Memo: fixing problems displaying the Kubernetes dashboard

Symptom: running kubectl apply on kubernetes-dashboard.yaml fails with an error

The error concerns the permissions granted by the kubernetes-dashboard-minimal role.

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
secret "kubernetes-dashboard-certs" created
serviceaccount "kubernetes-dashboard" created
rolebinding.rbac.authorization.k8s.io "kubernetes-dashboard-minimal" created
deployment.apps "kubernetes-dashboard" created
service "kubernetes-dashboard" created
Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml": roles.rbac.authorization.k8s.io "kubernetes-dashboard-minimal" is forbidden: attempt to grant extra privileges: [PolicyRule{APIGroups:[""], Resources:["secrets"],
:
:
Got error: exit status 1

Solution: bind your own account (the Google account e-mail) to the cluster-admin ClusterRole.

$ kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole cluster-admin --user $(gcloud config get-value account)
clusterrolebinding.rbac.authorization.k8s.io/cluster-admin-binding created

Reference: https://github.com/kubernetes/dashboard/issues/2415#issuecomment-391648932

Symptom: the dashboard opens, but it cannot access any resources.


Error messages

configmaps is forbidden: User "system:serviceaccount:kube-system:deployment-controller" cannot list configmaps in the namespace "default"
persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:deployment-controller" cannot list persistentvolumeclaims in the namespace "default"

Solution: create a service account with cluster-admin privileges and log in to the dashboard with its token.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
# Apply the manifest above (saved as add-admin-user.yaml)
$ kubectl create -f add-admin-user.yaml

# Find the NAME of the generated token secret
$ kubectl get secrets -n kube-system | grep admin-user
admin-user-token-rr88x                           kubernetes.io/service-account-token   3      4h

# Describe that secret to read the token
$ kubectl describe secret admin-user-token-rr88x -n kube-system
Name:         admin-user-token-rr88x
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin-user
              kubernetes.io/service-account.uid: ef10a79f-XXXX-11e9-a17f-42010X92005e

Type:  kubernetes.io/service-account-token

Data
====
namespace:  11 bytes
token:      eyJhbGciXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx

Log in to the dashboard with this token.


See also: https://qiita.com/sugimount/items/689b7cd172c7eaf1235f

Note: the admin-user token can be fetched in a single command:

$ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | awk '/^admin-user-token-/{print $1}') | awk '$1=="token:"{print $2}'
eyJhbGciXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
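The token obtained above carries cluster-admin rights, so it is worth confirming that the string you are about to paste into the dashboard really is the admin-user token from kube-system rather than some other secret picked up by the grep/awk filter. The following is an added example (not part of this memo): it extracts the token from `kubectl describe secret` output the same way the awk filter does, then decodes the JWT payload and checks the namespace and service-account claims that legacy secret-based service-account tokens carry. It does not verify the signature, so it is only a sanity check, and the sample token is constructed with a dummy signature.

```python
import base64
import json

# Constructed sample: the tail of `kubectl describe secret admin-user-token-xxxxx -n kube-system`,
# with {token} standing in for the real JWT.
DESCRIBE_OUTPUT = """Type:  kubernetes.io/service-account-token

Data
====
namespace:  11 bytes
token:      {token}
"""

def b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(namespace, sa_name):
    """Build a structurally valid SA token (constructed; dummy signature, never trusted)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": sa_name,
    }).encode())
    return f"{header}.{payload}.{b64url_encode(b'dummy-signature')}"

def extract_token(describe_output):
    """Return the value of the `token:` line, as the awk '$1=="token:"' filter does."""
    for line in describe_output.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] == "token:":
            return fields[1]
    raise ValueError("no token: line found in describe output")

def token_subject(token):
    """Return (namespace, service-account name) from the unverified JWT payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    return (claims["kubernetes.io/serviceaccount/namespace"],
            claims["kubernetes.io/serviceaccount/service-account.name"])

def token_matches(token, namespace="kube-system", sa_name="admin-user"):
    """True only if the token was issued for the expected service account."""
    return token_subject(token) == (namespace, sa_name)
```

Run `token_matches(extract_token(output))` on the real describe output before using the token; a False result means the filter picked up the wrong secret.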