In the previous post we covered the access-control plug-ins that make up the third stage of k8s access control. For a review, see: https://www.cnblogs.com/qiuhom-1874/p/14220402.html. Today we look at installing the k8s Web UI (the dashboard) and authorizing its users.
The k8s Web UI is a plug-in that runs on k8s itself and provides its service as a pod. It gives k8s users a web panel from which the cluster can be managed: creating a pod, creating a service, deploying an application, and so on.
Before deploying it, a word about how dashboard authentication works. The dashboard runs on k8s as a pod and does not perform any access-control checks of its own; it only forwards the user's credentials to the k8s cluster, and the actual authentication and authorization are still done by the apiserver. So whoever logs in to the dashboard must be a user known to k8s. Because the dashboard forwards those credentials from inside a pod, the login identity must be a service account (SA); regular users are not supported. In short, the dashboard is a proxy: every operation we perform in it is relayed to the apiserver over HTTPS. It is also a multi-user plug-in, so several users can be logged in at the same time under different identities.
The dashboard itself is a web service running as a pod on k8s, so it can be published either through an ingress or through a service; pick one of the two.
Preparation before dashboard deployment
The dashboard serves HTTPS. If it is to be published outside the cluster for Internet access, the certificate for the corresponding domain name has to be loaded into k8s as a secret resource, and that secret is then referenced when the dashboard is deployed.
Generate the private key, create the certificate signing request (CSR) from it, and send the CSR to a CA for signing (if you already have a certificate for the domain name, skip this step).
[[email protected] ~]# mkdir dashboard
[[email protected] ~]# cd dashboard
[[email protected] dashboard]# openssl genrsa -out dashboard.key 2048
Generating RSA private key, 2048 bit long modulus
................................................................................................+++
..................+++
e is 65537 (0x10001)
[[email protected] dashboard]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=test/CN=webui.test.com"
[[email protected] dashboard]# ll
total 8
-rw-r--r-- 1 root root 920 Jan 2 14:00 dashboard.csr
-rw-r--r-- 1 root root 1679 Jan 2 13:59 dashboard.key
[[email protected] dashboard]#
Sign the CSR with a CA. Here I sign it directly with the cluster's own CA under /etc/kubernetes/pki:
[[email protected] dashboard]# openssl x509 -req -in dashboard.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out dashboard.crt -days 3650
Signature ok
subject=/O=test/CN=webui.test.com
Getting CA Private Key
[[email protected] dashboard]# ll
total 12
-rw-r--r-- 1 root root 1005 Jan 2 14:04 dashboard.crt
-rw-r--r-- 1 root root 920 Jan 2 14:00 dashboard.csr
-rw-r--r-- 1 root root 1679 Jan 2 13:59 dashboard.key
[[email protected] dashboard]#
Tip: normally you would have a public CA sign the certificate. It is only used so that the browser can reach the dashboard over HTTPS under the corresponding domain name.
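As an added example (not part of the original post), the same key/CSR/sign sequence as above, with two things a practitioner would want before loading the files into a secret: the CSR carries a subjectAltName, because browsers match the SAN rather than the CN, and a check that the signed certificate really belongs to the private key. The CA paths are parameters; openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes openssl is installed.
set -eu

# make_dashboard_csr <dir> <dns-name>
# Generates dashboard.key and dashboard.csr in <dir>; the CSR carries a SAN.
make_dashboard_csr() {
  dir=$1; name=$2
  mkdir -p "$dir"
  openssl genrsa -out "$dir/dashboard.key" 2048 2>/dev/null
  # Request config: the post used -subj "/O=test/CN=..."; a config file is
  # needed to add the subjectAltName extension as well.
  cat >"$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
O = test
CN = $name
[v3_req]
subjectAltName = DNS:$name
EOF
  openssl req -new -key "$dir/dashboard.key" -out "$dir/dashboard.csr" -config "$dir/san.cnf"
}

# sign_with_ca <dir> <ca.crt> <ca.key>
# Signs the CSR for 10 years like the post did, copying the SAN into the cert.
sign_with_ca() {
  dir=$1; ca_crt=$2; ca_key=$3
  openssl x509 -req -in "$dir/dashboard.csr" -CA "$ca_crt" -CAkey "$ca_key" \
    -CAcreateserial -out "$dir/dashboard.crt" -days 3650 \
    -extfile "$dir/san.cnf" -extensions v3_req 2>/dev/null
}

# cert_matches_key <dir>
# Succeeds only if the public key inside the certificate equals the one
# derived from the private key; catches a mixed-up crt/key pair early.
cert_matches_key() {
  dir=$1
  a=$(openssl x509 -in "$dir/dashboard.crt" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$dir/dashboard.key" -pubout 2>/dev/null | openssl sha256)
  [ "$a" = "$b" ]
}

# cert_san <dir>: print the SAN value of the signed certificate, e.g. DNS:webui.test.com
cert_san() {
  openssl x509 -in "$1/dashboard.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Usage (cluster CA paths as in the post):
#   make_dashboard_csr ./dashboard webui.test.com
#   sign_with_ca ./dashboard /etc/kubernetes/pki/ca.crt /etc/kubernetes/pki/ca.key
#   cert_matches_key ./dashboard && cert_san ./dashboard
```

Once cert_matches_key succeeds, dashboard.crt and dashboard.key are the two files to put into the kubernetes-dashboard-certs secret.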
Download the deployment manifest and note the namespace and the secret name it references:
[[email protected] dashboard]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.1.0/aio/deploy/recommended.yaml
--2021-01-02 14:14:48-- https://raw.githubusercontent.com/kubernetes/dashboard/v2.1.0/aio/deploy/recommended.yaml
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.28.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.28.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7552 (7.4K) [text/plain]
Saving to: ‘recommended.yaml’
100%[=========================================================================>] 7,552 3.08KB/s in 2.4s
2021-01-02 14:14:52 (3.08 KB/s) - ‘recommended.yaml’ saved [7552/7552]
[[email protected] dashboard]# ls
dashboard.crt dashboard.csr dashboard.key recommended.yaml
[[email protected] dashboard]#
Tip: the deployment manifest references a secret by name and namespace. To replace the dashboard's certificate with our own, that secret must be created in advance with the same type, name and namespace the manifest uses.
Create the kubernetes-dashboard namespace and load dashboard.crt and dashboard.key into a generic-type secret in that namespace:
[[email protected] dashboard]# kubectl create ns kubernetes-dashboard
namespace/kubernetes-dashboard created
[[email protected] dashboard]# kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.crt --from-file=dashboard.key -n kubernetes-dashboard
secret/kubernetes-dashboard-certs created
[[email protected] dashboard]# kubectl get secret -n kubernetes-dashboard
NAME TYPE DATA AGE
default-token-vcw5h kubernetes.io/service-account-token 3 2m31s
kubernetes-dashboard-certs Opaque 2 12s
[[email protected] dashboard]#
Apply the dashboard deployment manifest:
[[email protected] dashboard]# kubectl apply -f recommended.yaml
Warning: resource namespaces/kubernetes-dashboard is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
namespace/kubernetes-dashboard configured
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
Warning: resource secrets/kubernetes-dashboard-certs is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
secret/kubernetes-dashboard-certs configured
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
[[email protected] dashboard]#
Edit the corresponding service in place and change its type from ClusterIP to NodePort.
Tip: with a NodePort service, clients outside the cluster can reach the dashboard.
Check whether the pods in the namespace are running:
[[email protected] ~]# kubectl get all -n kubernetes-dashboard
NAME READY STATUS RESTARTS AGE
pod/dashboard-metrics-scraper-79c5968bdc-tc79t 1/1 Running 0 6m56s
pod/kubernetes-dashboard-7448ffc97b-v98gk 1/1 Running 0 6m56s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/dashboard-metrics-scraper ClusterIP 10.103.202.122 8000/TCP 6m56s
service/kubernetes-dashboard NodePort 10.108.57.122 443:31635/TCP 6m57s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/dashboard-metrics-scraper 1/1 1 1 6m56s
deployment.apps/kubernetes-dashboard 1/1 1 1 6m56s
NAME DESIRED CURRENT READY AGE
replicaset.apps/dashboard-metrics-scraper-79c5968bdc 1 1 1 6m56s
replicaset.apps/kubernetes-dashboard-7448ffc97b 1 1 1 6m56s
[[email protected] ~]#
Tip: the resources are all running, and the service is exposed on node port 31635. The dashboard can be reached on port 31635 of any node in the k8s cluster. If you access it by domain name, make sure the domain name resolves to the IP of one of the cluster nodes.
Access dashboard
Tip: use HTTPS here, because the service is an HTTPS service. The browser warns that the connection is not private because the certificate was not issued by a CA the browser trusts, so it has to be accepted manually.
Tip: if the page above appears, the dashboard is running. Next we need an account to log in with.
Create an SA account
[[email protected] ~]# kubectl create serviceaccount webui-cluster-admin -n kubernetes-dashboard
serviceaccount/webui-cluster-admin created
[[email protected] ~]# kubectl get sa -n kubernetes-dashboard
NAME SECRETS AGE
default 1 29m
kubernetes-dashboard 1 17m
webui-cluster-admin 1 11s
[[email protected] ~]# kubectl describe sa webui-cluster-admin -n kubernetes-dashboard
Name: webui-cluster-admin
Namespace: kubernetes-dashboard
Labels:
Annotations:
Image pull secrets:
Mountable secrets: webui-cluster-admin-token-bxl2z
Tokens: webui-cluster-admin-token-bxl2z
Events:
[[email protected] ~]#
Bind the SA to the cluster-admin ClusterRole:
[[email protected] ~]# kubectl create clusterrolebinding webui-cluster-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:webui-cluster-admin
clusterrolebinding.rbac.authorization.k8s.io/webui-cluster-admin created
[[email protected] ~]# kubectl get clusterrolebinding |grep webui
webui-cluster-admin ClusterRole/cluster-admin 41s
[[email protected] ~]# kubectl describe clusterrolebinding webui-cluster-admin
Name: webui-cluster-admin
Labels:
Annotations:
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount webui-cluster-admin kubernetes-dashboard
[[email protected] ~]#
Tip: when specifying --serviceaccount, give the SA's namespace and name joined with a colon (namespace:name).
Log in to the dashboard with the token stored in the secret belonging to the SA created above.
Log in to Dashboard
Tip: by default, you log in to the dashboard in the default namespace. You can select the above namespace to view the resources under the corresponding namespace;
Create an administrator under a namespace
[[email protected] ~]# kubectl create serviceaccount myns-admin -n myns
serviceaccount/myns-admin created
[[email protected] ~]# kubectl create rolebinding myns-admin --clusterrole=admin --serviceaccount=myns:myns-admin -n myns
rolebinding.rbac.authorization.k8s.io/myns-admin created
[[email protected] ~]#
Tip: a rolebinding must be given a namespace; otherwise it is created in the default namespace.
View the token of the corresponding account:
[[email protected] ~]# kubectl describe sa -n myns
Name: default
Namespace: myns
Labels:
Annotations:
Image pull secrets:
Mountable secrets: default-token-n6tg5
Tokens: default-token-n6tg5
Events:
Name: myns-admin
Namespace: myns
Labels:
Annotations:
Image pull secrets:
Mountable secrets: myns-admin-token-p6gh8
Tokens: myns-admin-token-p6gh8
Events:
[[email protected] ~]# kubectl describe secret myns-admin-token-p6gh8 -n myns
Name: myns-admin-token-p6gh8
Namespace: myns
Labels:
Annotations: kubernetes.io/service-account.name: myns-admin
kubernetes.io/service-account.uid: ebaed1a9-4631-42cb-8af9-a14fa35a7098
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1066 bytes
namespace: 4 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjM4WnU0Z1Q1c0hBNmR5Q1V0ejRaMFk4d2J2WncwWjNiUTAxZk02SGN4OTgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJteW5zIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im15bnMtYWRtaW4tdG9rZW4tcDZnaDgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoibXlucy1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImViYWVkMWE5LTQ2MzEtNDJjYi04YWY5LWExNGZhMzVhNzA5OCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpteW5zOm15bnMtYWRtaW4ifQ.JuZ9WsojEfJai-Z1uLH7AIS-kLyqqln9POzEEoV_RTBKGO4NbtDJwMOw3z4SVeLwdCSiBefh-pD03DCnHmZ-HunrUPXBix2iKRgD42fkQ2L8cZzl8LGEw88jK5mUpSOF2si0wibc1cn7Gtrc5LqMiVtOgLoBMhEXaX2_RDUXj0Q8FtNb_srIcjQe__gXsMGmXxhHuU629IVk7fM99FvHzlDOyLj4goaydMw7F9-JFpL3I-ll2lq46goKDEwB2pMEz_qvsVFHvILNzg318TilMSK4VeMpKUbje6eovvs2IYSMCfVRBtvlpsv3KixYONai1AvYRQz_iISwKzI5JWO4hw
[[email protected] ~]#
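Before pasting a token into the dashboard login page or a kubeconfig, it is worth checking which identity it actually carries. The following is an added example, not from the original post: it decodes the payload of the myns-admin token shown above and pulls out the claims. Only the claims are read; the signature is not verified here, since only the apiserver holds the key that can do that.

```shell
#!/bin/sh
# Added example (not from the original post). Reads JWT claims only; it does
# NOT verify the signature, which only the apiserver can do.
set -eu

# b64url_decode <string>: base64url (as used by JWTs) to bytes, restoring the
# '=' padding that JWT segments strip.
b64url_decode() {
  s=$(printf '%s' "$1" | tr -- '-_' '+/')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
  echo
}

# jwt_claims <token>: print the JSON payload (the second dot-separated segment)
jwt_claims() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# jwt_claim <token> <name>: extract one string claim. The token controller
# emits compact JSON with no whitespace, which this simple sed relies on.
jwt_claim() {
  jwt_claims "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# The myns-admin token from the post (a lab-cluster token; a token from a
# real cluster is a credential and should never be pasted into a script).
MYNS_ADMIN_TOKEN='eyJhbGciOiJSUzI1NiIsImtpZCI6IjM4WnU0Z1Q1c0hBNmR5Q1V0ejRaMFk4d2J2WncwWjNiUTAxZk02SGN4OTgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJteW5zIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im15bnMtYWRtaW4tdG9rZW4tcDZnaDgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoibXlucy1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImViYWVkMWE5LTQ2MzEtNDJjYi04YWY5LWExNGZhMzVhNzA5OCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpteW5zOm15bnMtYWRtaW4ifQ.JuZ9WsojEfJai-Z1uLH7AIS-kLyqqln9POzEEoV_RTBKGO4NbtDJwMOw3z4SVeLwdCSiBefh-pD03DCnHmZ-HunrUPXBix2iKRgD42fkQ2L8cZzl8LGEw88jK5mUpSOF2si0wibc1cn7Gtrc5LqMiVtOgLoBMhEXaX2_RDUXj0Q8FtNb_srIcjQe__gXsMGmXxhHuU629IVk7fM99FvHzlDOyLj4goaydMw7F9-JFpL3I-ll2lq46goKDEwB2pMEz_qvsVFHvILNzg318TilMSK4VeMpKUbje6eovvs2IYSMCfVRBtvlpsv3KixYONai1AvYRQz_iISwKzI5JWO4hw'

# Usage:
#   jwt_claim "$MYNS_ADMIN_TOKEN" sub
#   jwt_claim "$MYNS_ADMIN_TOKEN" kubernetes.io/serviceaccount/namespace
```

The sub claim, system:serviceaccount:myns:myns-admin, is exactly the subject the rolebinding above grants the admin role to; if the dashboard reports "no permission" after login, comparing this value with the binding's subject is the first thing to check.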
Log in to the dashboard with this token.
Tip: the login lands in the default namespace, where this account has no permissions, so the dashboard reports that we are not allowed to view resources in the current namespace.
Switch to the myns namespace.
Tip: now the account can manage the resources in the myns namespace.
Create a kubeconfig file and log in to the dashboard with it:
[[email protected] ~]# kubectl config set-cluster mykube --server="https://192.168.0.41:6443" --embed-certs --certificate-authority=/etc/kubernetes/pki/ca.crt --kubeconfig=/tmp/test-mykube.config
Cluster "mykube" set.
[[email protected] ~]# kubectl config set-credentials webui-admin --token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjM4WnU0Z1Q1c0hBNmR5Q1V0ejRaMFk4d2J2WncwWjNiUTAxZk02SGN4OTgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJ3ZWJ1aS1jbHVzdGVyLWFkbWluLXRva2VuLWJ4bDJ6Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6IndlYnVpLWNsdXN0ZXItYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2NDYwNWFhMi1kZmI1LTRlZjItYTQ3NC0yMzczOGUwZmNjZDgiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6d2VidWktY2x1c3Rlci1hZG1pbiJ9.lIEEMbIyYDlWXxG_xSWcY595Ai3yCYTAKEYQVwybysBfNTM9ksJOhqep9M9PF6bfUGIpbFr-Y75gvAmOprrYICv-W7RKUQxMq1s_9mIY7ATlWh3xiPOjYoT9K7JWXNpFOPsl9eEOY2j_VJE7hK_7mzMg7ASPTWEbQS1YkXvoBh3nG_SDBbKgqs-SiQ5_yhx0QFK-PSdFUiBhGRq_TvqbrmZeAi1lJ6tNODcUW7zikSwO53wQDJHgjdYiYHhqm0O3GysBYp6JzgkryXdmjLri6NXvWV9qTc201SL7xrF6S09vSFQaox479r5A5qat9DJn0qq4YEUFKXzweuyxjJfdwA --kubeconfig=/tmp/test-mykube.config
User "webui-admin" set.
[[email protected] ~]# kubectl config set-context [email protected] --cluster=mykube --user=webui-admin --kubeconfig=/tmp/test-mykube.config
Context "[email protected]" created.
[[email protected] ~]# kubectl config view --kubeconfig=/tmp/test-mykube.config
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://192.168.0.41:6443
name: mykube
contexts:
- context:
cluster: mykube
user: webui-admin
name: [email protected]
current-context: ""
kind: Config
preferences: {}
users:
- name: webui-admin
user:
token: REDACTED
[[email protected] ~]# kubectl config use-context [email protected] --kubeconfig=/tmp/test-mykube.config
Switched to context "[email protected]".
[[email protected] ~]# kubectl config view --kubeconfig=/tmp/test-mykube.config
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://192.168.0.41:6443
name: mykube
contexts:
- context:
cluster: mykube
user: webui-admin
name: [email protected]
current-context: [email protected]
kind: Config
preferences: {}
users:
- name: webui-admin
user:
token: REDACTED
[[email protected] ~]#
Tip: when setting the user, use the token of the SA you want to log in as.
Export the configuration file and use it on the Login page in the browser.
Tip: the identity logged in to the dashboard is now the SA whose token is in the configuration file. That completes the dashboard setup.
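As an added example (not from the original post), the kubeconfig that the kubectl config commands above produced can also be written directly, which is handy on a machine without kubectl. It shows what --embed-certs does (the CA PEM is base64-encoded into certificate-authority-data) and why kubectl config view prints the token as REDACTED: the bearer token sits in the file in clear, so the file is created owner-readable only. The context name user@cluster and the cluster name mykube follow the post; the server URL, CA file, user name and token are parameters.

```shell
#!/bin/sh
# Added example, not the post's own commands.
set -eu

# write_sa_kubeconfig <out-file> <server-url> <ca.crt> <user-name> <token>
# Writes a kubeconfig with one cluster, one token user and one context, and
# selects that context, matching the layout kubectl config view showed.
write_sa_kubeconfig() {
  out=$1; server=$2; ca=$3; user=$4; token=$5
  cluster=mykube
  # --embed-certs is just the PEM file base64-encoded onto a single line
  ca_data=$(base64 "$ca" | tr -d '\n')
  # The file carries a bearer token in clear: create it with mode 600.
  (
    umask 077
    cat >"$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: $cluster
  cluster:
    server: $server
    certificate-authority-data: $ca_data
users:
- name: $user
  user:
    token: $token
contexts:
- name: $user@$cluster
  context:
    cluster: $cluster
    user: $user
current-context: $user@$cluster
EOF
  )
}

# kubeconfig_context <file>: print the selected context, e.g. webui-admin@mykube
kubeconfig_context() {
  sed -n 's/^current-context: //p' "$1"
}

# kubeconfig_perms <file>: permission string, expected -rw-------
kubeconfig_perms() {
  ls -ld "$1" | cut -c1-10
}

# Usage with the cluster from the post (token value constructed here):
#   write_sa_kubeconfig /tmp/test-mykube.config https://192.168.0.41:6443 \
#     /etc/kubernetes/pki/ca.crt webui-admin "$(cat token.txt)"
#   kubeconfig_context /tmp/test-mykube.config
```

The resulting file is what gets uploaded on the dashboard's Kubeconfig login option; it is as sensitive as the token itself, so delete it when done rather than leaving it in /tmp.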