2019独角兽企业重金招聘Python工程师标准>>> 
1 部署 dashboard
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
2 修改dashborad以nodeport方式访问
kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
3 创建属于dashboard的 serviceaccount
kubectl create serviceaccount dashboard-admin -n kube-system查看serviceaccount
kubectl get serviceaccount -n kube-system | grep dashboard-admin
4 创建clusterrolebinding
创建clusterrolebinding 绑定clusterrole 使用serviceaccount认证
kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin我们使用clusterrolebinding 绑定了clusterrole基本上拥有了跟个集群资源的所有权限,如果细化授权需要使用rolebinding绑定clusterrole指定命名空间即可
5 查看生成的token
查看生成的token
# kubectl get secret -n kube-system | grep dashboard-admin*
dashboard-admin-token-97wz7 kubernetes.io/service-account-token 3 19h
6 查看令牌
kubectl describe secret dashboard-admin-token-97wz7 -n kube-system
Name: dashboard-admin-token-97wz7
Namespace: kube-system
Labels:
Annotations: kubernetes.io/service-account.name: dashboard-adminkubernetes.io/service-account.uid: 7e681606-684b-11e9-b76a-000c29980aeeType: kubernetes.io/service-account-tokenData
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9yZC1hZG1pbi10b2tlbi05N3d6NyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkYXNoYm9yZC1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjdlNjgxNjA2LTY4NGItMTFlOS1iNzZhLTAwMGMyOTk4MGFlZSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTpkYXNoYm9yZC1hZG1pbiJ9.b67GEYZEK_KZC9decv6KeXGhp9PFCrew9xQTWQ_HkGaerjlEkSX2JE3OVRpPGF84hcbYgfBjvCrAIVNmJmjprMIZCsLeCx3-EXJ93zka4tv1huFaywWDsi4wF3TF9tfYfculHSRuZyAKFenN4UiLPVGK954zUZpM_Rpq3SBpiaw8-HM2CRz0ws8ELpRk5UGRRCAboRB_2hkHbtv36p6qyYbrdSG7gjj-xdw_ncAq6H-Vvdx2j3A6q7cgt9erYvGXwnPdfXePcxPr7BfVwFxm4w2tkb4k-fNxWfQYe6wiJiV907tMpwooX_nx_WQ-dIGtiDEDVJU0sOP85Fy1XI4yxw
6 查看nodeport端口
kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10
kubernetes-dashboard NodePort 10.98.179.47
7 使用令牌登录dashboard
https://10.10.25.150:31559
8 如果只给default命名空间的权限呢?
1) 创建一个default的serviceaccount
kubectl create serviceaccount default-admin
2)使用rolebinding绑定clusterrole
kubectl create rolebinding default-admin --clusterrole=admin --serviceaccount=default:default-admin
3)获取secret
kubectl get secret | grep default-admin*
NAME TYPE DATA AGE
default-admin-token-476jp kubernetes.io/service-account-token 3 3m2s
4)查看token值
kubectl describe secret default-admin-token-476jpName: default-admin-token-476jp
Namespace: default
Labels:
Annotations: kubernetes.io/service-account.name: default-adminkubernetes.io/service-account.uid: 609fe45a-68da-11e9-b76a-000c29980aeeType: kubernetes.io/service-account-tokenData
====
ca.crt: 1025 bytes
namespace: 7 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtYWRtaW4tdG9rZW4tNDc2anAiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdC1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjYwOWZlNDVhLTY4ZGEtMTFlOS1iNzZhLTAwMGMyOTk4MGFlZSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQtYWRtaW4ifQ.D-0fw1cqEsp1xu98hBMv9fNyuF_lu2BGMWEUhvcEiC55po55Kml0p8D92tCe88RMeuh8no_a-WN2hX44DWibMUioxUFIEtiSVztGBlhDMWEQkFjQDkLtRX5_AefYXkVTk6vS-3KyUCieExPtmNKH87oScIOKmVmulK0qT3gZ1mNsuiwPo_w6muZ4n90PUT1oK-QhH7gms1J5kwU5y0TYVzcqTcck9OSVMcD5CQ3QhfrK_gU_vEYk7P1G5oqaYYKMZMlxg3aH-Q15mfMzyvLDTnNepGIJHXlZv7IZDScmAJgfbT3w5var86LimNXQ92cMemBmbRAywSMm8Gimizd6Jg
5)使用token登录即可
京公网安备 11010802041100号