After deploying the Kubernetes dashboard, the first login usually produces a long list of warnings in the notification panel at the top right:

configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "configmaps" in API group "" in the namespace "default"
persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "persistentvolumeclaims" in API group "" in the namespace "default"
secrets is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "secrets" in API group "" in the namespace "default"
services is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "services" in API group "" in the namespace "default"
ingresses.extensions is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "ingresses" in API group "extensions" in the namespace "default"
daemonsets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "daemonsets" in API group "apps" in the namespace "default"
pods is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "pods" in API group "" in the namespace "default"
events is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "events" in API group "" in the namespace "default"
deployments.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "deployments" in API group "apps" in the namespace "default"
replicasets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "replicasets" in API group "apps" in the namespace "default"
jobs.batch is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "jobs" in API group "batch" in the namespace "default"
cronjobs.batch is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "cronjobs" in API group "batch" in the namespace "default"
replicationcontrollers is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "replicationcontrollers" in API group "" in the namespace "default"
statefulsets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "statefulsets" in API group "apps" in the namespace "default"

This is an RBAC permission problem.

At this point the dashboard cannot be used normally: it is empty (the namespace list, for example), and it cannot yet retrieve any cluster information:

Solution:
First create an account, then create a ClusterRole that has all permissions, and bind the two together with a ClusterRoleBinding.

When the YAML file was installed, a service account (serviceaccount) named kubernetes-dashboard was already created. View its details:

[root@k8s-master k8s-install]# kubectl describe serviceaccount/kubernetes-dashboard -n kube-system
Name:                kubernetes-dashboard
Namespace:           kube-system
Labels:              k8s-app=kubernetes-dashboard
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   kubernetes-dashboard-token-csmm7
Tokens:              kubernetes-dashboard-token-csmm7
Events:              <none>

Once a Kubernetes cluster is installed, it automatically generates a number of ClusterRole objects, which can be listed with the following command:

[root@k8s-master k8s-install]# kubectl get clusterroles
NAME                                                                   CREATED AT
admin                                                                  2022-02-18T07:35:48Z
cluster-admin                                                          2022-02-18T07:35:48Z
edit                                                                   2022-02-18T07:35:48Z
flannel                                                                2022-02-18T08:54:43Z
kubeadm:get-nodes                                                      2022-02-18T07:35:50Z
kubernetes-dashboard                                                   2022-06-07T05:37:31Z
system:aggregate-to-admin                                              2022-02-18T07:35:48Z
system:aggregate-to-edit                                               2022-02-18T07:35:48Z
system:aggregate-to-view                                               2022-02-18T07:35:48Z
system:auth-delegator                                                  2022-02-18T07:35:48Z
system:basic-user                                                      2022-02-18T07:35:48Z
system:certificates.k8s.io:certificatesigningrequests:nodeclient       2022-02-18T07:35:48Z
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   2022-02-18T07:35:48Z
system:certificates.k8s.io:kube-apiserver-client-approver              2022-02-18T07:35:48Z
system:certificates.k8s.io:kube-apiserver-client-kubelet-approver      2022-02-18T07:35:48Z
system:certificates.k8s.io:kubelet-serving-approver                    2022-02-18T07:35:48Z
system:certificates.k8s.io:legacy-unknown-approver                     2022-02-18T07:35:48Z
system:controller:attachdetach-controller                              2022-02-18T07:35:48Z
system:controller:certificate-controller                               2022-02-18T07:35:48Z
system:controller:clusterrole-aggregation-controller                   2022-02-18T07:35:48Z
system:controller:cronjob-controller                                   2022-02-18T07:35:48Z
system:controller:daemon-set-controller                                2022-02-18T07:35:48Z
system:controller:deployment-controller                                2022-02-18T07:35:48Z
system:controller:disruption-controller                                2022-02-18T07:35:48Z
system:controller:endpoint-controller                                  2022-02-18T07:35:48Z
system:controller:endpointslice-controller                             2022-02-18T07:35:48Z
system:controller:endpointslicemirroring-controller                    2022-02-18T07:35:48Z
system:controller:ephemeral-volume-controller                          2022-02-18T07:35:48Z
system:controller:expand-controller                                    2022-02-18T07:35:48Z
system:controller:generic-garbage-collector                            2022-02-18T07:35:48Z
system:controller:horizontal-pod-autoscaler                            2022-02-18T07:35:48Z
system:controller:job-controller                                       2022-02-18T07:35:48Z
system:controller:namespace-controller                                 2022-02-18T07:35:48Z
system:controller:node-controller                                      2022-02-18T07:35:48Z
system:controller:persistent-volume-binder                             2022-02-18T07:35:48Z
system:controller:pod-garbage-collector                                2022-02-18T07:35:48Z
system:controller:pv-protection-controller                             2022-02-18T07:35:48Z
system:controller:pvc-protection-controller                            2022-02-18T07:35:48Z
system:controller:replicaset-controller                                2022-02-18T07:35:48Z
system:controller:replication-controller                               2022-02-18T07:35:48Z
system:controller:resourcequota-controller                             2022-02-18T07:35:48Z
system:controller:root-ca-cert-publisher                               2022-02-18T07:35:48Z
system:controller:route-controller                                     2022-02-18T07:35:48Z
system:controller:service-account-controller                           2022-02-18T07:35:48Z
system:controller:service-controller                                   2022-02-18T07:35:48Z
system:controller:statefulset-controller                               2022-02-18T07:35:48Z
system:controller:ttl-after-finished-controller                        2022-02-18T07:35:48Z
system:controller:ttl-controller                                       2022-02-18T07:35:48Z
system:coredns                                                         2022-02-18T07:35:50Z
system:discovery                                                       2022-02-18T07:35:48Z
system:heapster                                                        2022-02-18T07:35:48Z
system:kube-aggregator                                                 2022-02-18T07:35:48Z
system:kube-controller-manager                                         2022-02-18T07:35:48Z
system:kube-dns                                                        2022-02-18T07:35:48Z
system:kube-scheduler                                                  2022-02-18T07:35:48Z
system:kubelet-api-admin                                               2022-02-18T07:35:48Z
system:monitoring                                                      2022-02-18T07:35:48Z
system:node                                                            2022-02-18T07:35:48Z
system:node-bootstrapper                                               2022-02-18T07:35:48Z
system:node-problem-detector                                           2022-02-18T07:35:48Z
system:node-proxier                                                    2022-02-18T07:35:48Z
system:persistent-volume-provisioner                                   2022-02-18T07:35:48Z
system:public-info-viewer                                              2022-02-18T07:35:48Z
system:service-account-issuer-discovery                                2022-02-18T07:35:48Z
system:volume-scheduler                                                2022-02-18T07:35:48Z
view                                                                   2022-02-18T07:35:48Z

Look at the cluster administrator role cluster-admin in detail; the * means all permissions on all resources:

[root@k8s-master k8s-install]# kubectl describe clusterroles cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]

Bind the service account kubernetes-dashboard to the cluster-admin ClusterRole:

[root@k8s-master k8s-install]# cat kubernetes-dashboard-ClusterRoleBinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

Apply it:

[root@k8s-master k8s-install]# kubectl create -f kubernetes-dashboard-ClusterRoleBinding.yaml
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created

Note:
Do not get the apiVersion wrong, otherwise the command fails with the following error:

[root@k8s-master k8s-install]# kubectl create -f kubernetes-dashboard-ClusterRoleBinding.yaml
error: unable to recognize "kubernetes-dashboard-ClusterRoleBinding.yaml": no matches for kind "ClusterRoleBinding" in version "rbac.authorization.k8s.io/v1beta1"

Check that it was created successfully:

[root@k8s-master k8s-install]# kubectl get clusterrolebindings kubernetes-dashboard
NAME                   ROLE                        AGE
kubernetes-dashboard   ClusterRole/cluster-admin   33s
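
The binding above grants every verb on every resource, while the denials at the top of this page name only the list verb on fourteen resources. As an added example (not from the original post), this Python script parses denial messages in that format and emits the ClusterRole rules they actually call for; the role name dashboard-observed-list and the four-message sample are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Denial format shown in the dashboard notification panel on this page.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<ns>[^"]+)"'
)

SA = "system:serviceaccount:kube-system:kubernetes-dashboard"
# Constructed sample: four of the page's denials rebuilt from (resource, group) pairs
# and run together on one line, the way the panel text appears.
SAMPLE = " ".join(
    f'{r}{"." + g if g else ""} is forbidden: User "{SA}" cannot list resource "{r}" '
    f'in API group "{g}" in the namespace "default"'
    for r, g in [("secrets", ""), ("pods", ""), ("deployments", "apps"), ("jobs", "batch")]
)

def parse_denials(text):
    """Return {user: {(api_group, resource): {verbs}}} for each denial in text."""
    needed = defaultdict(lambda: defaultdict(set))
    for m in DENIAL.finditer(text):
        needed[m["user"]][(m["group"], m["resource"])].add(m["verb"])
    return needed

def rules_for(needed_for_user):
    """Merge resources sharing an API group and verb set into PolicyRules (no wildcards)."""
    grouped = defaultdict(set)
    for (group, resource), verbs in needed_for_user.items():
        grouped[(group, tuple(sorted(verbs)))].add(resource)
    return [
        {"apiGroups": [group], "resources": sorted(res), "verbs": list(verbs)}
        for (group, verbs), res in sorted(grouped.items())
    ]

def cluster_role(name, rules):
    """Wrap rules in a ClusterRole manifest; the name is a hypothetical placeholder."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
            "metadata": {"name": name}, "rules": rules}

if __name__ == "__main__":
    for user, needed in parse_denials(SAMPLE).items():
        print(json.dumps(cluster_role("dashboard-observed-list", rules_for(needed)), indent=2))
```

The output is a JSON manifest, which kubectl accepts in place of YAML. Rules derived this way cover only requests that have already been denied, so further verbs appear only after the dashboard has been refused them.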

Get the token and log in again:

[root@k8s-master k8s-install]# kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep kubernetes-dashboard-token | awk '{print $1}')
Name:         kubernetes-dashboard-token-csmm7
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: kubernetes-dashboard
              kubernetes.io/service-account.uid: cdfe26a2-286c-45de-80f5-f20647d07dfd
Type:  kubernetes.io/service-account-token
Data
====
ca.crt:     1099 bytes
namespace:  11 bytes
token:      <token value omitted>

The notification panel now shows no new warnings, and the dashboard has retrieved the cluster information, such as namespaces, Nodes and so on: