Enable Access for Kubernetes Dashboard via external VIP or Floating IP
I have a Kubernetes cluster set up with the following topology.
I have deployed the Kubernetes Dashboard on the cluster and am able to access the dashboard using kubectl proxy.
But when I try to access the dashboard via the floating IP/VIP using the URL:
https://<FloatingIP>:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
I end up with the following response in the browser:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}
I know this problem is due to RBAC on Kubernetes and have done some reading around the topic, but I am still not clear on what needs to be done to solve this on the master-cluster implementation. I was able to successfully expose the Dashboard on a single master - multi-node setup with NodePort access, but it fails in the clustered-master setup.
I am also open to better suggestions for implementing the dashboard in this topology.
Let me know if you need any further information.
You will need to create a clusterrole that grants permissions on kubernetes-dashboard and bind it to the system:anonymous user, as shown below.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-anonymous
rules:
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["https:kubernetes-dashboard:"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-anonymous
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard-anonymous
subjects:
- kind: User
  name: system:anonymous
Edit:
To apply these changes, save them to a .yaml file (e.g. clusterrole.yaml) and run
kubectl apply -f clusterrole.yaml
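As an added example (not code from the question or the answer), the Python below reads the 403 Status body from the question, extracts the access attributes the API server denied, and checks whether a set of RBAC rules, written as Python literals, would have authorized that request. It compares the answer's broad rule with a get-only variant; that the browser only needs "get" through the proxy is an assumption, and the evaluator is a simplified model of kube-apiserver's RBAC matching, not the real authorizer.

```python
import json
import re

# Constructed sample: the 403 Status body from the question, trimmed to the fields used here.
FORBIDDEN_STATUS = json.dumps({
    "kind": "Status", "status": "Failure", "reason": "Forbidden", "code": 403,
    "message": 'services "https:kubernetes-dashboard:" is forbidden: User "system:anonymous" '
               'cannot get resource "services/proxy" in API group "" in the namespace "kube-system"',
    "details": {"name": "https:kubernetes-dashboard:", "kind": "services"},
})

# The resource rule from the answer's ClusterRole, as a Python literal (same content as the YAML).
ANSWER_RULES = [
    {"apiGroups": [""], "resources": ["services/proxy"],
     "resourceNames": ["https:kubernetes-dashboard:"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
]

# Narrower variant (assumption: the dashboard login page only needs GET through the proxy).
GET_ONLY_RULES = [
    {"apiGroups": [""], "resources": ["services/proxy"],
     "resourceNames": ["https:kubernetes-dashboard:"], "verbs": ["get"]},
]

_MSG = re.compile(r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
                  r'in API group "(?P<group>[^"]*)" in the namespace "(?P<ns>[^"]+)"')

def parse_forbidden(status_json):
    """Turn an API-server 403 Status body into the attributes of the denied request."""
    body = json.loads(status_json)
    attrs = _MSG.search(body["message"]).groupdict()
    attrs["name"] = body.get("details", {}).get("name", "")
    return attrs

def rule_allows(rule, verb, group, resource, name):
    """Simplified RBAC check: apiGroups, resources and verbs must match; resourceNames if set."""
    def hit(field, value):
        allowed = rule.get(field, [])
        return "*" in allowed or value in allowed
    if not (hit("apiGroups", group) and hit("resources", resource) and hit("verbs", verb)):
        return False
    names = rule.get("resourceNames")
    return not names or name in names

def allowed(rules, verb, group, resource, name):
    return any(rule_allows(r, verb, group, resource, name) for r in rules)

def check_fix(rules, status_json=FORBIDDEN_STATUS):
    """Would these rules have authorized the request that produced the 403?"""
    a = parse_forbidden(status_json)
    return allowed(rules, a["verb"], a["group"], a["resource"], a["name"])
```

Both rule sets clear the specific 403 from the question; only the answer's version also lets an unauthenticated caller use the other verbs on the proxy subresource, which is what a reviewer would want to see before binding anything to system:anonymous.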