我正在使用谷歌云平台和Kubernetes。
我正在尝试找出我应该使用哪个令牌才能登录到仪表板,并拥有足够的权限来执行我的操作。
我在Google云平台上创建了一个3节点的Kubernetes 1.8.6集群
my developer desktop是macos high sierra 10.13.2上的Mac Pro(2013年末),安装了google cloud sdk和kubernetes cli,由homebrew提供。
~ â¯â¯â¯ kubectl version â 1
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.1", GitCommit:"3a1c9449a956b6026f075fa3134ff92f7d55f812", GitTreeState:"clean", BuildDate:"2018-01-04T20:00:41Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"8+", GitVersion:"v1.8.6-gke.0", GitCommit:"ee9a97661f14ee0b1ca31d6edd30480c89347c79", GitTreeState:"clean", BuildDate:"2018-01-05T03:36:42Z", GoVersion:"go1.8.3b4", Compiler:"gc", Platform:"linux/amd64"}
和
~ â¯â¯â¯ gcloud version
Google Cloud SDK 184.0.0
bq 2.0.28
core 2018.01.05
gsutil 4.28
我在文档中读到,为仪表板创建管理员用户是不安全的,不幸的是,仪表板pod的所有权限都让我有点困惑。
当我执行
kubectl get secrets -n kube-system
并用
kubectl get secret <TOKEN_NAME> -n=kube-system -o json | jq -r '.data["token"]' | base64 -D > user_token.txt
然后使用我用命令启动的kubectl web代理登录
kubectl proxy
,当我尝试查看仪表板web界面中的任何页面时,会出现许多权限错误。我可能没有使用正确的标记。。或者我需要创建一个新令牌。
有没有一种方法可以查看令牌的权限,这样我就可以在登录之前知道我实际使用的是什么?
使现代化
所以我运行kubectl来获取kube系统名称空间中的所有秘密令牌:
~ â¯â¯â¯ kubectl get secrets -n kube-system
NAME TYPE DATA AGE
attachdetach-controller-token-4pp92 kubernetes.io/service-account-token 3 10m
certificate-controller-token-bqnjp kubernetes.io/service-account-token 3 10m
cloud-provider-token-ltbnh kubernetes.io/service-account-token 3 10m
cronjob-controller-token-84cl9 kubernetes.io/service-account-token 3 10m
daemon-set-controller-token-ncz5r kubernetes.io/service-account-token 3 10m
default-token-fpmht kubernetes.io/service-account-token 3 10m
deployment-controller-token-4xc8k kubernetes.io/service-account-token 3 10m
disruption-controller-token-9gdqg kubernetes.io/service-account-token 3 10m
endpoint-controller-token-gr29m kubernetes.io/service-account-token 3 10m
event-exporter-sa-token-6klz5 kubernetes.io/service-account-token 3 10m
fluentd-gcp-token-s2kk4 kubernetes.io/service-account-token 3 10m
generic-garbage-collector-token-tqbqz kubernetes.io/service-account-token 3 10m
heapster-token-7pgmr kubernetes.io/service-account-token 3 10m
horizontal-pod-autoscaler-token-74v57 kubernetes.io/service-account-token 3 10m
job-controller-token-2skhj kubernetes.io/service-account-token 3 10m
kube-dns-autoscaler-token-wc9gz kubernetes.io/service-account-token 3 10m
kube-dns-token-nx2tf kubernetes.io/service-account-token 3 10m
kubernetes-dashboard-certs Opaque 0 10m
kubernetes-dashboard-key-holder Opaque 2 9m
kubernetes-dashboard-token-zxp7n kubernetes.io/service-account-token 3 10m
namespace-controller-token-tz54r kubernetes.io/service-account-token 3 10m
node-controller-token-m2w7k kubernetes.io/service-account-token 3 10m
persistent-volume-binder-token-6sfkt kubernetes.io/service-account-token 3 10m
pod-garbage-collector-token-zqxhd kubernetes.io/service-account-token 3 10m
replicaset-controller-token-8n6b7 kubernetes.io/service-account-token 3 10m
replication-controller-token-nb2tw kubernetes.io/service-account-token 3 10m
resourcequota-controller-token-blhfg kubernetes.io/service-account-token 3 10m
route-controller-token-c5ns6 kubernetes.io/service-account-token 3 10m
service-account-controller-token-zptxc kubernetes.io/service-account-token 3 10m
service-controller-token-75hht kubernetes.io/service-account-token 3 10m
statefulset-controller-token-fhpk8 kubernetes.io/service-account-token 3 10m
ttl-controller-token-5vwln kubernetes.io/service-account-token 3 10m
然后我执行了
kubectl get secret kubernetes-dashboard-token-zxp7n -n=kube-system -o json | jq -r '.data["token"]' | base64 -D > user_token.txt
并使用该令牌登录。
登录后,我收到以下消息:
warning
configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list configmaps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list persistentvolumeclaims in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
secrets is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list secrets in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
services is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list services in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
ingresses.extensions is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list ingresses.extensions in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
daemonsets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list daemonsets.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
pods is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list pods in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
events is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list events in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
deployments.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list deployments.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
replicasets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list replicasets.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
jobs.batch is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list jobs.batch in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
cronjobs.batch is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list cronjobs.batch in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
replicationcontrollers is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list replicationcontrollers in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
statefulsets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list statefulsets.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
知道为什么吗?