k8s系列--- dashboard认证及分级授权

http://blog.itpub.net/28916011/viewspace-2215214/

因版本不一样,略有改动

 

 Dashboard官方地址: https://github.com/kubernetes/dashboard

dashbord是作为一个pod来运行,需要serviceaccount账号来登录。

先给dashboad创建一个专用的认证信息。

先建立私钥

[root@master ~]# cd /etc/kubernetes/pki/
[root@master pki]# (umask 077; openssl genrsa -out dashboard.key 2048)
Generating RSA private key, 2048 bit long modulus
.............................................................................................................................+++
.................................+++

  

 建立一个证书签署请求:

[root@master pki]# openssl req -new -key dashboard.key  -out dashboard.csr -subj "/O=zhixin/CN=dashboard"

 

下面开始签署证书:

 [root@master pki]# openssl  x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key  -CAcreateserial -out dashboard.crt -days 365
Signature ok
subject=/O=zhixin/CN=dashboard
Getting CA Private Key

  

把上面生成的私钥和证书创建成secret

[root@master pki]# kubectl create secret generic dashboard-cert -n kube-system --from-file=dashboard.crt=./dashboard.crt  --from-file=dashboard.key=./dashboard.key 
secret/dashboard-cert created
[root@master pki]# kubectl get secret -n kube-system |grep dashboard
dashboard-cert                                   Opaque                                2         5m

  

创建一个serviceaccount,因为dashborad需要serviceaccount(pod之间登录验证的用户)验证登录。

 

 

[root@master pki]# kubectl create serviceaccount dashboard-admin -n kube-system
serviceaccount/dashboard-admin created

  

[root@master pki]# kubectl get sa -n kube-system |grep admin
dashboard-admin                      1         23s

  

下面通过clusterrolebinding把dashboard-admin加入到clusterrole里面。

 

[root@master pki]# kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin created

  

      这样serviceaccount 用户dashboard-admin就拥有了管理所有集群的权限。 

 

[root@master pki]# kubectl get secret -n kube-system |grep dashboard
dashboard-admin-token-hfxg9                      kubernetes.io/service-account-token   3         7m

  

[root@master pki]# kubectl describe secret dashboard-admin-token-hfxg9 -n kube-system
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4taGZ4ZzkiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZDBlNmIxMzAtYzM5OC0xMWU4LWJiMzUtMDA1MDU2YTI0ZWNiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.PyE0q9sZl8uDF-KGvpwG3nDfny9i2wdP-24Jf8d5GlWDfaHO3vkEe1zs56K7qkRPvrg-iQ0tVvoVG8SAj2cBKjLYP6oSiQcVS3ax2TyiSG7j5Ibupc1TXKj0Yc4FfcIKu1tMZwtezHdKUDDY7RJ2sp81rYHbJdkjXe-40cITCKcjadSU-6sfNJnq4E4E-bp1LYrBvokUbBW4xkHzruS7QFQAnEZ3v257R_xjXx23NPsqwCH6dx8OWYgIXdtUos7vNjLw8xy-_rO9VEuGRnzni5m9SBdVwEF7edtJh_psZBe7yfGAkgfRPpxbwB_wyyProM-aIn6LL4aekUwBqbwOLQ

  

  上面的token就是serviceaccount用户dashboad-admin的认证令牌。

  下面开始部署dashboard

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
//具体链接还得去git上去参考官方给的提示https://github.com/kubernetes/dashboard
//因我这里一直访问不到gcr,之前通过阿里的代理去获取镜像,不知道这次怎么不行了。
//所以单独把上面的yaml下载下来,然后改了image地址

  

修改了Dashboard Deployment下面的image来源

[root@master dashboard]# cat kubernetes-dashboard.yaml 
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.# ------------------- Dashboard Secret ------------------- #

apiVersion: v1
kind: Secret
metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboard-certsnamespace: kube-system
type: Opaque---
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboardnamespace: kube-system---
# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:name: kubernetes-dashboard-minimalnamespace: kube-system
rules:# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]resources: ["secrets"]verbs: ["create"]# Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]resources: ["configmaps"]verbs: ["create"]# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]resources: ["secrets"]resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]verbs: ["get", "update", "delete"]# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]resources: ["configmaps"]resourceNames: ["kubernetes-dashboard-settings"]verbs: ["get", "update"]# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]resources: ["services"]resourceNames: ["heapster"]verbs: ["proxy"]
- apiGroups: [""]resources: ["services/proxy"]resourceNames: ["heapster", "http:heapster:", "https:heapster:"]verbs: ["get"]---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:name: kubernetes-dashboard-minimalnamespace: kube-system
roleRef:apiGroup: rbac.authorization.k8s.iokind: Rolename: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccountname: kubernetes-dashboardnamespace: kube-system---
# ------------------- Dashboard Deployment ------------------- #

kind: Deployment
apiVersion: apps/v1
metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboardnamespace: kube-system
spec:replicas: 1revisionHistoryLimit: 10selector:matchLabels:k8s-app: kubernetes-dashboardtemplate:metadata:labels:k8s-app: kubernetes-dashboardspec:containers:- name: kubernetes-dashboardimage: mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1imagePullPolicy: IfNotPresentports:- containerPort: 8443protocol: TCPargs:- --auto-generate-certificates# Uncomment the following line to manually specify Kubernetes API server Host# If not specified, Dashboard will attempt to auto discover the API server and connect# to it. Uncomment only if the default does not work.# - --apiserver-host=http://my-address:port
        volumeMounts:- name: kubernetes-dashboard-certsmountPath: /certs# Create on-disk volume to store exec logs- mountPath: /tmpname: tmp-volumelivenessProbe:httpGet:scheme: HTTPSpath: /port: 8443initialDelaySeconds: 30timeoutSeconds: 30volumes:- name: kubernetes-dashboard-certssecret:secretName: kubernetes-dashboard-certs- name: tmp-volumeemptyDir: {}serviceAccountName: kubernetes-dashboard# Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:- key: node-role.kubernetes.io/mastereffect: NoSchedule---
# ------------------- Dashboard Service ------------------- #

kind: Service
apiVersion: v1
metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboardnamespace: kube-system
spec:ports:- port: 443targetPort: 8443selector:k8s-app: kubernetes-dashboard
修改的yaml文件

修改完成之后才apply的

[root@master dashboard]# kubectl apply -f kubernetes-dashboard.yaml 

 

[root@master ~]# kubectl get pods -n kube-system
NAME                                   READY     STATUS    RESTARTS   AGE
kubernetes-dashboard-767dc7d4d-4mq9z   1/1       Running   2          2h

  

[root@master ~]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10    <none>        53/UDP,53/TCP   21d
kubernetes-dashboard   ClusterIP   10.104.8.78   <none>        443/TCP         45m

  

[root@master ~]# kubectl  patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
service/kubernetes-dashboard patched

  

[root@master ~]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10    <none>        53/UDP,53/TCP   21d
kubernetes-dashboard   NodePort    10.104.8.78   <none>        443:31647/TCP   47m

  

 这样我们就可以在集群外部使用31647端口访问dashboard了,ip就使用node master宿主机的ip。 

 用浏览器打开: https://172..16.1.100:31647,并把上面得到的token粘贴到令牌里面进行登录:

 注意,要用火狐浏览器打开,其他浏览器打不开的,是https的    。。。注意注意!!!    

 

    

    上面认证的方法,这个用户能看到所有集群的所有东西,是个超级管理员。下面我们再设置个用户,限定它只能访问default名称空间。

[root@master ~]# kubectl create serviceaccount def-ns-admin -n default
serviceaccount/def-ns-admin created

  

[root@master ~]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin
rolebinding.rbac.authorization.k8s.io/def-ns-admin created

  

[root@master ~]# kubectl get secret
NAME                       TYPE                                  DATA      AGE
admin-token-6jpc5          kubernetes.io/service-account-token   3         1d
def-ns-admin-token-646gx   kubernetes.io/service-account-token   3         2m

  

[root@master ~]# kubectl describe secret def-ns-admin-token-646gx
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi02NDZneCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ODZiOGI2NC1jM2JmLTExZTgtYmIzNS0wMDUwNTZhMjRlY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.MTyQW7Vn_1j9cfmtYAE4CepmLsaMsMfE5VG6xkx4LsfrsKOO2FAo1bQuUtjLtAj52UzC7I0dVqQKpcx1DPxkr8QIpNm37PLE01geQ0C0me7QiRiM9KrFXmDtxUSLlhPBahxg-krlaANEWDKX69nss6qKiFgip7KHM_uP-b1d1caSE8y-zdEtTHK8QJ9reMb-EHG6iPkFpYJ-2guDOUhL5559usR16o2AWoN8yRdcKtnpqwBV_n2UE4m83kLjA30PtYpqraIQp9yTa21jiVlceHZpWxx-HlOEjDE4ekNCe_xTorJ7MbHVTyfqr37o8fh8Gsh-P5_tK-qaDOO7pSMkHA

  

 把上面的token登录到web页面的令牌,登录进去后只能看default名称空间的内容。 

    

    下面我们再用Kubeconf的方法来验证登录试试。

[root@master pki]# cd /etc/kubernetes/pki

  

[root@master pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://172.16.1.100:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf
Cluster "kubernetes" set.

  

[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf 
apiVersion: v1
clusters:
- cluster:certificate-authority-data: REDACTEDserver: https://172.16.1.100:6443name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []

  

[root@master pki]# kubectl get secret
NAME                       TYPE                                  DATA      AGE
admin-token-6jpc5          kubernetes.io/service-account-token   3         1d
def-ns-admin-token-646gx   kubernetes.io/service-account-token   3         33m

  

[root@master pki]# kubectl get secret  def-ns-admin-token-646gx  -o json"token": "ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSmtaV1poZFd4MElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WldOeVpYUXVibUZ0WlNJNkltUmxaaTF1Y3kxaFpHMXBiaTEwYjJ0bGJpMDJORFpuZUNJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZ5ZG1salpTMWhZMk52ZFc1MExtNWhiV1VpT2lKa1pXWXRibk10WVdSdGFXNGlMQ0pyZFdKbGNtNWxkR1Z6TG1sdkwzTmxjblpwWTJWaFkyTnZkVzUwTDNObGNuWnBZMlV0WVdOamIzVnVkQzUxYVdRaU9pSTRPRFppT0dJMk5DMWpNMkptTFRFeFpUZ3RZbUl6TlMwd01EVXdOVFpoTWpSbFkySWlMQ0p6ZFdJaU9pSnplWE4wWlcwNmMyVnlkbWxqWldGalkyOTFiblE2WkdWbVlYVnNkRHBrWldZdGJuTXRZV1J0YVc0aWZRLk1UeVFXN1ZuXzFqOWNmbXRZQUU0Q2VwbUxzYU1zTWZFNVZHNnhreDRMc2Zyc0tPTzJGQW8xYlF1VXRqTHRBajUyVXpDN0kwZFZxUUtwY3gxRFB4a3I4UUlwTm0zN1BMRTAxZ2VRMEMwbWU3UWlSaU05S3JGWG1EdHhVU0xsaFBCYWh4Zy1rcmxhQU5FV0RLWDY5bnNzNnFLaUZnaXA3S0hNX3VQLWIxZDFjYVNFOHktemRFdFRISzhRSjlyZU1iLUVIRzZpUGtGcFlKLTJndURPVWhMNTU1OXVzUjE2bzJBV29OOHlSZGNLdG5wcXdCVl9uMlVFNG04M2tMakEzMFB0WXBxcmFJUXA5eVRhMjFqaVZsY2VIWnBXeHgtSGxPRWpERTRla05DZV94VG9ySjdNYkhWVHlmcXIzN284Zmg4R3NoLVA1X3RLLXFhRE9PN3BTTWtIQQ=="

  

[root@master pki]# DEF_NS_ADMIN_TOKEN=$(kubectl get secret  def-ns-admin-token-646gx  -o jsonpath={.data.token}|base64 -d)

  

[root@master pki]# kubectl config set-credentials def-ns-admin --token=$DEF_NS_ADMIN_TOKEN --kubeconfig=/root/def-ns-admin.conf 
User "def-ns-admin" set.

  

[root@master pki]# kubectl config view  --kubeconfig=/root/def-ns-admin.conf 
apiVersion: v1
clusters:
- cluster:certificate-authority-data: REDACTEDserver: https://172.16.1.100:6443name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users:
- name: def-ns-admin

  

[root@master pki]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf 
Context "def-ns-admin@kubernetes" created.

  

[root@master pki]# kubectl config view  --kubeconfig=/root/def-ns-admin.conf 
apiVersion: v1
clusters:
- cluster:certificate-authority-data: REDACTEDserver: https://172.16.1.100:6443name: kubernetes
contexts:
- context:cluster: kubernetesuser: def-ns-adminname: def-ns-admin@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: def-ns-adminuser:token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi02NDZneCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ODZiOGI2NC1jM2JmLTExZTgtYmIzNS0wMDUwNTZhMjRlY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.MTyQW7Vn_1j9cfmtYAE4CepmLsaMsMfE5VG6xkx4LsfrsKOO2FAo1bQuUtjLtAj52UzC7I0dVqQKpcx1DPxkr8QIpNm37PLE01geQ0C0me7QiRiM9KrFXmDtxUSLlhPBahxg-krlaANEWDKX69nss6qKiFgip7KHM_uP-b1d1caSE8y-zdEtTHK8QJ9reMb-EHG6iPkFpYJ-2guDOUhL5559usR16o2AWoN8yRdcKtnpqwBV_n2UE4m83kLjA30PtYpqraIQp9yTa21jiVlceHZpWxx-HlOEjDE4ekNCe_xTorJ7MbHVTyfqr37o8fh8Gsh-P5_tK-qaDOO7pSMkHA

  

[root@master pki]# kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf 
Switched to context "def-ns-admin@kubernetes".

  

[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf 
apiVersion: v1
clusters:
- cluster:certificate-authority-data: REDACTEDserver: https://172.16.1.100:6443name: kubernetes
contexts:
- context:cluster: kubernetesuser: def-ns-adminname: def-ns-admin@kubernetes
current-context: def-ns-admin@kubernetes
kind: Config
preferences: {}
users:
- name: def-ns-adminuser:token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi02NDZneCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ODZiOGI2NC1jM2JmLTExZTgtYmIzNS0wMDUwNTZhMjRlY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.MTyQW7Vn_1j9cfmtYAE4CepmLsaMsMfE5VG6xkx4LsfrsKOO2FAo1bQuUtjLtAj52UzC7I0dVqQKpcx1DPxkr8QIpNm37PLE01geQ0C0me7QiRiM9KrFXmDtxUSLlhPBahxg-krlaANEWDKX69nss6qKiFgip7KHM_uP-b1d1caSE8y-zdEtTHK8QJ9reMb-EHG6iPkFpYJ-2guDOUhL5559usR16o2AWoN8yRdcKtnpqwBV_n2UE4m83kLjA30PtYpqraIQp9yTa21jiVlceHZpWxx-HlOEjDE4ekNCe_xTorJ7MbHVTyfqr37o8fh8Gsh-P5_tK-qaDOO7pSMkHA

  

   这时候/root/def-ns-admin.conf文件就可以用在dashboard中,把这个文件拉下来。用它进行登录了。

总结

     1、部署: 

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

  

   2、将service改为NodePort: 

 kubectl  patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system

  

 3、认证: 

        认证时的账户必须为ServiceAccount:作用是被dashboard pod拿来由kubernetes进行认证。 

        第一种:token方式认证: 

            a) 创建serviceaccount,根据其管理目标,使用rolebinding或者clusterrolebinding绑定至合理role或者clusterrole; 

            b)获取到此serviceAccount的secret,查看secret的详细信息,其中就有token,粘贴到web界面的令牌里面 

        第二种: kubeconfig方式认证: 把serviceaccount的token封装为kubeconfig文件。 

            a) 创建serviceaccount,根据其管理目标,使用rolebinding或者clusterrolebinding绑定至合理role或者clusterrole;

            b)

        kubect get secret | awk '/^ServiceAccountName/{print $1}'

       KUBE_TOKEN=DEF_NS_ADMIN_TOKEN=$(kubectl get secret  SERVICEACCOUNT_SERCRET_NAME -o jsonpath={.data.token}|base64 -d)

            c) 生成kubeconfig文件 

            kubectl config set-cluster --kubeconfig=/PATH/TO/SOMEFILE 

            kubectl config set-credentials NAME --token=$KUBE_TOKEN --kubeconfig=/PATH/TO/SOMEFILE

            kubctl config set-context 

            kubectl config use-context 

 

kubernetes集群的管理方式

    1、命令式:create,run,expose,delete,edit.... 

    2、命令式配置文件:create -f /PATH/TO/RESOURCE_CONFIGURATION_FILE,delete -f,replace -f  

    3、声明式配置文件:apply -f,patch, 

    一般建议不要混合使用上面三种方式。建议使用apply和patch这样的命令。 

 

转载于:https://www.cnblogs.com/dribs/p/10314990.html

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/news/387536.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

JAVA项目开发

16年java软件开发经验&#xff0c;全职项目开发&#xff0c;项目可签合同、开普票和专票。 主要承接项目&#xff1a; 1、网站开发项目 自主开发千帆CMS动态发布系统&#xff0c;基于java/springboot2/jpa/easyui开发&#xff0c;简单易用&#xff0c;后台与前端分离&#xff0…

unity3d 任务头上的血条

人物的名称与血条的绘制方法很简单&#xff0c;但是我们需要解决的问题是如何在3D世界中寻找合适的坐标。因为3D世界中的人物是会移动的&#xff0c;它是在3D世界中移动&#xff0c;并不是在2D平面中移动&#xff0c;但是我们需要将3D的人物坐标换算成2D平面中的坐标&#xff0…

unity3d 预制体

首先要说明一下什么是预制体&#xff1f; 在Unity3D里面我们叫它Prefab&#xff1b;我们也可以这样理解&#xff1a;当制作好了游戏组件&#xff08;场景中的任意一个gameobject &#xff09;,我们希望将它制作成一个组件模版&#xff0c;用于批量的套用工作&#xff0c;例如说…

Python小数据池,代码块

今日内容一些小的干货 一. id is 二. 代码块三. 小数据池四. 总结python小数据池&#xff0c;代码块的最详细、深入剖析 一. id is 二. 代码块三. 小数据池四. 总结一&#xff0c;id&#xff0c;is&#xff0c; 在Python中&#xff0c;id是什么&#xff1f;id是内存地址…

【Wax】使用Wax (framework方式,XCode 4.6)

前情提示&#xff1a;【Wax】使用Wax &#xff08;非framework方式&#xff0c;XCode 4.6&#xff09; 这次&#xff0c;将以framework的方式来使用Wax 那么&#xff0c;让我们开始吧&#xff01;&#xff01;&#xff01; 准备工作&#xff1a; 下载wax.framework&#xff1a;…

unity3d 简单动画

1&#xff0c;动画系统配置 创建游戏对象并添加Animation组件&#xff0c;然后将动画文件拖入组件。 进入动画文件的Debug属性面板 选中Legacy属性 选中游戏对象&#xff0c;打开Animation编辑窗口 添加动画变化属性 需改关键帧的属性值 配置完成后运行即可得到动画效果 2&…

3dmax导出到unity3d下分割动画

1、在3dmax 导出时候&#xff0c;要导出FBX文件&#xff0c;同时包含动画&#xff0c;骨骼&#xff0c;皮肤等内容 2、把FBX文件导入到Unity3d后会默认有一个超长的大动画&#xff0c;就是一个整体的动画&#xff0c;如图Take001&#xff0c;这个时候要分割哪部分是跑&#xf…

Unity3d之AssetBundle打包与读取

一、创建Assetbundle 在unity3d开发的游戏中&#xff0c;无论模型&#xff0c;音频&#xff0c;还是图片等&#xff0c;我们都做成Prefab&#xff0c;然后打包成Assetbundle&#xff0c;方便我们后面的使用&#xff0c;来达到资源的更新。 一个Assetbundle可以打包一个模型&…

unity3d 各个目录的意思

1.首先&#xff0c;你得理解Unity中各个目录的意思&#xff1f; 我这里说的是移动平台&#xff08;安卓举例&#xff09;&#xff0c;读&#xff0c;写。所谓读&#xff0c;就是你出大版本的包之后&#xff0c;这个只读的话&#xff0c;就一辈子就这些东西了&#xff0c;不会改…

asp.net core根据用户权限控制页面元素的显示

asp.net core根据用户权限控制页面元素的显示 Intro 在 web 应用中我们经常需要根据用户的不同允许用户访问不同的资源&#xff0c;显示不同的内容&#xff0c;之前做了一个 AccessControlHelper 的项目&#xff0c;就是解决这个问题的。 asp.net core 支持 TagHelper 和 基于 …

Java面向对象(二)

source:http://blog.java1234.com/index.html?typeId1 Java类的继承 1&#xff0c;继承定义以及基本使用 定义&#xff1a;子类能够继承父类的属性和方法&#xff1b; 注意点&#xff1a;Java中只支持单继承&#xff1b; 私有方法不能继承&#xff1b; 2&#xff0c;方法重写 …

游戏通讯方式

农药自从上线以来&#xff0c;依靠着强大的产品力以及腾讯的运营能力&#xff0c;在游戏市场上表现可谓是风生水起&#xff0c;根据第三方的调研数据显示&#xff0c;《王者荣耀》渗透率达到22.3%&#xff0c;用户规模达到2.01亿人&#xff0c;每日的日活跃用户&#xff08;DAU…

小小c#算法题 - 3 - 字符串语句反转

题目&#xff1a;反转语句。 如I love Beijing! 反转后输出 !Beijing love I 特点是指反转单词的顺序&#xff0c;其他字符&#xff08;这个可以自己指定&#xff09;不反转。且不能用内置函数&#xff0c;如Split和Substring。 分析&#xff1a;我们需要保证一个单词的字…

unity5.4.3p2里面的AssetBundle打包流程

unity5.4.3p2里面的AssetBundle打包流程&#xff0c;相比之前unity4.x的打包简单了许多&#xff0c;Unity4.X中打包的时候需要自己去管理依赖关系&#xff0c;各种BuildPipeline.PushAssetDependencies()和BuildPipeline.PopAssetDependencies()&#xff0c;一不小心手一抖&…

主成分分析(PCA)原理详解 2016/12/17 · IT技术 · 主成分分析, 数学 分享到: 21 原文出处: 中科春哥 一、PCA简介 1. 相关背景 主成分分析(Principa

主成分分析&#xff08;PCA&#xff09;原理详解 2016/12/17 IT技术 主成分分析, 数学 分享到&#xff1a;21原文出处&#xff1a; 中科春哥 一、PCA简介 1. 相关背景 主成分分析&#xff08;Principal Component Analysis&#xff0c;PCA&#xff09;&#xff0c; 是一种统…

【Tensorflow】 Object_detection之训练PASCAL VOC数据集

参考&#xff1a;Running Locally 1、检查数据、config文件是否配置好 可参考之前博客&#xff1a; Tensorflow Object_detection之配置Training Pipeline Tensorflow Object_detection之准备数据生成TFRecord 2、训练模型 PIPELINE_CONFIG_PATH/data/zxx/models/research/date…

R文件报错的原因

一般R文件报错&#xff0c;无非是资源文件错误&#xff0c;图片命名错误&#xff0c;但是编译都会报错&#xff0c;可以很快解决。但是前几天&#xff0c;引入一个第三方aar包后&#xff0c;项目编译正确&#xff0c;但是就是R文件报错&#xff0c;找不到R文件&#xff0c;整个…

[转]Excel数据转化为sql脚本

在实际项目开发中&#xff0c;有时会遇到客户让我们把大量Excel数据导入数据库的情况。这时我们就可以通过将Excel数据转化为sql脚本来批量导入数据库。 1 在数据前插入一列单元格&#xff0c;用来拼写sql语句。 具体写法&#xff1a;"insert into t_student (id,name,age…

void Update ( ) 更新 void FixedUpdate ( )

void Update ( ) 更新 void FixedUpdate ( ) 固定更新 相同点&#xff1a;当MonoBehaviour启用时&#xff0c;其在每一帧被调用&#xff0c;都是用来更新的。 异同点&#xff1a;第一点不同&#xff1a; Update()每一帧的时间不固定&#xff0c;即第一帧与第二帧的时间间隔t…

【点分治】luoguP2664 树上游戏

应该是一道中等难度的点分&#xff1f;麻烦在一些细节。 题目描述 lrb有一棵树&#xff0c;树的每个节点有个颜色。给一个长度为n的颜色序列&#xff0c;定义s(i,j) 为i 到j 的颜色数量。以及 现在他想让你求出所有的sum[i] 输入输出格式 输入格式&#xff1a; 第一行为一个整数…