
Which token to use when logging in to the Kubernetes dashboard on Google Cloud Platform

  •  4
  • ufk  · 6 years ago

    I'm using Google Cloud Platform and Kubernetes.

    I'm trying to figure out which token I should use to log in to the dashboard with enough permissions to do what I need.

    I created a 3-node Kubernetes 1.8.6 cluster on Google Cloud Platform.

    My developer desktop is a Mac Pro (late 2013) running macOS High Sierra 10.13.2, with the Google Cloud SDK and the Kubernetes CLI installed from Homebrew.

    ~ ❯❯❯ kubectl version
    Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.1", GitCommit:"3a1c9449a956b6026f075fa3134ff92f7d55f812", GitTreeState:"clean", BuildDate:"2018-01-04T20:00:41Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"darwin/amd64"}
    Server Version: version.Info{Major:"1", Minor:"8+", GitVersion:"v1.8.6-gke.0", GitCommit:"ee9a97661f14ee0b1ca31d6edd30480c89347c79", GitTreeState:"clean", BuildDate:"2018-01-05T03:36:42Z", GoVersion:"go1.8.3b4", Compiler:"gc", Platform:"linux/amd64"}
    

    ~ ❯❯❯ gcloud version
    Google Cloud SDK 184.0.0
    bq 2.0.28
    core 2018.01.05
    gsutil 4.28
    

    I read in the documentation that creating an admin user for the dashboard is insecure, and unfortunately all the permissions of the dashboard pod confuse me a bit.

    When I run `kubectl get secrets -n kube-system` and extract a token with `kubectl get secret <TOKEN_NAME> -n=kube-system -o json | jq -r '.data["token"]' | base64 -D > user_token.txt`

    and then log in through the kubectl web proxy that I start with `kubectl proxy`, I get many permission errors when I try to view any page in the dashboard web UI. I'm probably not using the right token... or I need to create a new token.

    Is there a way to see a token's permissions, so I know what I'm actually using before logging in?

    UPDATE

    So I ran kubectl to get all the secret tokens in the kube-system namespace:

    ~ ❯❯❯ kubectl get secrets -n kube-system
    NAME                                     TYPE                                  DATA      AGE
    attachdetach-controller-token-4pp92      kubernetes.io/service-account-token   3         10m
    certificate-controller-token-bqnjp       kubernetes.io/service-account-token   3         10m
    cloud-provider-token-ltbnh               kubernetes.io/service-account-token   3         10m
    cronjob-controller-token-84cl9           kubernetes.io/service-account-token   3         10m
    daemon-set-controller-token-ncz5r        kubernetes.io/service-account-token   3         10m
    default-token-fpmht                      kubernetes.io/service-account-token   3         10m
    deployment-controller-token-4xc8k        kubernetes.io/service-account-token   3         10m
    disruption-controller-token-9gdqg        kubernetes.io/service-account-token   3         10m
    endpoint-controller-token-gr29m          kubernetes.io/service-account-token   3         10m
    event-exporter-sa-token-6klz5            kubernetes.io/service-account-token   3         10m
    fluentd-gcp-token-s2kk4                  kubernetes.io/service-account-token   3         10m
    generic-garbage-collector-token-tqbqz    kubernetes.io/service-account-token   3         10m
    heapster-token-7pgmr                     kubernetes.io/service-account-token   3         10m
    horizontal-pod-autoscaler-token-74v57    kubernetes.io/service-account-token   3         10m
    job-controller-token-2skhj               kubernetes.io/service-account-token   3         10m
    kube-dns-autoscaler-token-wc9gz          kubernetes.io/service-account-token   3         10m
    kube-dns-token-nx2tf                     kubernetes.io/service-account-token   3         10m
    kubernetes-dashboard-certs               Opaque                                0         10m
    kubernetes-dashboard-key-holder          Opaque                                2         9m
    kubernetes-dashboard-token-zxp7n         kubernetes.io/service-account-token   3         10m
    namespace-controller-token-tz54r         kubernetes.io/service-account-token   3         10m
    node-controller-token-m2w7k              kubernetes.io/service-account-token   3         10m
    persistent-volume-binder-token-6sfkt     kubernetes.io/service-account-token   3         10m
    pod-garbage-collector-token-zqxhd        kubernetes.io/service-account-token   3         10m
    replicaset-controller-token-8n6b7        kubernetes.io/service-account-token   3         10m
    replication-controller-token-nb2tw       kubernetes.io/service-account-token   3         10m
    resourcequota-controller-token-blhfg     kubernetes.io/service-account-token   3         10m
    route-controller-token-c5ns6             kubernetes.io/service-account-token   3         10m
    service-account-controller-token-zptxc   kubernetes.io/service-account-token   3         10m
    service-controller-token-75hht           kubernetes.io/service-account-token   3         10m
    statefulset-controller-token-fhpk8       kubernetes.io/service-account-token   3         10m
    ttl-controller-token-5vwln               kubernetes.io/service-account-token   3         10m
    

    Then I ran

    kubectl get secret kubernetes-dashboard-token-zxp7n -n=kube-system -o json | jq -r '.data["token"]' | base64 -D > user_token.txt
    

    and logged in with that token.

    After logging in I got the following messages:

    configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list configmaps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
    persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list persistentvolumeclaims in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
    secrets is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list secrets in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
    services is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list services in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
    ingresses.extensions is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list ingresses.extensions in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
    daemonsets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list daemonsets.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
    pods is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list pods in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
    events is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list events in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
    deployments.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list deployments.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
    replicasets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list replicasets.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
    jobs.batch is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list jobs.batch in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
    cronjobs.batch is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list cronjobs.batch in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
    replicationcontrollers is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list replicationcontrollers in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
    statefulsets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list statefulsets.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
    

    Any idea why?
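    As an added example (not part of the original question or any of the answers), here is one way to know what you are holding before pasting a token into the dashboard. A service-account token of the kind extracted above is a JWT whose payload names the namespace and service account it was minted for, so decoding the payload tells you which identity the dashboard will act as; the script then emits `kubectl auth can-i <verb> <resource> --as=<subject>` commands, which ask the API server (via SubjectAccessReview) the same question the "forbidden" messages above answer only after the fact. The token in the script is a constructed sample with a fake signature, and `DASHBOARD_CHECKS` and the function names are my own; the decoder deliberately does not verify the signature, which makes it fine for inspection but useless for authentication.

```python
import base64
import json
import shlex

# Constructed sample: the claims a Kubernetes service-account token carries.
# Built here for illustration only; not a real cluster token, fake signature.
_SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/secret.name": "kubernetes-dashboard-token-zxp7n",
    "kubernetes.io/serviceaccount/service-account.name": "kubernetes-dashboard",
    "sub": "system:serviceaccount:kube-system:kubernetes-dashboard",
}


def _b64url(raw: bytes) -> str:
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token() -> str:
    """Assemble header.payload.signature for the constructed sample above."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(_SAMPLE_CLAIMS).encode())
    return f"{header}.{payload}.{_b64url(b'fake-signature')}"


def jwt_payload(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.

    Enough to see whose token you hold; never use this to authenticate
    anything (the API server checks the signature, this code does not).
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_subject(token: str) -> str:
    """Return the username the API server will see for this token."""
    claims = jwt_payload(token)
    sub = claims.get("sub")
    if not sub:
        # Older tokens may lack 'sub'; the service-account claims give the same name.
        ns = claims["kubernetes.io/serviceaccount/namespace"]
        name = claims["kubernetes.io/serviceaccount/service-account.name"]
        sub = f"system:serviceaccount:{ns}:{name}"
    return sub


# A few of the list calls the dashboard makes on its overview page (my selection).
DASHBOARD_CHECKS = [
    ("list", "pods"),
    ("list", "secrets"),
    ("list", "configmaps"),
    ("list", "deployments.apps"),
]


def can_i_commands(subject: str, namespace: str = "default") -> list:
    """Build impersonation checks; run them with an identity that may impersonate
    (a GKE project owner normally can). Each prints 'yes' or 'no'."""
    return [
        f"kubectl auth can-i {verb} {res} -n {shlex.quote(namespace)} --as={shlex.quote(subject)}"
        for verb, res in DASHBOARD_CHECKS
    ]


if __name__ == "__main__":
    tok = make_sample_token()
    print("token belongs to:", token_subject(tok))
    for cmd in can_i_commands(token_subject(tok)):
        print(cmd)
```

    Feed a real token in with `python3 inspect_token.py < user_token.txt` after replacing `make_sample_token()` with `sys.stdin.read()`. Running the generated checks against a 1.8 cluster before logging in shows the same denials the dashboard reports, and tells you whether the fix is a different token or an RBAC binding for this service account. The `kube-system` controller tokens listed above are not interchangeable: each is a different subject with its own bindings, which is why picking one at random gives these results.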

    5 answers
        1
  •  16
  •   Minos Pong    6 years ago

    Connect to the cluster with `gcloud container clusters get-credentials`. Then get the access token for the current context with the following command:

    kubectl config view | grep -A10 "name: $(kubectl config current-context)" | awk '$1=="access-token:"{print $2}'
    
        2
  •  5
  •   eastlondoner    6 years ago

    `gcloud` does not put the credentials into the kubeconfig; it keeps them in its own file.

    With GKE you can get a token for your gcloud account, which is much better than reusing a token from a service account.

    Assuming you have `jq` installed, you can get your personal access token like this:

    # full subcommand is `container clusters get-credentials`; `gcloud get-credentials` does not exist
    gcloud container clusters get-credentials <GKE cluster name> --zone <zone> --project <project>
    # -r prints the bare token without the surrounding JSON quotes
    gcloud config config-helper --format=json | jq -r .credential.access_token
    
        3
  •  4
  •   Marian Saeger    6 years ago

    I ran into the same problem. In my case the solution was to take the token from `kubectl config view`:

    [...]
    users:
    - name: <YOUR CLUSTER NAME>
      user:
        auth-provider:
          config:
            access-token: <YOUR ACCESS TOKEN>
            cmd-args: config config-helper --format=json
            cmd-path: /usr/local/lib/google-cloud-sdk/bin/gcloud
            expiry: 2018-02-12T13:36:51Z
            expiry-key: '{.credential.token_expiry}'
            token-key: '{.credential.access_token}'
          name: gcp
    [...]
    
        4
  •  4
  •   Borek Bernard    6 years ago

    A more robust alternative to this answer is to use jsonpath:

    kubectl config view -o jsonpath="{.users[?(@.name == \"$(kubectl config current-context)\")].user.auth-provider.config.access-token}"
    
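    The three answers above pull the cached gcp access token out of the kubeconfig by matching `users[].name` against the current context name, which works on GKE only because `gcloud` names the context, cluster and user identically. As an added example (my code, not from any of the answers or from Google), this resolves the token the way kubectl does, from `current-context` to the context's `user` entry, and also checks the `expiry` field shown in the config above, because this token is a short-lived OAuth access token for your Google account and pasting an expired one into the dashboard just yields another login failure. The kubeconfig is a constructed sample in the JSON shape of `kubectl config view -o json`, with fake names and a placeholder token; `parse_utc` and the function names are my own.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `kubectl config view -o json` for one GKE cluster.
# Names are invented and the token is a placeholder, not a real credential.
SAMPLE_KUBECONFIG = json.dumps({
    "current-context": "gke_my-project_europe-west1-b_my-cluster",
    "contexts": [{
        "name": "gke_my-project_europe-west1-b_my-cluster",
        "context": {
            "cluster": "gke_my-project_europe-west1-b_my-cluster",
            "user": "gke_my-project_europe-west1-b_my-cluster",
        },
    }],
    "users": [{
        "name": "gke_my-project_europe-west1-b_my-cluster",
        "user": {"auth-provider": {"name": "gcp", "config": {
            "access-token": "ya29.EXAMPLE-TOKEN",
            "expiry": "2018-02-12T13:36:51Z",
            "cmd-path": "/usr/local/lib/google-cloud-sdk/bin/gcloud",
            "cmd-args": "config config-helper --format=json",
            "expiry-key": "{.credential.token_expiry}",
            "token-key": "{.credential.access_token}",
        }}},
    }],
})


def parse_utc(stamp: str) -> datetime:
    """Parse the RFC 3339 'Z' timestamps kubectl writes into the expiry field."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _named(items, name, kind):
    """Find the kubeconfig list entry called `name` and return its `kind` body."""
    for item in items:
        if item.get("name") == name:
            return item[kind]
    raise KeyError(f"{kind} {name!r} not found in kubeconfig")


def current_gcp_token(kubeconfig_json: str, now: datetime = None) -> dict:
    """Resolve current-context -> context.user -> users[].user.auth-provider.config
    and return the cached access token together with whether it is still valid."""
    cfg = json.loads(kubeconfig_json)
    ctx = _named(cfg["contexts"], cfg["current-context"], "context")
    user = _named(cfg["users"], ctx["user"], "user")
    provider = user.get("auth-provider") or {}
    if provider.get("name") != "gcp":
        raise ValueError(f"user {ctx['user']!r} does not use the gcp auth-provider")
    conf = provider.get("config") or {}
    token = conf.get("access-token")
    if not token:
        # gcloud only writes the token after kubectl has used the provider once.
        raise ValueError("no cached access-token; run any kubectl command against the cluster first")
    expiry = parse_utc(conf["expiry"])
    now = now or datetime.now(timezone.utc)
    return {"user": ctx["user"], "token": token, "expiry": expiry, "valid": now < expiry}


if __name__ == "__main__":
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KUBECONFIG
    info = current_gcp_token(raw)
    print(info["token"] if info["valid"] else f"token for {info['user']} expired at {info['expiry']:%Y-%m-%dT%H:%M:%SZ}")
```

    Use it with `kubectl config view -o json --raw | python3 gcp_token.py` (`--raw` matters on kubectl versions that print `REDACTED` for tokens in `config view`). Because this is your own Google identity, the dashboard gets every permission your IAM role grants for the token's lifetime, so refresh it by running any kubectl command rather than storing it anywhere. One caveat for readers on current clusters: the in-tree `gcp` auth-provider shown in these answers was removed from kubectl in v1.26 in favour of the `gke-gcloud-auth-plugin` exec plugin, which does not cache the token in the kubeconfig, so on such setups `gcloud config config-helper --format=json` from answer 2 remains the way to obtain it.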
        5
  •  0
  •   Arslanbekov Denis    6 years ago

    All secrets in the `kube-system` namespace have full access. You can create a new secret; it needs to be authorized by following this guide.