Question:

Token for logging in to kubernetes-dashboard on Google Cloud Platform

杜河
2023-03-14

I'm using Google Cloud Platform and Kubernetes.

I'm trying to figure out which token I should use to log in to the dashboard with enough permissions to do whatever I want.

I created a 3-node Kubernetes 1.8.6 cluster on Google Cloud Platform.

My developer desktop is a Mac Pro (late 2013) running macOS High Sierra 10.13.2, with the Google Cloud SDK and the Kubernetes CLI installed.

~ ❯❯❯ kubectl version                                                                                                         ✘ 1
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.1", GitCommit:"3a1c9449a956b6026f075fa3134ff92f7d55f812", GitTreeState:"clean", BuildDate:"2018-01-04T20:00:41Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"8+", GitVersion:"v1.8.6-gke.0", GitCommit:"ee9a97661f14ee0b1ca31d6edd30480c89347c79", GitTreeState:"clean", BuildDate:"2018-01-05T03:36:42Z", GoVersion:"go1.8.3b4", Compiler:"gc", Platform:"linux/amd64"}

~ ❯❯❯ gcloud version
Google Cloud SDK 184.0.0
bq 2.0.28
core 2018.01.05
gsutil 4.28

I read in the docs that creating an admin user for the dashboard is insecure; unfortunately, the permissions of the dashboard pod are a bit confusing to me.

When I run kubectl get secrets -n kube-system and decode one of the tokens with kubectl get secret,

and then log in through the kubectl web proxy. I start with the command kubectl proxy, and when I try to view any page in the dashboard web UI I get a lot of permission errors. I'm probably not using the right token... or I need to create a new token.

Is there a way to view a token's permissions, so that I know what I'm logging in with before I log in?

So I ran kubectl to get all the secret tokens in the kube-system namespace:

~ ❯❯❯ kubectl get secrets -n kube-system
NAME                                     TYPE                                  DATA      AGE
attachdetach-controller-token-4pp92      kubernetes.io/service-account-token   3         10m
certificate-controller-token-bqnjp       kubernetes.io/service-account-token   3         10m
cloud-provider-token-ltbnh               kubernetes.io/service-account-token   3         10m
cronjob-controller-token-84cl9           kubernetes.io/service-account-token   3         10m
daemon-set-controller-token-ncz5r        kubernetes.io/service-account-token   3         10m
default-token-fpmht                      kubernetes.io/service-account-token   3         10m
deployment-controller-token-4xc8k        kubernetes.io/service-account-token   3         10m
disruption-controller-token-9gdqg        kubernetes.io/service-account-token   3         10m
endpoint-controller-token-gr29m          kubernetes.io/service-account-token   3         10m
event-exporter-sa-token-6klz5            kubernetes.io/service-account-token   3         10m
fluentd-gcp-token-s2kk4                  kubernetes.io/service-account-token   3         10m
generic-garbage-collector-token-tqbqz    kubernetes.io/service-account-token   3         10m
heapster-token-7pgmr                     kubernetes.io/service-account-token   3         10m
horizontal-pod-autoscaler-token-74v57    kubernetes.io/service-account-token   3         10m
job-controller-token-2skhj               kubernetes.io/service-account-token   3         10m
kube-dns-autoscaler-token-wc9gz          kubernetes.io/service-account-token   3         10m
kube-dns-token-nx2tf                     kubernetes.io/service-account-token   3         10m
kubernetes-dashboard-certs               Opaque                                0         10m
kubernetes-dashboard-key-holder          Opaque                                2         9m
kubernetes-dashboard-token-zxp7n         kubernetes.io/service-account-token   3         10m
namespace-controller-token-tz54r         kubernetes.io/service-account-token   3         10m
node-controller-token-m2w7k              kubernetes.io/service-account-token   3         10m
persistent-volume-binder-token-6sfkt     kubernetes.io/service-account-token   3         10m
pod-garbage-collector-token-zqxhd        kubernetes.io/service-account-token   3         10m
replicaset-controller-token-8n6b7        kubernetes.io/service-account-token   3         10m
replication-controller-token-nb2tw       kubernetes.io/service-account-token   3         10m
resourcequota-controller-token-blhfg     kubernetes.io/service-account-token   3         10m
route-controller-token-c5ns6             kubernetes.io/service-account-token   3         10m
service-account-controller-token-zptxc   kubernetes.io/service-account-token   3         10m
service-controller-token-75hht           kubernetes.io/service-account-token   3         10m
statefulset-controller-token-fhpk8       kubernetes.io/service-account-token   3         10m
ttl-controller-token-5vwln               kubernetes.io/service-account-token   3         10m

Then I executed

kubectl get secret kubernetes-dashboard-token-zxp7n -n=kube-system -o json | jq -r '.data["token"]' | base64 -D > user_token.txt

and logged in with that token.

After logging in, I got the following messages:

configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list configmaps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list persistentvolumeclaims in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
secrets is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list secrets in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
services is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list services in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
ingresses.extensions is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list ingresses.extensions in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
daemonsets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list daemonsets.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
pods is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list pods in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
events is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list events in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
deployments.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list deployments.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
replicasets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list replicasets.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
jobs.batch is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list jobs.batch in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
cronjobs.batch is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list cronjobs.batch in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
replicationcontrollers is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list replicationcontrollers in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
statefulsets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list statefulsets.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"

Any idea why?
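The question above asks how to tell what a token is and what it may do before logging in. The following is an added example (not from the original post or from the Kubernetes project) that reads the identity a service-account token claims, without verifying it, and then builds the kubectl auth can-i check that answers the "cannot list pods in the namespace default" errors ahead of time. The sample token, its claims and the helper names are constructed for this example.

```python
import base64
import json
import shlex

# Constructed sample claims. A legacy Kubernetes service-account token is a JWT
# (header.payload.signature); the 'sub' claim is the user name the API server
# reports in the "forbidden" errors shown in the question.
_SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/secret.name": "kubernetes-dashboard-token-zxp7n",
    "kubernetes.io/serviceaccount/service-account.name": "kubernetes-dashboard",
    "sub": "system:serviceaccount:kube-system:kubernetes-dashboard",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(claims: dict = _SAMPLE_CLAIMS) -> str:
    """Constructed, unsigned token used only to demonstrate inspection."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_token_claims(token: str) -> dict:
    """Return the claims of a JWT-shaped token. The signature is NOT checked:
    this shows what identity the token claims, not that the token is valid."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT-shaped token (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_identity(token: str) -> str:
    """User name the API server will see for this token (the 'sub' claim)."""
    sub = decode_token_claims(token).get("sub")
    if not sub:
        raise ValueError("token carries no 'sub' claim")
    return sub


def can_i_command(subject: str, verb: str, resource: str, namespace: str = "default") -> str:
    """kubectl check to run BEFORE logging in: impersonate the token's subject
    and ask whether it may perform the verb on the resource in the namespace."""
    args = ["kubectl", "auth", "can-i", verb, resource, "--as=" + subject, "-n", namespace]
    return " ".join(shlex.quote(a) for a in args)
```

Running the printed command against the cluster answers "no" for the dashboard service account in the question, which is exactly what the dashboard later reports as "forbidden".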


3 answers

陈富
2023-03-14

I ran into the same problem; in my case the solution was to take the access token from kubectl config view:

[...]
users:
- name: <YOUR CLUSTER NAME>
  user:
    auth-provider:
      config:
        access-token: <YOUR ACCESS TOKEN>
        cmd-args: config config-helper --format=json
        cmd-path: /usr/local/lib/google-cloud-sdk/bin/gcloud
        expiry: 2018-02-12T13:36:51Z
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp
[...]
刘焱
2023-03-14

gcloud doesn't put the credentials into the kubeconfig; it keeps them in its own files.

With GKE you can get a token for your gcloud account, which is much better than reusing a token from a service account.

Assuming you have jq installed, you can get your personal access token like this:

gcloud container clusters get-credentials <GKE cluster name> --zone <zone> --project <project>
gcloud config config-helper --format=json | jq .credential.access_token
诸腾
2023-03-14

After connecting to the cluster with gcloud container clusters get-credentials, use the following command to get the access token for the current context:

kubectl config view | grep -A10 "name: $(kubectl config current-context)" | awk '$1=="access-token:"{print $2}'