namespaces, viewing container logs, executing commands in containers, and deleting containers, the four most commonly used permissions.

 

Operations on the master nodes

1. Modify kube-apiserver on the master nodes
[root@master02 ~]# vi /etc/kubernetes/cfg/kube-apiserver.conf
# Add the following to the startup parameter configuration file, at the end; adding it elsewhere may trigger a bug
--token-auth-file=/etc/kubernetes/basic_auth_file \
# --basic-auth-file was deprecated around v1.7 and replaced by --token-auth-file


2. Modify the kubernetes-dashboard Deployment in the kubernetes-dashboard namespace
[root@master02 ~]# kubectl edit deployment -n kubernetes-dashboard kubernetes-dashboard
  spec:
    affinity: {}
    containers:
    - args:
      - --auto-generate-certificates
      - --namespace=kubernetes-dashboard
      - --authentication-mode=basic   # add this

3. Create the username/password configuration file (one entry per line, in the static token file format token,user,uid,"group1,group2,...").
[root@master02 ~]# cat /etc/kubernetes/basic_auth_file
test1,test1,3,"system:authentication"
test2,test2,4,"system:authentication"
test3,test3,5,"system:authentication"
test4,test4,6,"system:authentication"

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: ratel-namespace-readonly
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ratel-namespace-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-namespace-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authentication
# Save this and then kubectl apply -f

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-resource-readonly
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-pod-exec
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-pod-delete
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - delete
# Save this and then kubectl create -f

The RoleBindings that grant user test1 the three ClusterRoles in the default namespace:
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: "2021-12-16T16:10:39Z"
    labels:
      ratel: "true"
      username: test1
    managedFields:
    - apiVersion: rbac.authorization.k8s.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:labels:
            .: {}
            f:ratel: {}
            f:username: {}
        f:roleRef:
          f:apiGroup: {}
          f:kind: {}
          f:name: {}
        f:subjects: {}
      manager: ratel
      operation: Update
      time: "2021-12-16T16:10:39Z"
    name: ratel-pod-delete-test1
    namespace: default
    resourceVersion: "1061269"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-pod-delete-test1
    uid: 6c8817db-116c-4355-9b5f-4ed8cab4a0a4
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: ratel-pod-delete
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: test1
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: "2021-12-16T16:10:39Z"
    labels:
      ratel: "true"
      username: test1
    managedFields:
    - apiVersion: rbac.authorization.k8s.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:labels:
            .: {}
            f:ratel: {}
            f:username: {}
        f:roleRef:
          f:apiGroup: {}
          f:kind: {}
          f:name: {}
        f:subjects: {}
      manager: ratel
      operation: Update
      time: "2021-12-16T16:10:39Z"
    name: ratel-pod-exec-test1
    namespace: default
    resourceVersion: "1061268"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-pod-exec-test1
    uid: 5d831581-cc54-4ca2-b097-702f501593f5
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: ratel-pod-exec
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: test1
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: "2021-12-16T16:10:38Z"
    labels:
      ratel: "true"
      username: test1
    managedFields:
    - apiVersion: rbac.authorization.k8s.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:labels:
            .: {}
            f:ratel: {}
            f:username: {}
        f:roleRef:
          f:apiGroup: {}
          f:kind: {}
          f:name: {}
        f:subjects: {}
      manager: ratel
      operation: Update
      time: "2021-12-16T16:10:38Z"
    name: ratel-resource-readonly-test1
    namespace: default
    resourceVersion: "1061267"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-resource-readonly-test1
    uid: 9bcb54cf-1023-4a15-9c20-22d69a312f70
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: ratel-resource-readonly
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: test1
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
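To see how the token file, the ClusterRoles and the bindings above compose into an allow/deny decision, here is a small model of the evaluation, added for this post and not the author's or the Kubernetes project's code. The token lines and role rules are transcribed from the steps above (the long ratel-resource-readonly role is left out), and the evaluator is a simplified reimplementation of RBAC: exact matches only, User and Group subjects, cluster-wide versus namespaced scope, no wildcards or resourceNames.

```python
import csv
import io

# Constructed sample in the same format as /etc/kubernetes/basic_auth_file:
# token,user,uid,"group1,group2"
TOKEN_FILE = 'test1,test1,3,"system:authentication"\ntest2,test2,4,"system:authentication"\n'

VERBS_RO = ("get", "list", "watch")
# (apiGroup, resource, verb) triples transcribed from the page's ClusterRoles;
# the long ratel-resource-readonly role is left out to keep the example short.
CLUSTER_ROLES = {
    "ratel-namespace-readonly": {("", "namespaces", v) for v in VERBS_RO} | {("metrics.k8s.io", "pods", v) for v in VERBS_RO},
    "ratel-pod-exec": {("", "pods", "get"), ("", "pods", "list"), ("", "pods/log", "get"),
                       ("", "pods/log", "list"), ("", "pods/exec", "create")},
    "ratel-pod-delete": {("", "pods", "get"), ("", "pods", "list"), ("", "pods", "delete")},
}
# (role, subject kind, subject name, namespace); None marks the ClusterRoleBinding
BINDINGS = [
    ("ratel-namespace-readonly", "Group", "system:authentication", None),
    ("ratel-pod-exec", "User", "test1", "default"),
    ("ratel-pod-delete", "User", "test1", "default"),
]

def load_identities(text):
    """Parse token-file lines into {token: (username, frozenset(groups))}."""
    identities = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 4:          # blank or malformed line: ignore, never grant anything
            continue
        token, user, _uid, groups = row[:4]
        identities[token] = (user, frozenset(g for g in groups.split(",") if g))
    return identities

def can_i(user, groups, verb, resource, namespace, api_group=""):
    """Allow only if a binding whose subject matches grants the exact triple in scope."""
    for role, kind, name, ns in BINDINGS:
        subject_ok = (kind == "User" and name == user) or (kind == "Group" and name in groups)
        scope_ok = ns is None or ns == namespace   # ClusterRoleBinding covers every namespace
        if subject_ok and scope_ok and (api_group, resource, verb) in CLUSTER_ROLES[role]:
            return True
    return False

def check(token, verb, resource, namespace, api_group=""):
    """Authenticate with the token file, then authorize; unknown tokens are denied."""
    identity = load_identities(TOKEN_FILE).get(token)
    if identity is None:
        return False
    user, groups = identity
    return can_i(user, groups, verb, resource, namespace, api_group)
```

The model makes the scope boundary visible: test1 can exec into or delete Pods only in default, while every authenticated user gets namespace and metrics read access cluster-wide through the Group binding.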

 

Using a ServiceAccount
