[kubernetes]step9-使用Helm部署 dashboard并设置普通用户登陆权限

￡神魔★判官ぃ 2023-07-06 13:28 12阅读 0赞

# 使用Helm部署 dashboard并设置普通用户登陆权限 #

近期发现dashboard2.0好像并不能完全使用这个方法创建

helm repo update

helm fetch stable/kubernetes-dashboard

tar zxvf kubernetes-dashboard-1.10.1.tgz

cd kubernetes-dashboard

**创建kubernetes-dashboard.yaml：**

image:
      repository: k8s.gcr.io/kubernetes-dashboard-amd64
      tag: v1.10.1
    ingress:
      enabled: true
      hosts:
        - k8s.aircourses.com
      annotations:
        nginx.ingress.kubernetes.io/ssl-redirect: "true"
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      tls:
      # https证书的secret需要先自行创建好
        - secretName: aircourses
          hosts:
          - k8s.aircourses.com
    rbac:
      clusterAdminRole: true

helm install stable/kubernetes-dashboard -n kubernetes-dashboard --namespace kube-system  -f kubernetes-dashboard.yaml

![format_png][]

kubectl  edit svc kubernetes-dashboard -n kube-system
    # 修改 ClusterIP 为 NodePort

![format_png 1][]

建议使用火狐打开

![format_png 2][]

# 获取secret名称
    kubectl -n kube-system get secret | grep kubernetes-dashboard-token 
    # 根据获得的secret名称获取token
    kubectl  describe secret kubernetes-dashboard-token-xxx -n kube-system

![format_png 3][]

## 限制dashboard 用户权限 ##

有了上面的理论基础，我们就可以来新建一个用户，为该用户指定特定的访问权限了，比如我们的需求是：

*  新增一个新的用户`dev`
 *  该用户只能对命名空间`kube-system`下面的`pods`和`deployments`进行管理

第一步新建一个`ServiceAccount`：

kubectl delete sa dev -n default
    kubectl create sa dev -n default
    #kubectl delete sa dev -n default

然后我们新建一个角色**role-dev**：(role.yaml)

kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      namespace: default
      name: role-dev
    rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
    - apiGroups: ["extensions", "apps"]
      resources: ["deployments"]
      verbs: ["get", "watch", "list"]
    - apiGroups: [""]
      resources: ["pods/exec"]
      verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
    - apiGroups: [""]
      resources: ["pods/log"]
      verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

注意上面的`rules`规则：管理`pods`和`deployments`的权限。

然后我们创建一个角色绑定，将上面的角色`role-dev`绑定到**dev**的`ServiceAccount`上：(role-bind.yaml)

kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: role-bind-dev
      namespace: default
    subjects:
    - kind: ServiceAccount
      name: dev
      namespace: default
    roleRef:
      kind: Role
      name: role-dev
      apiGroup: rbac.authorization.k8s.io

分别执行上面两个`yaml`文件：

kubectl create -f role.yaml
    kubectl create -f role-bind.yaml

接下来该怎么做？和前面一样的，我们只需要拿到`dev`这个`ServiceAccount`的`token`就可以登录`Dashboard`了：

kubectl get secret -n default |grep dev-token
    kubectl  describe secret  -n default dev-token-bnwn4
    
    token_name=`kubectl get secret -n default |grep dev-token |awk '{print $1}'`
    secret=`kubectl  describe secret  -n default $token_name|grep "token:" |awk -F":" '{print $NF}'`
    echo $secret 
    # 会生成一串很长的字符串

然后在`dashboard`登录页面上直接使用上面得到的`token`字符串即可登录，登录过后能看到下面的页面。

不同的密钥 登陆的界面

![format_png 4][]

普通用户登陆的时候只能显示 自己的namespace 不是开通的所有权限 所以会有警告

![format_png 5][]

开发只要满足 删除pod 更新pod 进入容器 日志功能 应该足够了

![format_png 6][]

![format_png 7][]

自带的日志。可能没有直接进去直观，或者使用kibana 展示。

![format_png 8][]

1、获取dev的tocken
    
    kubectl get secret -n default |grep dev-token
    token_name=`kubectl get secret -n default |grep dev-token |awk '{print $1}'`
    secret=`kubectl  describe secret  -n default $token_name|grep "token:" |awk -F":" '{print $NF}'`
    echo $secret 
    # 会生成一串很长的字符串  在dashboard后台使用tocken（令牌）方式登录即可
    
    2、生成kubeconfig文件
    
    
    kubectl config set-cluster kubernetes --server=120.26.145.93:6443 --kubeconfig=/tmp/dashbord-dev.conf
    
    # 这里的scret参数需要替换成上面获取到的登陆的token值
    kubectl config set-credentials dashboard-dev --token="$secret" --kubeconfig=/tmp/dashbord-dev.conf
    
    kubectl config set-context dashboard-dev@kubernetes --cluster=kubernetes --user=dashboard-dev --kubeconfig=/tmp/dashbord-dev.conf
    
    # 网上大多数教程 这一步都是错的。。。。
    # kubectl config user-context dashboard-admin@kubernets --kubeconfig=/root/dashbord-admin.conf
    kubectl config use-context dashboard-dev@kubernetes  --kubeconfig=/tmp/dashbord-dev.conf
    生成的/tmp/dashbord-dev.conf即可用于登录dashboard

生成测试的conf 进行登陆测试

![format_png 9][]

![format_png 10][]

dashboard权限可参考

https://blog.csdn.net/yjh314/article/details/80942232?utm\_source=blogxgwz2

[format_png]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vamlhbWlueHUvQmxvZ0ltYWdlL3Jhdy9tYXN0ZXIvaW1nLzIwMjAwMTI5MTMxNzU0LnBuZw?x-oss-process=image/format,png
[format_png 1]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vamlhbWlueHUvQmxvZ0ltYWdlL3Jhdy9tYXN0ZXIvaW1nLzIwMjAwMTI5MTMyNzM1LnBuZw?x-oss-process=image/format,png
[format_png 2]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vamlhbWlueHUvQmxvZ0ltYWdlL3Jhdy9tYXN0ZXIvaW1nLzIwMjAwMTI5MTMyNjQ0LnBuZw?x-oss-process=image/format,png
[format_png 3]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vamlhbWlueHUvQmxvZ0ltYWdlL3Jhdy9tYXN0ZXIvaW1nLzIwMjAwMTI5MTMzNDU2LnBuZw?x-oss-process=image/format,png
[format_png 4]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vamlhbWlueHUvQmxvZ0ltYWdlL3Jhdy9tYXN0ZXIvaW1nLzIwMjAwMjE3MTUxMDM4LnBuZw?x-oss-process=image/format,png
[format_png 5]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vamlhbWlueHUvQmxvZ0ltYWdlL3Jhdy9tYXN0ZXIvaW1nLzIwMjAwMjE3MTYyMjIxLnBuZw?x-oss-process=image/format,png
[format_png 6]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vamlhbWlueHUvQmxvZ0ltYWdlL3Jhdy9tYXN0ZXIvaW1nLzIwMjAwMjE3MTYyMTU5LnBuZw?x-oss-process=image/format,png
[format_png 7]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vamlhbWlueHUvQmxvZ0ltYWdlL3Jhdy9tYXN0ZXIvaW1nLzIwMjAwMjE3MTYyNDEyLnBuZw?x-oss-process=image/format,png
[format_png 8]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vamlhbWlueHUvQmxvZ0ltYWdlL3Jhdy9tYXN0ZXIvaW1nLzIwMjAwMjE3MTYyMjUzLnBuZw?x-oss-process=image/format,png
[format_png 9]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vamlhbWlueHUvQmxvZ0ltYWdlL3Jhdy9tYXN0ZXIvaW1nLzIwMjAwMjE3MjMyMzM0LnBuZw?x-oss-process=image/format,png
[format_png 10]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vamlhbWlueHUvQmxvZ0ltYWdlL3Jhdy9tYXN0ZXIvaW1nLzIwMjAwMjE3MjMyMzEzLnBuZw?x-oss-process=image/format,png