After deploying the K8S dashboard, the first login usually shows a long list of warnings in the notification panel in the top-right corner:
configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "configmaps" in API group "" in the namespace "default"
persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "persistentvolumeclaims" in API group "" in the namespace "default"
secrets is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "secrets" in API group "" in the namespace "default"
services is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "services" in API group "" in the namespace "default"
ingresses.extensions is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "ingresses" in API group "extensions" in the namespace "default"
daemonsets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "daemonsets" in API group "apps" in the namespace "default"
pods is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "pods" in API group "" in the namespace "default"
events is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "events" in API group "" in the namespace "default"
deployments.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "deployments" in API group "apps" in the namespace "default"
replicasets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "replicasets" in API group "apps" in the namespace "default"
jobs.batch is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "jobs" in API group "batch" in the namespace "default"
cronjobs.batch is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "cronjobs" in API group "batch" in the namespace "default"
replicationcontrollers is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "replicationcontrollers" in API group "" in the namespace "default"
statefulsets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "statefulsets" in API group "apps" in the namespace "default"
This is an RBAC permissions problem.
At this point the dashboard is not yet usable: it is empty (the namespace list, for example) and cannot fetch any cluster information:
Solution:
First create an account, then create a ClusterRole with full permissions, and bind the two together with a ClusterRoleBinding.
When the YAML file was installed, a service account named kubernetes-dashboard was already created; view its details:
[root@k8s-master k8s-install]# kubectl describe serviceaccount/kubernetes-dashboard -n kube-system
Name: kubernetes-dashboard
Namespace: kube-system
Labels: k8s-app=kubernetes-dashboard
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: kubernetes-dashboard-token-csmm7
Tokens: kubernetes-dashboard-token-csmm7
Events: <none>
After a Kubernetes cluster is installed, a number of ClusterRole (cluster-wide permission) objects are generated automatically; they can be listed with the following command:
[root@k8s-master k8s-install]# kubectl get clusterroles
NAME CREATED AT
admin 2022-02-18T07:35:48Z
cluster-admin 2022-02-18T07:35:48Z
edit 2022-02-18T07:35:48Z
flannel 2022-02-18T08:54:43Z
kubeadm:get-nodes 2022-02-18T07:35:50Z
kubernetes-dashboard 2022-06-07T05:37:31Z
system:aggregate-to-admin 2022-02-18T07:35:48Z
system:aggregate-to-edit 2022-02-18T07:35:48Z
system:aggregate-to-view 2022-02-18T07:35:48Z
system:auth-delegator 2022-02-18T07:35:48Z
system:basic-user 2022-02-18T07:35:48Z
system:certificates.k8s.io:certificatesigningrequests:nodeclient 2022-02-18T07:35:48Z
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient 2022-02-18T07:35:48Z
system:certificates.k8s.io:kube-apiserver-client-approver 2022-02-18T07:35:48Z
system:certificates.k8s.io:kube-apiserver-client-kubelet-approver 2022-02-18T07:35:48Z
system:certificates.k8s.io:kubelet-serving-approver 2022-02-18T07:35:48Z
system:certificates.k8s.io:legacy-unknown-approver 2022-02-18T07:35:48Z
system:controller:attachdetach-controller 2022-02-18T07:35:48Z
system:controller:certificate-controller 2022-02-18T07:35:48Z
system:controller:clusterrole-aggregation-controller 2022-02-18T07:35:48Z
system:controller:cronjob-controller 2022-02-18T07:35:48Z
system:controller:daemon-set-controller 2022-02-18T07:35:48Z
system:controller:deployment-controller 2022-02-18T07:35:48Z
system:controller:disruption-controller 2022-02-18T07:35:48Z
system:controller:endpoint-controller 2022-02-18T07:35:48Z
system:controller:endpointslice-controller 2022-02-18T07:35:48Z
system:controller:endpointslicemirroring-controller 2022-02-18T07:35:48Z
system:controller:ephemeral-volume-controller 2022-02-18T07:35:48Z
system:controller:expand-controller 2022-02-18T07:35:48Z
system:controller:generic-garbage-collector 2022-02-18T07:35:48Z
system:controller:horizontal-pod-autoscaler 2022-02-18T07:35:48Z
system:controller:job-controller 2022-02-18T07:35:48Z
system:controller:namespace-controller 2022-02-18T07:35:48Z
system:controller:node-controller 2022-02-18T07:35:48Z
system:controller:persistent-volume-binder 2022-02-18T07:35:48Z
system:controller:pod-garbage-collector 2022-02-18T07:35:48Z
system:controller:pv-protection-controller 2022-02-18T07:35:48Z
system:controller:pvc-protection-controller 2022-02-18T07:35:48Z
system:controller:replicaset-controller 2022-02-18T07:35:48Z
system:controller:replication-controller 2022-02-18T07:35:48Z
system:controller:resourcequota-controller 2022-02-18T07:35:48Z
system:controller:root-ca-cert-publisher 2022-02-18T07:35:48Z
system:controller:route-controller 2022-02-18T07:35:48Z
system:controller:service-account-controller 2022-02-18T07:35:48Z
system:controller:service-controller 2022-02-18T07:35:48Z
system:controller:statefulset-controller 2022-02-18T07:35:48Z
system:controller:ttl-after-finished-controller 2022-02-18T07:35:48Z
system:controller:ttl-controller 2022-02-18T07:35:48Z
system:coredns 2022-02-18T07:35:50Z
system:discovery 2022-02-18T07:35:48Z
system:heapster 2022-02-18T07:35:48Z
system:kube-aggregator 2022-02-18T07:35:48Z
system:kube-controller-manager 2022-02-18T07:35:48Z
system:kube-dns 2022-02-18T07:35:48Z
system:kube-scheduler 2022-02-18T07:35:48Z
system:kubelet-api-admin 2022-02-18T07:35:48Z
system:monitoring 2022-02-18T07:35:48Z
system:node 2022-02-18T07:35:48Z
system:node-bootstrapper 2022-02-18T07:35:48Z
system:node-problem-detector 2022-02-18T07:35:48Z
system:node-proxier 2022-02-18T07:35:48Z
system:persistent-volume-provisioner 2022-02-18T07:35:48Z
system:public-info-viewer 2022-02-18T07:35:48Z
system:service-account-issuer-discovery 2022-02-18T07:35:48Z
system:volume-scheduler 2022-02-18T07:35:48Z
view 2022-02-18T07:35:48Z
Look at the cluster administrator role cluster-admin in detail; the * means every verb on every resource:
[root@k8s-master k8s-install]# kubectl describe clusterroles cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]
Bind the service account kubernetes-dashboard to the cluster-admin ClusterRole:
[root@k8s-master k8s-install]# cat kubernetes-dashboard-ClusterRoleBinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
Run:
[root@k8s-master k8s-install]# kubectl create -f kubernetes-dashboard-ClusterRoleBinding.yaml
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
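Binding the dashboard service account to cluster-admin, as above, means anyone who obtains that token has full control of the cluster; a narrower alternative is to grant only the verbs the warnings report as missing. The following added example (not part of the original post and not code from the Kubernetes Dashboard project) parses those "forbidden" messages and derives a read-only ClusterRole; the sample warning lines are constructed from the ones quoted above, and the role name kubernetes-dashboard-readonly is an assumed name. The ClusterRoleBinding manifest above can then be reused with roleRef.name pointing at that role instead of cluster-admin.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the warnings quoted above, each reporting the
# verb the dashboard service account was denied for a resource in an API group.
SAMPLE_WARNINGS = [
    'configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" '
    'cannot list resource "configmaps" in API group "" in the namespace "default"',
    'secrets is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" '
    'cannot list resource "secrets" in API group "" in the namespace "default"',
    'deployments.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" '
    'cannot list resource "deployments" in API group "apps" in the namespace "default"',
    'pods is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" '
    'cannot watch resource "pods" in API group "" in the namespace "default"',
]

DASHBOARD_SA = "system:serviceaccount:kube-system:kubernetes-dashboard"

FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
)

def parse_forbidden(line):
    """Return (user, verb, resource, group) for a 'forbidden' warning, else None."""
    m = FORBIDDEN_RE.search(line)
    return m.group("user", "verb", "resource", "group") if m else None

def collect_rules(lines, user):
    """Map (api_group, verb) -> sorted resource names, using only warnings about `user`,
    so a denial logged for some other principal never widens this role."""
    grouped = defaultdict(set)
    for line in lines:
        parsed = parse_forbidden(line)
        if parsed and parsed[0] == user:
            _, verb, resource, group = parsed
            grouped[(group, verb)].add(resource)
    return {k: sorted(v) for k, v in sorted(grouped.items())}

def render_clusterrole(name, rules):
    """Render the collected rules as a rbac.authorization.k8s.io/v1 ClusterRole manifest.
    Note: 'list' on secrets is still sensitive; drop it if the secret view is not needed."""
    out = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: ClusterRole",
           "metadata:", f"  name: {name}", "rules:"]
    for (group, verb), resources in rules.items():
        out.append(f'- apiGroups: ["{group}"]')
        out.append("  resources: [" + ", ".join(resources) + "]")
        out.append(f"  verbs: [{verb}]")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_clusterrole("kubernetes-dashboard-readonly",
                             collect_rules(SAMPLE_WARNINGS, DASHBOARD_SA)))
```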
Note:
Do not get the apiVersion wrong, otherwise the following error is reported:
[root@k8s-master k8s-install]# kubectl create -f kubernetes-dashboard-ClusterRoleBinding.yaml
error: unable to recognize "kubernetes-dashboard-ClusterRoleBinding.yaml": no matches for kind "ClusterRoleBinding" in version "rbac.authorization.k8s.io/v1beta1"
Check that it was created successfully:
[root@k8s-master k8s-install]# kubectl get clusterrolebindings kubernetes-dashboard
NAME ROLE AGE
kubernetes-dashboard ClusterRole/cluster-admin 33s
Get the token and log in again:
[root@k8s-master k8s-install]# kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep kubernetes-dashboard-token | awk '{print $1}')
Name: kubernetes-dashboard-token-csmm7
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: kubernetes-dashboard
kubernetes.io/service-account.uid: cdfe26a2-286c-45de-80f5-f20647d07dfd
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1099 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IlRtcmtMa01qeHVrOTV0VmhJLWUyOVZUTDV1aDhJWmx2X1RSZVFRSnFySzQifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC10b2tlbi1jc21tNyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImNkZmUyNmEyLTI4NmMtNDVkZS04MGY1LWYyMDY0N2QwN2RmZCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTprdWJlcm5ldGVzLWRhc2hib2FyZCJ9.ZvT_rLcs7B9Ja2fhDQcqo5Rcds2BPvf8Gbtb_dcmNmD36pHn6i3WPACoD1sgzfs3smFM2KsHCwmagBCqL-3941xXUv_FcHrMhGPkUyfWqn55U3-N9oxHns-vkDsPm0_0P8QlqzjRCIzed9fnatQMfeoenO6e7OZetakGQsTedJUv3QybUOGEqVlTPImTQzDlP21Yh_6CsoIstAXkwgSdGlogqCUk8FdNk1p8pukYglvZ3tR2ieXIERrROHjVi-g3c6mygf5Dc_cWaPSkKxPmMZx_DX4d366MP40P5KnNpCkbcgp-dIFDa8At7-TQzYn8eFPfAEdWZzSrQkdUYqx5Vg
Now no new warnings appear in the notification panel, and the dashboard shows cluster information such as namespaces, Nodes, and so on: