我想通过令牌登录新安装的kubernetes仪表板(k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0),但它不起作用。
我遇到的问题与How to log in to Kubernetes Dashboard UI with Service Account's token完全相同 但是我验证了我的令牌,它很合适。我也没有收到“身份验证失败...”错误。
当我输入令牌时,什么也没有发生,但是我在日志文件中看到新条目:
{"log":"2018/12/07 14:59:49 [2018-12-07T14:59:49Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/login request from 192.168.178.10:60092: { contents hidden }\n","stream":"stdout","time":"2018-12-07T14:59:49.655298186Z"}
{"log":"2018/12/07 14:59:49 [2018-12-07T14:59:49Z] Outcoming response to 192.168.178.10:60092 with 200 status code\n","stream":"stdout","time":"2018-12-07T14:59:49.655840444Z"}
{"log":"2018/12/07 14:59:49 [2018-12-07T14:59:49Z] Incoming HTTP/2.0 POST /api/v1/login request from 192.168.178.10:60092: { contents hidden }\n","stream":"stdout","time":"2018-12-07T14:59:49.665272088Z"}
{"log":"2018/12/07 14:59:49 [2018-12-07T14:59:49Z] Outcoming response to 192.168.178.10:60092 with 200 status code\n","stream":"stdout","time":"2018-12-07T14:59:49.670318659Z"}
{"log":"2018/12/07 14:59:49 [2018-12-07T14:59:49Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 192.168.178.10:60092: {}\n","stream":"stdout","time":"2018-12-07T14:59:49.688294191Z"}
{"log":"2018/12/07 14:59:49 [2018-12-07T14:59:49Z] Outcoming response to 192.168.178.10:60092 with 200 status code\n","stream":"stdout","time":"2018-12-07T14:59:49.691135283Z"}
{"log":"2018/12/07 14:59:52 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.\n","stream":"stdout","time":"2018-12-07T14:59:52.237740364Z"}
我所做的:
kubectl create serviceaccount myservice
kubectl get serviceaccount myservice -o yaml
令牌:
TOKEN=$(echo "ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSmtaV1poZFd4MElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WldOeVpYUXVibUZ0WlNJNkltMTVjMlZ5ZG1salpTMTBiMnRsYmkxa09ISnlaQ0lzSW10MVltVnlibVYwWlhNdWFXOHZjMlZ5ZG1salpXRmpZMjkxYm5RdmMyVnlkbWxqWlMxaFkyTnZkVzUwTG01aGJXVWlPaUp0ZVhObGNuWnBZMlVpTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxjblpwWTJVdFlXTmpiM1Z1ZEM1MWFXUWlPaUpoWWpFeVlUVmpOUzFtWVRKakxURXhaVGd0WVRZNE55MHdNRFV3TlRZNE9EZzRNak1pTENKemRXSWlPaUp6ZVhOMFpXMDZjMlZ5ZG1salpXRmpZMjkxYm5RNlpHVm1ZWFZzZERwdGVYTmxjblpwWTJVaWZRLm0yR2F4VmNsOTYzVkVjbUltb3dzY25aeWdrd2hQTTBlZmNjUnVoaGNmdlNWXzU5Y29wNkdMc2t0bTRtY1FqcjBnaWhzMTZXZjFrd1VkVjBlTFJNVE1zaWZudlQxR2J6Smd3ZURydTVMbHVteW5tY3Y3Sm1GVDFGLXpJSjI0SFRERVhlVTNtMV9OVjJHcUZHdTNmVTlxOVFscG44ZVRxR2FuNDZLdEM2OTZGUVBqbjFhVnRER28wMlVrU2NwVGRHckNkenFMUjFBT0ZMTXVyUWFjWldIbHlhTmZ4Sy02bU16aDBZdG1seHdfcEFSeVlySXJMVlR2dXlLeDRmQzRvWUx2elVia1pkWmp1eUlJWnFmYXVUMTFKQUFad243MHZyZW1xbVVHTXBsdXNaYVdiU2h3SlJkRWZmMzdjTEd3R3lwdU1SeXI2a3NsVlJiLW50eXdWbHYxQQ==" | base64 -d)
echo $TOKEN
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im15c2VydmljZS10b2tlbi1kOHJyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJteXNlcnZpY2UiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJhYjEyYTVjNS1mYTJjLTExZTgtYTY4Ny0wMDUwNTY4ODg4MjMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpteXNlcnZpY2UifQ.m2GaxVcl963VEcmImowscnZygkwhPM0efccRuhhcfvSV_59cop6GLsktm4mcQjr0gihs16Wf1kwUdV0eLRMTMsifnvT1GbzJgweDru5Llumynmcv7JmFT1F-zIJ24HTDEXeU3m1_NV2GqFGu3fU9q9Qlpn8eTqGan46KtC696FQPjn1aVtDGo02UkScpTdGrCdzqLR1AOFLMurQacZWHlyaNfxK-6mMzh0Ytmlxw_pARyYrIrLVTvuyKx4fC4oYLvzUbkZdZjuyIIZqfauT11JAAZwn70vremqmUGMplusZaWbShwJRdEff37cLGwGypuMRyr6kslVRb-ntywVlv1A
我开始
kubectl proxy --port=9999 --address='192.168.178.10' --accept-hosts="^*$"
它仅可在localhost上运行(我不想安装浏览器或台式机)吗?
我还想知道,要使仪表板永久运行,就像在“ ctrl + c”后执行“ kubectl proxy”命令一样。
我找到了工作伙伴
cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard
labels:
k8s-app: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
EOF
运行此命令并在仪表板上“跳过”,我已经登录,但是如何摆脱这个用户,因为我再也无法通过它找到
kubectl get serviceaccounts --all-namespaces
也
kubectl get serviceaccounts -n kube-system
?
如何通过https运行它?
预先感谢 汤姆
答案 0 :(得分:1)
我在
上发现的所有问题的答案http://www.joseluisgomez.com/containers/kubernetes-dashboard/
不建议通过kubectl proxy访问进行生产性使用(不幸的是,它是kubernetes文档中唯一说明的方式)。
可以通过https开箱即用,但是还需要一些其他步骤。
grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.crt
grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.key
openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"
您将获得kubecfg.p12,您必须从kubernetes master下载该文件并安装在客户端上(双击,下一步,下一步,下一步-建议使用Chrome浏览器)。
cat <<EOF | kubectl create -f -
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kube-system
EOF
cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kube-system
EOF
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
https://<master-ip>:<apiserver-port>/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy,选择“令牌”,然后输入您将从上一步获得的承载令牌,您就完成了。注意:关于群集的信息,您将通过kubectl cluster-info获得。