Which token to use for kubernetes-dashboard login with Google Cloud Platform
I am using Google Cloud Platform and Kubernetes.
I am trying to figure out which token I should use to log in to the dashboard with enough permissions to do what I want to do.
I created a 3-node Kubernetes 1.8.6 cluster on Google Cloud Platform.
My developer desktop is a Mac Pro (late 2013) running macOS High Sierra 10.13.2, with google-cloud-sdk and kubernetes-cli installed from Homebrew.
~ ❯❯❯ kubectl version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.1", GitCommit:"3a1c9449a956b6026f075fa3134ff92f7d55f812", GitTreeState:"clean", BuildDate:"2018-01-04T20:00:41Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"8+", GitVersion:"v1.8.6-gke.0", GitCommit:"ee9a97661f14ee0b1ca31d6edd30480c89347c79", GitTreeState:"clean", BuildDate:"2018-01-05T03:36:42Z", GoVersion:"go1.8.3b4", Compiler:"gc", Platform:"linux/amd64"}
and
~ ❯❯❯ gcloud version
Google Cloud SDK 184.0.0
bq 2.0.28
core 2018.01.05
gsutil 4.28
I read in the docs that creating an admin user for the dashboard is not secure, and unfortunately all the permissions around the dashboard pod confuse me a bit.
When I run
kubectl get secrets -n kube-system
and decode one of the tokens with
kubectl get secret <TOKEN_NAME> -n=kube-system -o json | jq -r '.data["token"]' | base64 -D > user_token.txt
and use it to log in through the kubectl web proxy I started with
kubectl proxy
I get lots of permission errors when I try to view any page in the dashboard web UI. I'm probably not using the right token... or I need to create a new one.
Is there a way to see a token's permissions so that I know beforehand what I'm actually trying to log in with?
Update
So I ran kubectl to list all the secret tokens in the kube-system namespace:
~ ❯❯❯ kubectl get secrets -n kube-system
NAME                                      TYPE                                  DATA  AGE
attachdetach-controller-token-4pp92       kubernetes.io/service-account-token   3     10m
certificate-controller-token-bqnjp        kubernetes.io/service-account-token   3     10m
cloud-provider-token-ltbnh                kubernetes.io/service-account-token   3     10m
cronjob-controller-token-84cl9            kubernetes.io/service-account-token   3     10m
daemon-set-controller-token-ncz5r         kubernetes.io/service-account-token   3     10m
default-token-fpmht                       kubernetes.io/service-account-token   3     10m
deployment-controller-token-4xc8k         kubernetes.io/service-account-token   3     10m
disruption-controller-token-9gdqg         kubernetes.io/service-account-token   3     10m
endpoint-controller-token-gr29m           kubernetes.io/service-account-token   3     10m
event-exporter-sa-token-6klz5             kubernetes.io/service-account-token   3     10m
fluentd-gcp-token-s2kk4                   kubernetes.io/service-account-token   3     10m
generic-garbage-collector-token-tqbqz     kubernetes.io/service-account-token   3     10m
heapster-token-7pgmr                      kubernetes.io/service-account-token   3     10m
horizontal-pod-autoscaler-token-74v57     kubernetes.io/service-account-token   3     10m
job-controller-token-2skhj                kubernetes.io/service-account-token   3     10m
kube-dns-autoscaler-token-wc9gz           kubernetes.io/service-account-token   3     10m
kube-dns-token-nx2tf                      kubernetes.io/service-account-token   3     10m
kubernetes-dashboard-certs                Opaque                                0     10m
kubernetes-dashboard-key-holder           Opaque                                2     9m
kubernetes-dashboard-token-zxp7n          kubernetes.io/service-account-token   3     10m
namespace-controller-token-tz54r          kubernetes.io/service-account-token   3     10m
node-controller-token-m2w7k               kubernetes.io/service-account-token   3     10m
persistent-volume-binder-token-6sfkt      kubernetes.io/service-account-token   3     10m
pod-garbage-collector-token-zqxhd         kubernetes.io/service-account-token   3     10m
replicaset-controller-token-8n6b7         kubernetes.io/service-account-token   3     10m
replication-controller-token-nb2tw        kubernetes.io/service-account-token   3     10m
resourcequota-controller-token-blhfg      kubernetes.io/service-account-token   3     10m
route-controller-token-c5ns6              kubernetes.io/service-account-token   3     10m
service-account-controller-token-zptxc    kubernetes.io/service-account-token   3     10m
service-controller-token-75hht            kubernetes.io/service-account-token   3     10m
statefulset-controller-token-fhpk8        kubernetes.io/service-account-token   3     10m
ttl-controller-token-5vwln                kubernetes.io/service-account-token   3     10m
Then I ran
kubectl get secret kubernetes-dashboard-token-zxp7n -n=kube-system -o json | jq -r '.data["token"]' | base64 -D > user_token.txt
and logged in with that token.
After logging in I got the following messages:
configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list configmaps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list persistentvolumeclaims in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
secrets is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list secrets in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
services is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list services in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
ingresses.extensions is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list ingresses.extensions in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
daemonsets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list daemonsets.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
pods is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list pods in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
events is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list events in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
deployments.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list deployments.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
replicasets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list replicasets.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
jobs.batch is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list jobs.batch in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
cronjobs.batch is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list cronjobs.batch in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
replicationcontrollers is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list replicationcontrollers in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
statefulsets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list statefulsets.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
Any ideas?
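The question asks how to know what a token is before logging in with it. As an added example (not from the question or any of the answers), this Python script decodes the claims of a service-account JWT offline to show which identity the API server will see, parses the dashboard's "forbidden" warnings into the verbs and resources that were denied, and turns them into kubectl auth can-i checks you can run with the token before using it in the dashboard. The token and warning lines are constructed samples; the generated commands assume the current kubeconfig context already points at the cluster.

```python
import base64
import json
import re
SA_PREFIX = "kubernetes.io/serviceaccount/"
# Shape of the "X is forbidden" warnings the dashboard showed in the question.
FORBIDDEN_RE = re.compile(
    r'^(?P<resource>[\w.]+) is forbidden: User "(?P<user>[^"]+)" '
    r'cannot (?P<verb>\w+) (?P=resource) in the namespace "(?P<ns>[^"]+)"')

def _b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def identity_from_token(token):
    """Decode SA JWT claims WITHOUT verifying; shows the identity the API server will see, not validity."""
    _header, payload, _signature = token.strip().split(".")
    claims = json.loads(_b64url_decode(payload))
    ns = claims.get(SA_PREFIX + "namespace")
    name = claims.get(SA_PREFIX + "service-account.name")
    return {"namespace": ns, "service_account": name,
            "secret": claims.get(SA_PREFIX + "secret.name"),
            "subject": claims.get("sub", f"system:serviceaccount:{ns}:{name}")}

def parse_forbidden(messages):
    """Turn dashboard 'X is forbidden' warnings into (verb, resource, namespace)."""
    matches = (FORBIDDEN_RE.match(line.strip()) for line in messages)
    return [(m["verb"], m["resource"], m["ns"]) for m in matches if m]

def can_i_commands(token_file, missing):
    """Build 'kubectl auth can-i' checks to run with the token before logging in."""
    return [f'kubectl --token="$(cat {token_file})" auth can-i {verb} {res} -n {ns}'
            for verb, res, ns in missing]

def _sample_token():
    """Constructed sample token with the legacy SA claim names; the signature is fake."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    claims = {"iss": "kubernetes/serviceaccount", SA_PREFIX + "namespace": "kube-system",
              SA_PREFIX + "secret.name": "kubernetes-dashboard-token-zxp7n",
              SA_PREFIX + "service-account.name": "kubernetes-dashboard",
              "sub": "system:serviceaccount:kube-system:kubernetes-dashboard"}
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "fakesig"])

SAMPLE_TOKEN = _sample_token()
SAMPLE_WARNINGS = [  # two of the question's warnings, constructed inline
    'configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" '
    'cannot list configmaps in the namespace "default": Unknown user "..."',
    'pods is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" '
    'cannot list pods in the namespace "default": Unknown user "..."',
]
```

Decoding the claims only tells you whose identity the token carries; whether that identity may list pods is decided by the cluster's authorizer, which is what the generated can-i commands ask.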
All the secrets in the kube-system namespace have full access.
You can create a new secret; you need to grant it access, see this.
I had the same problem - in my case the solution was to take the access token from kubectl config view:
[...]
users:
- name: <YOUR CLUSTER NAME>
  user:
    auth-provider:
      config:
        access-token: <YOUR ACCESS TOKEN>
        cmd-args: config config-helper --format=json
        cmd-path: /usr/local/lib/google-cloud-sdk/bin/gcloud
        expiry: 2018-02-12T13:36:51Z
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp
[...]
after connecting to the cluster with gcloud container clusters get-credentials.
Use the following command to get the access token for the current-context:
kubectl config view | grep -A10 "name: $(kubectl config current-context)" | awk '$1=="access-token:"{print $2}'
A more robust alternative is to use jsonpath:
kubectl config view -o jsonpath="{.users[?(@.name == \"$(kubectl config current-context)\")].user.auth-provider.config.access-token}"
gcloud does not put the credentials into the kubeconfig but keeps them in its own file.
With GKE you can get a token for your GCloud account - much better than repurposing one from a service account.
Assuming you have jq installed, you can get your personal access token like this:
gcloud container clusters get-credentials <GKE cluster name> --zone <zone> --project <project>
gcloud config config-helper --format=json | jq .credential.access_token