kubernetes认证,对接第三方认证系统,对接github认证
概述
本文介绍如何使用github账户去关联自己kubernetes账户。达到如下效果:
- 使用github用户email作为kubernetes用户,如fhtjob@hotmail.com
- 创建对应的clusterrole绑定给fhtjob@hotmail.com这个用户
- 给fhtjob@hotmail这个用户创 建一个kubeconfig文件,让改用户可以使用kubectl命令操作集群,且只有部分权限
dex介绍
dex 是一个统一认证的服务,支持各种认证协议如Ouath2 ldap等,自己可以作为一个identity provider,也可以连到别的id provider(如github)上,dex作为一个中间代理.
流程
http://47.52.197.163:5555 http://47.52.197.163:32000 人(浏览器) dex client dex server github kubectl kubernetes server | login(scope) | | | | | |------1-------->| | | | | | |----------2------------->| | | | | | |----------3----------->| | | | | | id_token | | | | | |<---------4------------| callback | | | id_token |<----------5-------------|callback | | | |<-------6-------| | | | | | | | | id_token | | |------------------------------------------------7-------------------------------------------->| id_token | | | | | |----------8------------>| | | | | | | valid? | | | | | | expired? | | | | | | user Authorized? | | | | |<---------9-------------| X<----------------------------------------------10---------------------------------------------| | | | | | | | | | | | | | | | | | | |
- scope: 你需要哪些信息,如邮箱,openid,用户名等
- id_token: 加密后的你需要的信息
- dex client: dex的客户端,比如可以是我们自己写的管理的服务端,会去调用第三方登录的流程,或者我们写的一个网站后台处理登录的逻辑
- dex server: dex的服务端,一边作为client的服务端,另一边其实是github的客户端
- 用户在浏览器发起登录请求
- dexclient把请求重定向给dexserver
- dexserver重定向给github,这时用户就会跳转到github的页面去授权允许访问哪些信息
- github把对应信息加密调用dexserver的回调url(http://47.52.197.163:32000/callback)把信息传给dex server, 注意区分dex client的回调
- dexserver把信息回调给dex client(http://47.52.197.163:5555/callback)
- 浏览器中拿到token
- 把token加到kubeconfig文件中,让kubectl可以使用
- kubectl把token传给kubernetes server, server有 dex server的公钥可以解析token,拿到username, 看是否过期,看授权是否允许执行该动作
- 把执行结果返回给kubectl
环境介绍与注意事项
- 采用云服务器进行该实验,Floatingip是47.52.197.163
- 你需要有一个github账户,我的是github.com/fanux 把email(fhtjob@hotmail.com)作为kubernetes账户
- 服务器上要装golang
- 官方教程有很多坑,建议看我的教程
- 需要有个k8s集群,那么我最推荐的安装方式当然是购买我的安装包哈哈
安装
修改kube apiserver配置
[root@master2 ~]# cat /etc/kubernetes/manifests/kube-apiserver.yaml apiVersion: v1 kind: Pod metadata: annotations: scheduler.alpha.kubernetes.io/critical-pod: "" creationTimestamp: null labels: component: kube-apiserver tier: control-plane name: kube-apiserver namespace: kube-system spec: containers: - command: - kube-apiserver - --oidc-issuer-url=https://47.52.197.163:32000 # 加上这五个参数 - --oidc-client-id=example-app - --oidc-ca-file=/etc/kubernetes/ssl/ca.pem # dex证书,挂载进来的 - --oidc-username-claim=email - --oidc-groups-claim=groups ... - mountPath: /etc/kubernetes/ssl # 把dex的证书挂进去给apiserver使用 name: dex readOnly: true volumes: - hostPath: path: /etc/kubernetes/ssl type: DirectoryOrCreate name: dex
用kubeadm安装的修改/etc/kubernetes/manifests/kube-apiserver.yaml这个文件即可,建议不要直接修改,拷贝出来修改再复制回去,防止kubelet去拉swap文件导致controller manager异常
创建github app
点你github头像,settings->developer settins -> new oauth app
Application name: example-app
Homepage URL:https://47.52.197.163:32000
Authorization callback URL: https://47.52.197.163:32000/callback
URL千万别填错,注意是dex server的URL而不是dex client的5555
然后你就能看到一个ID一个secrect 后面需要用
部署dex
没装go的自己去装。。。
go get github.com/coreos/dex cd $GOPATH/src/github.com/coreos/dex
生成证书
gencert.sh需要改一下,把我们IP加进去
[alt_names] DNS.1 = dex.example.com IP.1 = 47.52.197.163 IP.2 = 172.31.244.238
$ cd examples/k8s $ ./gencert.sh $ cp examples/k8s/ssl /etc/kubernetes # 可曾记得我们挂载的目录
创建secrect,这个会给dex server用
$ kubectl create secret tls dex.example.com.tls --cert=ssl/cert.pem --key=ssl/key.pem
再创建一个secrect给dex server Github OAuth2 客户端用,dex server是github的一个客户端要理解
$ kubectl create secret \ generic github-client \ --from-literal=client-id=$GITHUB_CLIENT_ID \ # 这俩东西替换成在github页面上创建的APP clientid和secrect --from-literal=client-secret=$GITHUB_CLIENT_SECRET
启动dex.yaml,注意代码里直接clone下来的没有配置存储,而且镜像比较老,建议用我的:
apiVersion: extensions/v1beta1 kind: Deployment metadata: labels: app: dex name: dex spec: replicas: 1 template: metadata: labels: app: dex spec: containers: - image: quay.io/coreos/dex:v2.10.0 name: dex command: ["/usr/local/bin/dex", "serve", "/etc/dex/cfg/config.yaml"] ports: - name: https containerPort: 5556 volumeMounts: - name: config mountPath: /etc/dex/cfg - name: data mountPath: /etc/example - name: tls mountPath: /etc/dex/tls env: - name: GITHUB_CLIENT_ID valueFrom: secretKeyRef: name: github-client key: client-id - name: GITHUB_CLIENT_SECRET valueFrom: secretKeyRef: name: github-client key: client-secret volumes: - name: data hostPath: path: /data/example - name: config configMap: name: dex items: - key: config.yaml path: config.yaml - name: tls secret: secretName: dex.example.com.tls --- kind: ConfigMap apiVersion: v1 metadata: name: dex data: config.yaml: | issuer: https://47.52.197.163:32000 storage: type: sqlite3 config: file: /etc/example/dex.db web: https: 0.0.0.0:5556 tlsCert: /etc/dex/tls/tls.crt tlsKey: /etc/dex/tls/tls.key connectors: - type: github id: github name: GitHub config: clientID: $GITHUB_CLIENT_ID clientSecret: $GITHUB_CLIENT_SECRET redirectURI: https://47.52.197.163:32000/callback org: kubernetes oauth2: skipApprovalScreen: true staticClients: - id: example-app redirectURIs: - 'http://47.52.197.163:5555/callback' name: 'Example App' secret: ZXhhbXBsZS1hcHAtc2VjcmV0 enablePasswordDB: true staticPasswords: - email: "admin@example.com" # bcrypt hash of the string "password" hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" username: "admin" userID: "08a8684b-db88-4b73-90a9-3cd1661f5466" --- apiVersion: v1 kind: Service metadata: name: dex spec: type: NodePort ports: - name: dex port: 5556 protocol: TCP targetPort: 5556 nodePort: 32000 selector: app: dex
主要修改了:
- 镜像
- 一些地址,改成自己的IP
- 存储,我改成了sqlite, 需要挂载一个文件进去,在宿主机上创建一个文件
$ touch /data/example/dex.db $ kubectl create -f dex.yaml
启动dex client
编译客户端dex目录下:
make
启动客户端:
$ ./bin/example-app --issuer https://47.52.197.163:32000 --issuer-root-ca examples/k8s/ssl/ca.pem --redirect-uri http://47.52.197.163:5555/callback
浏览器访问获取token
浏览器访问 http://47.52.197.163:5555 ,点击login后能看到 Log in to dex 下面可以选 log in with Email 和 log in with github
点击log in with github 授权后得到:
Token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImMyZWIzYzkwMmM0NDliMTYwMGNjNzNhMWYyNWVjMjI0MDY4NmE0OGMifQ.eyJpc3MiOiJodHRwczovLzQ3LjUyLjE5Ny4xNjM6MzIwMDAiLCJzdWIiOiJDZ2M0T1RFeU5UVTNFZ1puYVhSb2RXSSIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNTI0MDIwNzA3LCJpYXQiOjE1MjM5MzQzMDcsImF0X2hhc2giOiI5czJob0lzUHRlMW9nc3VKemRab1pnIiwiZW1haWwiOiJmaHRqb2JAaG90bWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6InN0ZXZlbiJ9.uJAL08BZioSWPaEFh8R50JQVRw6QXgC1n3sn5ovzaoauy51YFjdSh08UZT8KQon8R5JdZ4U06BczwmOG_tT0mWVd_mDqLnRm6lGpm9znYiC1OLNGZOdzuQVsuxe4Lk1YOvxTsJQtpYuOcXXKkwmdfWNeh4VyZoALiVZxLfL44lSnU55JutLNnGD5S6Aiu6YF0xwlcX5Eq1j2pYtg4isnPtU4k6gbiEYCMPm0Gs3FPljnLT7a-TB1tjZLc4RDwBZ4OoiYRu5mAmH5SHHq1_TS9wDTXX16KlQTG9tS_I11n--1grYTz5WondBoM14BJebDdcSF7nRWJ-I8CU_UYu6gcA Claims: { "iss": "https://47.52.197.163:32000", "sub": "Cgc4OTEyNTU3EgZnaXRodWI", "aud": "example-app", "exp": 1524020707, "iat": 1523934307, "at_hash": "9s2hoIsPte1ogsuJzdZoZg", "email": "fhtjob@hotmail.com", "email_verified": true, "name": "steven" } Refresh Token: Chlrem12bDdmdGJ1dWNlYnk0b2llcWd0YzNqEhloNGhwbmlsZnByZ29mdWdsdWZ6bGp4cHhs
那么 恭喜你成功了, 这个token就是我们要的东西
验证tocken
curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImJjOTU0NjdlM2I0OTE5YWE1OTEzZDNkMDU3NGM2ZTRjYjBjY2NhNzgifQ.eyJpc3MiOiJodHRwczovLzQ3LjUyLjE5Ny4xNjM6MzIwMDAiLCJzdWIiOiJDZ2M0T1RFeU5UVTNFZ1puYVhSb2RXSSIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNTIzOTYyNjUyLCJpYXQiOjE1MjM4NzYyNTIsImF0X2hhc2giOiJFUXRWWm5ObE50c2hhWERfZ3N2UkNBIiwiZW1haWwiOiJmaHRqb2JAaG90bWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6InN0ZXZlbiJ9.vu0keGMoRGg6OAYpMZNN9zm4pnKXGyXDkZaRNj6MXDY9XsfnBDT4HnXkY17Lvm1ow0xPbq9cgVL3JBZT73jiddgFNAIXJffHfPejlVRSqXx9iF1uEcNIc5tDA1hUPtBrX8n_rzdz0sZsPMb4ZYMx3AdEylszpVrS_OelbB4I_2eLfO0KzwcEknOgV8cZZghCCITl6ZTOeeWEv5FPvJjRC2rpu_MkSY5tAf30SITwldFUMgF8ei3aPrZdojPLgqUWtxKaDmPpcHVLhYr0sLE_BnDZLjGP4ff8l5yy_EfDc7sQsrJR7StwZXRnK-n2omqaV3z-n5IxaUty85e_97FA1g" -k https://172.31.244.238:6443/api/v1/namespaces/default/pods
你会发现
{ "kind": "Status", "apiVersion": "v1", "metadata": { }, "status": "Failure", "message": "pods is forbidden: User \"fhtjob@hotmail.com\" cannot list pods in the namespace \"default\"", "reason": "Forbidden", "details": { "kind": "pods" }, "code": 403 }
fhtjob@hotmail.com这个用户没有权限访问pods。我们给他创建一个角色绑定:
[root@master2 dex]# cat examples/k8s/role.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: read-secrets-global subjects: - kind: User name: "fhtjob@hotmail.com" # Name is case sensitive apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: cluster-admin # 超级用户给他 apiGroup: rbac.authorization.k8s.io
$ kubectl create -f examples/k8s/role.yaml
再次curl:
ot@master2 dex]# curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImJjOTU0NjdlM2I0OTE5YWE1OTEzZDNkMDU3NGM2ZTRjYjBjY2NhNzgifQ.eyJpc3MiOiJodHRwczovLzQ3LjUyLjE5Ny4xNjM6MzIwMDAiLCJzdWIiOiJDZ2M0T1RFeU5UVTNFZ1puYVhSb2RXSSIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNTIzOTYyNjUyLCJpYXQiOjE1MjM4NzYyNTIsImF0X2hhc2giOiJFUXRWWm5ObE50c2hhWERfZ3N2UkNBIiwiZW1haWwiOiJmaHRqb2JAaG90bWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6InN0ZXZlbiJ9.vu0keGMoRGg6OAYpMZNN9zm4pnKXGyXDkZaRNj6MXDY9XsfnBDT4HnXkY17Lvm1ow0xPbq9cgVL3JBZT73jiddgFNAIXJffHfPejlVRSqXx9iF1uEcNIc5tDA1hUPtBrX8n_rzdz0sZsPMb4ZYMx3AdEylszpVrS_OelbB4I_2eLfO0KzwcEknOgV8cZZghCCITl6ZTOeeWEv5FPvJjRC2rpu_MkSY5tAf30SITwldFUMgF8ei3aPrZdojPLgqUWtxKaDmPpcHVLhYr0sLE_BnDZLjGP4ff8l5yy_EfDc7sQsrJR7StwZXRnK-n2omqaV3z-n5IxaUty85e_97FA1g" -k https://172.31.244.238:6443/api/v1/namespaces/default/pods { "kind": "PodList", "apiVersion": "v1", "metadata": { "selfLink": "/api/v1/namespaces/default/pods", "resourceVersion": "333066" }, "items": [ { "metadata": { "name": "dex-578588c896-rsp9w", "generateName": "dex-578588c896-", "namespace": "default", "selfLink": "/api/v1/namespaces/default/pods/dex-578588c896-rsp9w",
成功
把tocken加入到证书中
最简单的方式:
[root@master2 dex]# cat ~/.kube/config apiVersion: v1 clusters: - cluster: certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNE1ETXlOekV6TURNMU9Gb1hEVEk0TURNeU5ERXpNRE0xT0Zvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTnl1CldVdWQxNEJjcFgvbU4xQ3dtUnZzRDJyVFF5aGdOQ3FDTGQ5M2VVVzRqbHJCQ0pCUGkzcE9mOXNTVFJELzV3V0YKUUpzOTE5eVZuRmdOOXBHVVRHbjVieHVtNzgrS3lvY20xTnJ3Z1kxUUpnWlZxVUZhQ1I5VDJ1RThBM1lyKzdITAovS3FHMEZ3S05UV0w3Zy85VFAzdmpQMW5XR3NTTElmVHAxMjNaK0lxZHJaQlI0NUZDQzBOQzU4cmxEYUErVFdOCjRVQ2xJalBKRHJuV2M1Z2E4a3NVYXN4UkQ5clR2dm5iOG05V2NEYnhXdEViTlJyS0R6cUp5K00wT1BacDdIY1QKWkhHUnlXTVR3WVhRVGlmWFhxVTY1U2VkdEdjT3ZsOHl0ck1UZndCRkh2Y1NWQW9sNytYUnNicSs4bDRKc0M5OApPN0tOODAxT0dvaUFyWWNFYjRjQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFLcFpoN0t5ZzRLM0dyK0NZRzdwbVlXUGR1eFUKMXcrY1BPZ053OE83MHNFWE5lbnFMbEZVdThtYjMxQTZ4RHZKWHZ4OXNiQ0o5YzdDeDFiaVNNYnFrWlBHRGs4UgpZSm5wZlB4WXBUWlBISmFkK1ZCb2tVY0J3QlluTTB1SXFzZGhvbHhPelVBUU9UbVo5M3UzSi9MeUNob3IwSmlJCm1uQ1hlaHlDaTZ1YTVvTldXNmVNWnlaRWxzRnpXcnlGdHkyNGRKVWkvQkd0SjR2ZStlRmtLTE9VTXpnMjBBU3YKZU1ldkdUL1FibWd1YXZhT1RCdjVDYW05RElSNEZSd2YvV2hwdHpMTVdCVFJXb2ROOUhkcE1tRDhxUmU1YnVWNgpiZ245VFgzejBncUhGMzFQZlBjcTJWRFRJWnJZK084MTBwOTQrbTA5YmxrcTQzSDdXQmhGTmdvditzUT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= server: https://172.31.244.238:6443 name: kubernetes contexts: - context: cluster: kubernetes user: kubernetes-admin name: kubernetes-admin@kubernetes current-context: kubernetes-admin@kubernetes kind: Config preferences: {} users: - name: kubernetes-admin user: token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImJjOTU0NjdlM2I0OTE5YWE1OTEzZDNkMDU3NGM2ZTRjYjBjY2NhNzgifQ.eyJpc3MiOiJodHRwczovLzQ3LjUyLjE5Ny4xNjM6MzIwMDAiLCJzdWIiOiJDZ2M0T1RFeU5UVTNFZ1puYVhSb2RXSSIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNTIzOTY3NDQzLCJpYXQiOjE1MjM4ODEwNDMsImF0X2hhc2giOiJMUzNKUVpiWDVuVnBuam5zSU5nNGZnIiwiZW1haWwiOiJmaHRqb2JAaG90bWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6InN0ZXZlbiJ9.KjKSkqqX1I21rkqF4t39x8YmEFx2yPlQSMFInVeAp4lCRACljMvTY07GSWycEez0SarPtO80dTqcM4buz7WMVPMRuSqg-HuCPB3DjzD4M84OiHZSFB_5xOJIUqP0dWLAuPTalu2T-le4Gp0gPXc863YfLEMzRm8cxbvdASwQrTZ5oKgoRVznDREW3NIgEONUU9A64bBeWi5xH1eyCbvh4l3Q-ZfkYG4A4w46FwAmfL4ClxCBiIkpZWhKv5GcN8bg7-msaNlvlejpvbSuVWpt5CLJzpCXHh1AqCUBkXzp8ObSGGIw1BfkVFnyH26bpho2kAzxbGtdwNx4TdGlu_XYlw
注意把user那的client-certificate-data client-key-data 删掉,加上token, 我这直接在/etc/kubernetes/admin.conf上修改的,也可以重新生成配置文件:
kubectl config set-credentials fanux \ --client-certificate=/etc/kubernetes/pki/ca.crt \ --client-key=/etc/kubernetes/pki/ca.key \ --token=eyJhbGciOiJSUzI1NiIsImtpZCI6ImJjOTU0NjdlM2I0OTE5YWE1OTEzZDNkMDU3NGM2ZTRjYjBjY2NhNzgifQ.eyJpc3MiOiJodHRwczovLzQ3LjUyLjE5Ny4xNjM6MzIwMDAiLCJzdWIiOiJDZ2M0T1RFeU5UVTNFZ1puYVhSb2RXSSIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNTIzOTYyNjUyLCJpYXQiOjE1MjM4NzYyNTIsImF0X2hhc2giOiJFUXRWWm5ObE50c2hhWERfZ3N2UkNBIiwiZW1haWwiOiJmaHRqb2JAaG90bWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6InN0ZXZlbiJ9.vu0keGMoRGg6OAYpMZNN9zm4pnKXGyXDkZaRNj6MXDY9XsfnBDT4HnXkY17Lvm1ow0xPbq9cgVL3JBZT73jiddgFNAIXJffHfPejlVRSqXx9iF1uEcNIc5tDA1hUPtBrX8n_rzdz0sZsPMb4ZYMx3AdEylszpVrS_OelbB4I_2eLfO0KzwcEknOgV8cZZghCCITl6ZTOeeWEv5FPvJjRC2rpu_MkSY5tAf30SITwldFUMgF8ei3aPrZdojPLgqUWtxKaDmPpcHVLhYr0sLE_BnDZLjGP4ff8l5yy_EfDc7sQsrJR7StwZXRnK-n2omqaV3z-n5IxaUty85e_97FA1g \ --embed-certs=true \ --kubeconfig=fanux.config kubectl config set-context kubernetes \ --cluster=kubernetes \ --user=fanux \ --namespace=default \ --kubeconfig=fanux.config kubectl config use-context kubernetes --kubeconfig=fanux.config kubectl config set-cluster kubernetes --server=https://172.31.244.238:6443 --certificate-authority=/etc/kubernetes/pki/ca.key --kubeconfig=fanux.config
验证:
$ kubectl get pod #正常
删除角色绑定再执行get pod
[root@master2 dex]# kubectl delete -f examples/k8s/role.yaml clusterrolebinding.rbac.authorization.k8s.io "read-secrets-global" deleted [root@master2 dex]# kubectl get pod Error from server (Forbidden): pods is forbidden: User "fhtjob@hotmail.com" cannot list pods in the namespace "default"
已经无权限了。
至于给用户分配更细的权限,比较简单,读者门自己倒持去吧
本文转自SegmentFault-kubernetes认证,对接第三方认证系统,对接github认证
低调大师中文资讯倾力打造互联网数据资讯、行业资源、电子商务、移动互联网、网络营销平台。
持续更新报道IT业界、互联网、市场资讯、驱动更新,是最及时权威的产业资讯及硬件资讯报道平台。
转载内容版权归作者及来源网站所有,本站原创内容转载请注明来源。
- 上一篇
kubernetes1.8与1.9.2安装指南,离线安装,内网安装, 使用外部etcd集群,coredns替换方法
使用kubeadm部署k8s集群 三步装集群:离线包地址1.8.1 离线安装包1.9.2 注意1.9.2安装方式见商品页面,与1.8.1有点差别,做一些配置 和脚本的优化 基础环境 关闭swap swapoff -a 再把/etc/fstab文件中带有swap的行删了,没有就无视 装这两工具如果没装的话 yum install -y ebtables socat IPv4 iptables 链设置 CNI插件需要 sysctl net.bridge.bridge-nf-call-iptables=1 墙外安装 在国内是很难使用这种方式安装了,推荐查看离线安装的方案 装docker yum install -y docker systemctl enable docker && systemctl start docker 装kubeadm kubectl kubelet cat <<EOF > /etc/yum.repos.d/kubernetes.repo [kubernetes] name=Kubernetes baseurl=https://pa...
- 下一篇
kubernetes1.9安装dashboard,以及token认证问题
写在前面 dashboard的安装非常简单。但按照官网建议的方式安装完成后,输入token登录时会没有反应。 这个问题困扰了我一整天,最终在这里找到了答案。 原因如下: 按官方文档建议的方式安装完dashboard后,使用kubectl proxy代理的方式来 访问webUI。使用这个代理的方式访问就会导致登录无响应的问题。我们需要将dashboard的service类型改为NodePort,将端口映射到虚拟机上,然后直接通过虚拟机的ip地址登录 安装dashboard 首先下载官网提供的dashboard.yaml wget https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml 修改yaml,添加NodePort. kind: Service apiVersion: v1 metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard...
相关文章
文章评论
共有0条评论来说两句吧...
文章二维码
点击排行
推荐阅读
最新文章
- CentOS8,CentOS7,CentOS6编译安装Redis5.0.7
- SpringBoot2整合Redis,开启缓存,提高访问速度
- CentOS7,8上快速安装Gitea,搭建Git服务器
- Docker使用Oracle官方镜像安装(12C,18C,19C)
- CentOS关闭SELinux安全模块
- SpringBoot2初体验,简单认识spring boot2并且搭建基础工程
- MySQL8.0.19开启GTID主从同步CentOS8
- Hadoop3单机部署,实现最简伪集群
- 设置Eclipse缩进为4个空格,增强代码规范
- CentOS7,CentOS8安装Elasticsearch6.8.6