A detailed look at logging in with a Kubeconfig file or a Token

Create an admin user

➜  kubernetes  kubectl patch svc -n kube-system kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}'
service/kubernetes-dashboard patched
➜ kubernetes kubectl create serviceaccount dashboard-admin -n kube-system
serviceaccount/dashboard-admin created
➜ kubernetes kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin created

Find the secret NAME

➜  kubernetes  kubectl get secret -n=kube-system
NAME TYPE DATA AGE
attachdetach-controller-token-jxx56 kubernetes.io/service-account-token 3 5d3h
bootstrap-signer-token-9hb7w kubernetes.io/service-account-token 3 5d3h
certificate-controller-token-m8mpc kubernetes.io/service-account-token 3 5d3h
clusterrole-aggregation-controller-token-sb7dv kubernetes.io/service-account-token 3 5d3h
coredns-token-tdchv kubernetes.io/service-account-token 3 5d3h
cronjob-controller-token-2f79z kubernetes.io/service-account-token 3 5d3h
daemon-set-controller-token-svzw7 kubernetes.io/service-account-token 3 5d3h
dashboard-admin-token-mwjwf kubernetes.io/service-account-token 3 61s
default-token-sznp4 kubernetes.io/service-account-token 3 5d3h
deployment-controller-token-qdh74 kubernetes.io/service-account-token 3 5d3h
disruption-controller-token-hd7sb kubernetes.io/service-account-token 3 5d3h
endpoint-controller-token-wnnrr kubernetes.io/service-account-token 3 5d3h
expand-controller-token-jc8ls kubernetes.io/service-account-token 3 5d3h
generic-garbage-collector-token-x2p5z kubernetes.io/service-account-token 3 5d3h
horizontal-pod-autoscaler-token-vf4kn kubernetes.io/service-account-token 3 5d3h
job-controller-token-mtz64 kubernetes.io/service-account-token 3 5d3h
kube-proxy-token-6xgld kubernetes.io/service-account-token 3 5d3h
kubernetes-dashboard-certs Opaque 0 5d3h
kubernetes-dashboard-key-holder Opaque 2 5d3h
kubernetes-dashboard-token-lx9kx kubernetes.io/service-account-token 3 5d3h
namespace-controller-token-8scnl kubernetes.io/service-account-token 3 5d3h
node-controller-token-rh4fk kubernetes.io/service-account-token 3 5d3h
persistent-volume-binder-token-xhwzv kubernetes.io/service-account-token 3 5d3h
pod-garbage-collector-token-7wtzh kubernetes.io/service-account-token 3 5d3h
pv-protection-controller-token-9nqsb kubernetes.io/service-account-token 3 5d3h
pvc-protection-controller-token-59kcr kubernetes.io/service-account-token 3 5d3h
replicaset-controller-token-pq8q9 kubernetes.io/service-account-token 3 5d3h
replication-controller-token-tp9zd kubernetes.io/service-account-token 3 5d3h
resourcequota-controller-token-wm4j6 kubernetes.io/service-account-token 3 5d3h
service-account-controller-token-g2h2r kubernetes.io/service-account-token 3 5d3h
service-controller-token-7qrks kubernetes.io/service-account-token 3 5d3h
statefulset-controller-token-gcrtq kubernetes.io/service-account-token 3 5d3h
token-cleaner-token-swg2m kubernetes.io/service-account-token 3 5d3h
ttl-controller-token-tgwnf kubernetes.io/service-account-token 3 5d3h

Get the TOKEN

➜  kubernetes  kubectl describe secret -n=kube-system dashboard-admin-token-mwjwf
Name: dashboard-admin-token-mwjwf
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: dashboard-admin
kubernetes.io/service-account.uid: 0c547a29-f000-11e9-a91a-025000000001

Type: kubernetes.io/service-account-token

Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.[...].cvbCJYR98zNWQeRjW4QmEqVPKD4CxL5EpR7bwEfCZqU_hJiNIKJubIGYWAkbB47waEBFOgIU9Aj98BGqtIAki-eL_kZFVYDIrQGzYQHZVngmCcUwG0u_PKazH9bgU_sfsw9t2_FZv-pD8aiVpGXtbS9EFWpf-VTIrZS-CSlTp0LEgPZLir8Jp_T3X4sbBfgtMbHTzkbz8WCvL_SeWxRIf7o-hLY703KNU4hkbNUxhC2ur73Irp3dSpgyANrS3G3cQjM1Uinh7pJl1ay-gRd0jPCwcZxUW3XKfLqS2-vwIpnYZ_j26Dj9oqDChAIxhK2T6VfBOdpp93AlXzT3_0VSYQ
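
The token printed above is a JWT: three base64url segments separated by dots, of which the header and the claims are readable by anyone who holds the string. The following is an added example, not part of the original post, that decodes them in the shell; the function names are hypothetical and the sample token is constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: read the header and claims of a service-account JWT offline.

# Decode one base64url segment (JWT segments drop the '=' padding).
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
    1) return 1 ;;                      # impossible length, reject
  esac
  printf '%s' "$s" | base64 -d          # older macOS: base64 -D, as on this page
}

# jwt_part TOKEN N: print the decoded header (N=1) or payload (N=2).
jwt_part() {
  local seg
  # A JWT has exactly three dot-separated segments.
  [ "$(printf '%s' "$1" | tr -cd '.' | wc -c)" -eq 2 ] || return 1
  seg=$(printf '%s' "$1" | cut -d. -f"$2")
  [ -n "$seg" ] || return 1
  b64url_decode "$seg"
}

# Identity the API server will map the token to (the "sub" claim).
jwt_subject() {
  jwt_part "$1" 2 | sed -n 's/.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Succeeds only if the payload carries an "exp" (expiry) claim.
jwt_has_expiry() {
  jwt_part "$1" 2 | grep -q '"exp"[[:space:]]*:'
}

# Constructed sample (NOT the page's token): claims shaped like a secret-based
# service-account token, with a dummy signature.
sample_token() {
  local h p
  h=$(printf '%s' '{"alg":"RS256","kid":""}' | base64 | tr -d '=\n' | tr '/+' '_-')
  p=$(printf '%s' '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/service-account.name":"dashboard-admin","sub":"system:serviceaccount:kube-system:dashboard-admin"}' \
      | base64 | tr -d '=\n' | tr '/+' '_-')
  printf '%s.%s.%s' "$h" "$p" "constructed-signature"
}

t=$(sample_token)
echo "header:  $(jwt_part "$t" 1)"
echo "subject: $(jwt_subject "$t")"
if jwt_has_expiry "$t"; then echo "has exp claim"; else echo "no exp claim"; fi
```

Run against a real token, jwt_subject shows which service account a stored or leaked token belongs to; with the cluster-admin binding created earlier, that identity has full control of the cluster.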

Generate the Kubeconfig file

➜  kubernetes  DASH_TOCKEN=$(kubectl get secret -n kube-system dashboard-admin-token-mwjwf -o jsonpath={.data.token}|base64 -D)
➜ kubernetes kubectl config set-cluster kubernetes --server=https://kubernetes.docker.internal:6443 --kubeconfig=/Users/chenyuan/Tools/Docker/kubernetes/dashbord-admin.conf
Cluster "kubernetes" set.
➜ kubernetes kubectl config set-credentials dashboard-admin --token=$DASH_TOCKEN --kubeconfig=/Users/chenyuan/Tools/Docker/kubernetes/dashbord-admin.conf
User "dashboard-admin" set.
➜ kubernetes kubectl config set-context dashboard-admin@kubernetes --cluster=kubernetes --user=dashboard-admin --kubeconfig=/Users/chenyuan/Tools/Docker/kubernetes/dashbord-admin.conf
Context "dashboard-admin@kubernetes" created.
➜ kubernetes kubectl config use-context dashboard-admin@kubernetes --kubeconfig=/Users/chenyuan/Tools/Docker/kubernetes/dashbord-admin.conf
Switched to context "dashboard-admin@kubernetes".

Start the proxy and verify

kubectl proxy --address='0.0.0.0'  --accept-hosts='^*$'  

Open: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

http://static.cyblogs.com/WX20191016-190028@2x.png
