About Kubernetes: K8S notes on fixing the warnings shown on first login to the K8S dashboard

After the K8S dashboard has been deployed, the first login usually shows a long list of warnings in the notification panel at the top right:

configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "configmaps" in API group "" in the namespace "default"
persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "persistentvolumeclaims" in API group "" in the namespace "default"
secrets is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "secrets" in API group "" in the namespace "default"
services is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "services" in API group "" in the namespace "default"
ingresses.extensions is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "ingresses" in API group "extensions" in the namespace "default"
daemonsets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "daemonsets" in API group "apps" in the namespace "default"
pods is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "pods" in API group "" in the namespace "default"
events is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "events" in API group "" in the namespace "default"
deployments.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "deployments" in API group "apps" in the namespace "default"
replicasets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "replicasets" in API group "apps" in the namespace "default"
jobs.batch is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "jobs" in API group "batch" in the namespace "default"
cronjobs.batch is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "cronjobs" in API group "batch" in the namespace "default"
replicationcontrollers is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "replicationcontrollers" in API group "" in the namespace "default"
statefulsets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "statefulsets" in API group "apps" in the namespace "default"

This is an RBAC permission problem: the dashboard's service account has no role that allows it to list these resources.

At this point the dashboard cannot be used normally. It is empty (no namespaces, for example) and cannot retrieve any cluster information.

Solution:
First create an account, then create a clusterrole with full permissions, and bind the two together with a clusterrolebinding.

When the dashboard yaml was installed, a service account (serviceaccount) named kubernetes-dashboard was already created. View its details:

[root@k8s-master k8s-install]# kubectl describe serviceaccount/kubernetes-dashboard -n kube-system
Name:                kubernetes-dashboard
Namespace:           kube-system
Labels:              k8s-app=kubernetes-dashboard
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   kubernetes-dashboard-token-csmm7
Tokens:              kubernetes-dashboard-token-csmm7
Events:              <none>

After the kubernetes cluster is installed, a number of clusterroles (cluster-level permission objects) are generated automatically. They can be listed with the following command:

[root@k8s-master k8s-install]# kubectl get clusterroles
NAME                                                                   CREATED AT
admin                                                                  2022-02-18T07:35:48Z
cluster-admin                                                          2022-02-18T07:35:48Z
edit                                                                   2022-02-18T07:35:48Z
flannel                                                                2022-02-18T08:54:43Z
kubeadm:get-nodes                                                      2022-02-18T07:35:50Z
kubernetes-dashboard                                                   2022-06-07T05:37:31Z
system:aggregate-to-admin                                              2022-02-18T07:35:48Z
system:aggregate-to-edit                                               2022-02-18T07:35:48Z
system:aggregate-to-view                                               2022-02-18T07:35:48Z
system:auth-delegator                                                  2022-02-18T07:35:48Z
system:basic-user                                                      2022-02-18T07:35:48Z
system:certificates.k8s.io:certificatesigningrequests:nodeclient       2022-02-18T07:35:48Z
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   2022-02-18T07:35:48Z
system:certificates.k8s.io:kube-apiserver-client-approver              2022-02-18T07:35:48Z
system:certificates.k8s.io:kube-apiserver-client-kubelet-approver      2022-02-18T07:35:48Z
system:certificates.k8s.io:kubelet-serving-approver                    2022-02-18T07:35:48Z
system:certificates.k8s.io:legacy-unknown-approver                     2022-02-18T07:35:48Z
system:controller:attachdetach-controller                              2022-02-18T07:35:48Z
system:controller:certificate-controller                               2022-02-18T07:35:48Z
system:controller:clusterrole-aggregation-controller                   2022-02-18T07:35:48Z
system:controller:cronjob-controller                                   2022-02-18T07:35:48Z
system:controller:daemon-set-controller                                2022-02-18T07:35:48Z
system:controller:deployment-controller                                2022-02-18T07:35:48Z
system:controller:disruption-controller                                2022-02-18T07:35:48Z
system:controller:endpoint-controller                                  2022-02-18T07:35:48Z
system:controller:endpointslice-controller                             2022-02-18T07:35:48Z
system:controller:endpointslicemirroring-controller                    2022-02-18T07:35:48Z
system:controller:ephemeral-volume-controller                          2022-02-18T07:35:48Z
system:controller:expand-controller                                    2022-02-18T07:35:48Z
system:controller:generic-garbage-collector                            2022-02-18T07:35:48Z
system:controller:horizontal-pod-autoscaler                            2022-02-18T07:35:48Z
system:controller:job-controller                                       2022-02-18T07:35:48Z
system:controller:namespace-controller                                 2022-02-18T07:35:48Z
system:controller:node-controller                                      2022-02-18T07:35:48Z
system:controller:persistent-volume-binder                             2022-02-18T07:35:48Z
system:controller:pod-garbage-collector                                2022-02-18T07:35:48Z
system:controller:pv-protection-controller                             2022-02-18T07:35:48Z
system:controller:pvc-protection-controller                            2022-02-18T07:35:48Z
system:controller:replicaset-controller                                2022-02-18T07:35:48Z
system:controller:replication-controller                               2022-02-18T07:35:48Z
system:controller:resourcequota-controller                             2022-02-18T07:35:48Z
system:controller:root-ca-cert-publisher                               2022-02-18T07:35:48Z
system:controller:route-controller                                     2022-02-18T07:35:48Z
system:controller:service-account-controller                           2022-02-18T07:35:48Z
system:controller:service-controller                                   2022-02-18T07:35:48Z
system:controller:statefulset-controller                               2022-02-18T07:35:48Z
system:controller:ttl-after-finished-controller                        2022-02-18T07:35:48Z
system:controller:ttl-controller                                       2022-02-18T07:35:48Z
system:coredns                                                         2022-02-18T07:35:50Z
system:discovery                                                       2022-02-18T07:35:48Z
system:heapster                                                        2022-02-18T07:35:48Z
system:kube-aggregator                                                 2022-02-18T07:35:48Z
system:kube-controller-manager                                         2022-02-18T07:35:48Z
system:kube-dns                                                        2022-02-18T07:35:48Z
system:kube-scheduler                                                  2022-02-18T07:35:48Z
system:kubelet-api-admin                                               2022-02-18T07:35:48Z
system:monitoring                                                      2022-02-18T07:35:48Z
system:node                                                            2022-02-18T07:35:48Z
system:node-bootstrapper                                               2022-02-18T07:35:48Z
system:node-problem-detector                                           2022-02-18T07:35:48Z
system:node-proxier                                                    2022-02-18T07:35:48Z
system:persistent-volume-provisioner                                   2022-02-18T07:35:48Z
system:public-info-viewer                                              2022-02-18T07:35:48Z
system:service-account-issuer-discovery                                2022-02-18T07:35:48Z
system:volume-scheduler                                                2022-02-18T07:35:48Z
view                                                                   2022-02-18T07:35:48Z

Look at the cluster administrator role cluster-admin in detail; the * means every verb on every resource (and every non-resource URL):

[root@k8s-master k8s-install]# kubectl describe clusterroles cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]

Bind the service account kubernetes-dashboard to the cluster-admin cluster administrator role:

[root@k8s-master k8s-install]# cat kubernetes-dashboard-ClusterRoleBinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

Apply it:

[root@k8s-master k8s-install]# kubectl create -f kubernetes-dashboard-ClusterRoleBinding.yaml
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created

Note:
Do not get the apiVersion wrong. The binding above uses rbac.authorization.k8s.io/v1; with the old rbac.authorization.k8s.io/v1beta1 the following error is reported:

[root@k8s-master k8s-install]# kubectl create -f kubernetes-dashboard-ClusterRoleBinding.yaml
error: unable to recognize "kubernetes-dashboard-ClusterRoleBinding.yaml": no matches for kind "ClusterRoleBinding" in version "rbac.authorization.k8s.io/v1beta1"

Check that the binding was created successfully:

[root@k8s-master k8s-install]# kubectl get clusterrolebindings kubernetes-dashboard
NAME                   ROLE                        AGE
kubernetes-dashboard   ClusterRole/cluster-admin   33s
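The fix above binds the kubernetes-dashboard service account to cluster-admin, which is every verb on every resource cluster-wide. As an added example (not the author's code), the Python below parses the "is forbidden" messages from the top of this page and derives a ClusterRole that grants only the denied verbs on the denied resources; the role name kubernetes-dashboard-minimal and the three sample messages are constructed for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample: three of the "is forbidden" lines the dashboard showed on first login.
FORBIDDEN_MESSAGES = [
    'configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" '
    'cannot list resource "configmaps" in API group "" in the namespace "default"',
    'secrets is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" '
    'cannot list resource "secrets" in API group "" in the namespace "default"',
    'deployments.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" '
    'cannot list resource "deployments" in API group "apps" in the namespace "default"',
]

# RBAC denial format returned by the API server; the namespace tail is absent for cluster-scoped resources.
DENIAL_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"(?: in the namespace "(?P<namespace>[^"]+)")?'
)

def parse_denials(messages):
    """Extract user, verb, resource, group and namespace from each denial; non-matching lines are skipped."""
    return [m.groupdict() for m in (DENIAL_RE.search(s) for s in messages) if m]

def derive_rules(denials):
    """Build PolicyRules that grant exactly the denied verbs on the denied resources, grouped by apiGroup."""
    verbs_by_target = defaultdict(set)  # (group, resource) -> {verb, ...}
    for d in denials:
        verbs_by_target[(d["group"], d["resource"])].add(d["verb"])
    grouped = defaultdict(list)  # (group, sorted verbs) -> [resource, ...]
    for (group, resource), verbs in verbs_by_target.items():
        grouped[(group, tuple(sorted(verbs)))].append(resource)
    return [{"apiGroups": [group], "resources": sorted(res), "verbs": list(verbs)}
            for (group, verbs), res in sorted(grouped.items())]

def render_clusterrole(name, rules):
    """Render the rules as a ClusterRole manifest; JSON lists are valid YAML flow sequences."""
    lines = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: ClusterRole",
             "metadata:", f"  name: {name}", "rules:"]
    for r in rules:
        lines.append(f"- apiGroups: {json.dumps(r['apiGroups'])}")
        lines.append(f"  resources: {json.dumps(r['resources'])}")
        lines.append(f"  verbs: {json.dumps(r['verbs'])}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # "kubernetes-dashboard-minimal" is a hypothetical role name chosen for this example.
    print(render_clusterrole("kubernetes-dashboard-minimal", derive_rules(parse_denials(FORBIDDEN_MESSAGES))))
```

After applying the generated role and a ClusterRoleBinding to it, `kubectl auth can-i list secrets --as=system:serviceaccount:kube-system:kubernetes-dashboard -n default` confirms the grant without logging in to the dashboard.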

Get the service account token and log in again:

[root@k8s-master k8s-install]# kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep kubernetes-dashboard-token | awk '{print $1}')
Name:         kubernetes-dashboard-token-csmm7
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: kubernetes-dashboard
              kubernetes.io/service-account.uid: cdfe26a2-286c-45de-80f5-f20647d07dfd

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1099 bytes
namespace:  11 bytes
token:      [JWT value omitted]

Now the notification panel no longer shows new warnings, and the dashboard has retrieved the cluster information, e.g. namespaces, Nodes and so on.
