gpt4 book ai didi

未使用 Keycloack/Dex 授权的 Kubernetes 仪表板

转载 作者:行者123 更新时间:2023-12-02 11:47:04 25 4
gpt4 key购买 nike

我无法让 kubernetes 允许访问仪表板。我正在使用 dex/keycloack 并且能够成功登录,但随后我从 UI 收到未经授权的消息。浏览器控制台显示:

Couldn't get available api versions from server: Unauthorized\n","status":500

kubernetes 仪表板日志显示多个错误,我安装了 metrics-server 但没有 heapster 所以我不担心第二个:
2019/08/23 12:15:11 Getting application global configuration
2019/08/23 12:15:11 Application configuration {"serverTime":1566562511915}
2019/08/23 12:15:12 [2019-08-23T12:15:12Z] Incoming HTTP/1.1 GET /api/v1/settings/global request from 192.168.2.12:38700: {}
2019/08/23 12:15:12 Cannot find settings config map: Unauthorized
2019/08/23 12:15:12 Cannot restore settings config map: Unauthorized
2019/08/23 12:15:12 [2019-08-23T12:15:12Z] Outcoming response to 192.168.2.12:38700 with 200 status code
2019/08/23 12:15:12 [2019-08-23T12:15:12Z] Incoming HTTP/1.1 GET /api/v1/systembanner request from 192.168.2.12:38700: {}
2019/08/23 12:15:12 [2019-08-23T12:15:12Z] Outcoming response to 192.168.2.12:38700 with 200 status code
2019/08/23 12:15:12 [2019-08-23T12:15:12Z] Incoming HTTP/1.1 GET /api/v1/login/status request from 192.168.2.12:38700: {}
2019/08/23 12:15:12 [2019-08-23T12:15:12Z] Outcoming response to 192.168.2.12:38700 with 200 status code
2019/08/23 12:15:12 [2019-08-23T12:15:12Z] Incoming HTTP/1.1 GET /api/v1/rbac/status request from 192.168.2.12:38700: {}
2019/08/23 12:15:12 Couldn't get available api versions from server: Unauthorized
2019/08/23 12:15:12 [2019-08-23T12:15:12Z] Outcoming response to 192.168.2.12:38700 with 500 status code
2019/08/23 12:15:12 [2019-08-23T12:15:12Z] Incoming HTTP/1.1 GET /api/v1/overview/default?filterBy=&itemsPerPage=10&name=&page=1&sortBy=d,creationTimestamp request from 192.168.2.12:38700: {}
2019/08/23 12:15:12 Getting config category
2019/08/23 12:15:12 Non-critical error occurred during resource retrieval: Unauthorized

2019/08/23 11:47:25 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.

我还在 keycloack 日志中看到了这一点,这似乎是问题所在,但我无法确定它为什么会发生。
1.5665671075671058e+09  warn    unable to parse the access token, using id token only   {"error": "malformed JWS, only 1 segments"}

我正在使用以下服务帐户、角色和角色绑定(bind),但我也尝试绑定(bind) k8s-app: kubernetes-dashboard帐户到 cluster-admin没有运气的角色。
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
rules:
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
# Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system

---

最佳答案

事实证明这是我没有阅读文档的情况。我错过了必须将这些添加到 kube-api 服务器的部分。

--oidc-issuer-url=https://dex.k8s.example.com/dex: External Dex endpoint
--oidc-client-id=loginapp: ID for our Login Application
--oidc-username-claim=name: Map to nameAttr Dex configuration. This will be used by Kubernetes RBAC to authorize users based on their name.
--oidc-groups-claim=groups: This will be used by Kubernetes RBAC to authorize users based on their groups.

关于未使用 Keycloack/Dex 授权的 Kubernetes 仪表板,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57625857/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com