部署
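# NOTE(review): `master` is a moving branch, so applying this URL directly runs
# whatever manifest is there at that moment, unread. Fetch it to a file first,
# read it, keep the reviewed copy under version control, and apply that copy.
# Prefer a URL on a release tag (<RELEASE_TAG>) that matches the dashboard
# image version you intend to run.
curl -fsSLo kubernetes-dashboard.yaml https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended/kubernetes-dashboard.yaml
kubectl apply -f kubernetes-dashboard.yaml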
使用 kubectl edit 更换镜像,并添加 --enable-skip-login 参数,使登录页出现“跳过”按钮
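# Fragment of the Deployment as shown by `kubectl edit`; presumably this is the
# pod template's spec (spec.template.spec) - confirm against the live object.
spec:
  containers:
    - args:
        - --auto-generate-certificates
        # NOTE(review): --enable-skip-login adds a "Skip" button to the login
        # page. Anyone who can reach the dashboard can then use it without a
        # token, with the rights of the dashboard's own ServiceAccount. Keep
        # this flag only if the dashboard is reachable solely over a trusted
        # path (for example `kubectl proxy` or `kubectl port-forward`) and
        # that ServiceAccount holds minimal permissions.
        - --enable-skip-login
      # NOTE(review): this appears to be a personal mirror of the image, and a
      # tag can be re-pushed. Compare the image digest with the upstream
      # release and pin it as <repository>@sha256:<IMAGE_DIGEST>.
      image: registry.cn-hangzhou.aliyuncs.com/xiangxiaoc/kubernetes-dashboard-amd64:v1.10.1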
创建 Dashboard 管理员用户
vim dashboard-adminuser.yaml
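# ServiceAccount whose token is used to log in to the dashboard.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
# NOTE(review): this binds admin-user to cluster-admin for the whole cluster,
# so its token is a bearer credential with unrestricted control. Treat it as a
# break-glass account: store the token like a root password, do not use it for
# day-to-day viewing, and delete this binding when it is no longer needed.
# Where a single namespace is enough, use a Role and RoleBinding instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kube-system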
kubectl apply -f dashboard-adminuser.yaml
查看令牌(token)
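# Print the token secret of the admin-user ServiceAccount.
# The token shown is a cluster-admin bearer credential: keep it out of logs,
# tickets, chat and screenshots.
secret_name=$(kubectl -n kube-system get secret | awk '/admin-user/ {print $1}')
# With an empty name, `kubectl describe secret` describes every secret in
# kube-system, so stop when nothing matched (for example on clusters that do
# not auto-create token secrets for ServiceAccounts).
if [ -z "$secret_name" ]; then
  echo "no secret matching admin-user found in kube-system" >&2
else
  # Left unquoted on purpose: several matching names are passed as separate
  # arguments, as in the original one-liner.
  kubectl -n kube-system describe secret $secret_name
fi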
创建 Dashboard 管理员只读用户
vim dashboard-viewer.yaml
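# ServiceAccount whose token is used for the "viewer" dashboard login.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-viewer
  namespace: kube-system
---
# Binds dashboard-viewer, cluster-wide, to the custom ClusterRole
# cluster-admin-view defined in the last document of this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin-view
subjects:
  - kind: ServiceAccount
    name: dashboard-viewer
    namespace: kube-system
---
# NOTE(review): despite its name this role is not read-only in effect:
#   - get/list/watch on every resource includes Secrets, so the holder can
#     read every ServiceAccount token and credential stored in the cluster,
#     including tokens of accounts bound to cluster-admin;
#   - create on pods/exec lets the holder run commands inside any pod.
# For a read-only login, bind the built-in `view` ClusterRole (it does not
# grant access to Secrets). Grant pods/exec separately, through a namespaced
# Role and RoleBinding, only where it is needed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # NOTE(review): this annotation and label look copied from a built-in
  # bootstrap role; presumably they are not needed on a custom role -
  # confirm and drop them.
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin-view
rules:
  # Read access to every resource in every API group (Secrets included).
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - get
      - list
      - watch
  # Read access to every non-resource URL.
  - nonResourceURLs:
      - '*'
    verbs:
      - get
      - list
      - watch
  # Allows `exec -ti bash` into pods, for convenience.
  - apiGroups:
      - '*'
    resources:
      - 'pods/exec'
    verbs:
      - create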
kubectl apply -f dashboard-viewer.yaml
查看令牌(token)
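# Print the token secret of the dashboard-viewer ServiceAccount.
# The token shown is a bearer credential: keep it out of logs, tickets, chat
# and screenshots.
secret_name=$(kubectl -n kube-system get secret | awk '/dashboard-viewer/ {print $1}')
# With an empty name, `kubectl describe secret` describes every secret in
# kube-system, so stop when nothing matched (for example on clusters that do
# not auto-create token secrets for ServiceAccounts).
if [ -z "$secret_name" ]; then
  echo "no secret matching dashboard-viewer found in kube-system" >&2
else
  # Left unquoted on purpose: several matching names are passed as separate
  # arguments, as in the original one-liner.
  kubectl -n kube-system describe secret $secret_name
fi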
给 kubernetes-dashboard 账户附加权限
点击“跳过”后使用的默认账户(ServiceAccount kubernetes-dashboard)将绑定到 kubernetes-dashboard-developer 角色,因此任何能访问 Dashboard 的人无需登录即拥有该角色的权限。kubernetes-dashboard-developer 的权限配置如下
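# ClusterRole granted to the dashboard's own ServiceAccount by the binding in
# the second document of this file.
# NOTE(review): if the dashboard runs with --enable-skip-login, everything
# listed here is available to anyone who can reach the dashboard, without a
# token. Keep this role to the minimum a visitor needs, and restrict network
# access to the dashboard.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # NOTE(review): this annotation and label look copied from a built-in
  # bootstrap role; presumably they are not needed on a custom role -
  # confirm and drop them.
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: kubernetes-dashboard-developer
rules:
  # Read access to core resources. Secrets are not listed; configmaps are.
  - apiGroups: [""]
    resources:
      - namespaces
      - resourcequotas
      - limitranges
      - nodes
      - persistentvolumes
      - configmaps
      - persistentvolumeclaims
      - services
      - endpoints
      - pods
      - events
      - replicationcontrollers
    verbs:
      - list
      - get
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources:
      - roles
      - clusterroles
    verbs:
      - list
      - get
  - apiGroups: ["apps", "batch"]
    resources:
      - deployments
      - replicasets
      - statefulsets
      - daemonsets
      - jobs
      - cronjobs
    verbs:
      - list
      - get
  - apiGroups: ["storage.k8s.io"]
    resources:
      - storageclasses
    verbs:
      - list
      - get
  - apiGroups: ["extensions"]
    resources:
      - ingresses
    verbs:
      - list
      - get
  # NOTE(review): create on pods/exec allows running commands inside any pod
  # in the cluster, which also exposes whatever credentials those pods mount.
  # Bound to the skip-login account this is unauthenticated command execution.
  # Remove this rule here and grant exec through a namespaced Role and
  # RoleBinding to an authenticated account.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  # NOTE(review): pod logs can contain sensitive data; grant cluster-wide log
  # access to an authenticated account only.
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
---
# Binds the dashboard's own ServiceAccount (kube-system/kubernetes-dashboard)
# to the role above, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard-developer
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system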
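使用 Google Chrome 浏览器访问自签发证书的 https 页面
badidea / thisisunsafe(Chrome 证书警告页的跳过口令)。跳过警告后浏览器不再校验服务端证书,登录令牌可能被中间人截获;长期使用应为 Dashboard 配置受信任 CA 签发的证书,或通过 kubectl proxy / kubectl port-forward 访问。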
