个人中心
gpt4 book ai didi

未使用 Keycloack/Dex 授权的 Kubernetes 仪表板

转载 作者:行者123 更新时间:2023-12-02 11:47:04 24 4
gpt4 key购买 nike

我无法让 kubernetes 允许访问仪表板。我正在使用 dex/keycloack 并且能够成功登录,但随后我从 UI 收到未经授权的消息。浏览器控制台显示:

Couldn't get available api versions from server: Unauthorized\n","status":500

kubernetes 仪表板日志显示多个错误,我安装了 metrics-server 但没有 heapster 所以我不担心第二个: 
2019/08/23 12:15:11 Getting application global configuration
2019/08/23 12:15:11 Application configuration {"serverTime":1566562511915}
2019/08/23 12:15:12 [2019-08-23T12:15:12Z] Incoming HTTP/1.1 GET /api/v1/settings/global request from 192.168.2.12:38700: {}
2019/08/23 12:15:12 Cannot find settings config map: Unauthorized
2019/08/23 12:15:12 Cannot restore settings config map: Unauthorized
2019/08/23 12:15:12 [2019-08-23T12:15:12Z] Outcoming response to 192.168.2.12:38700 with 200 status code
2019/08/23 12:15:12 [2019-08-23T12:15:12Z] Incoming HTTP/1.1 GET /api/v1/systembanner request from 192.168.2.12:38700: {}
2019/08/23 12:15:12 [2019-08-23T12:15:12Z] Outcoming response to 192.168.2.12:38700 with 200 status code
2019/08/23 12:15:12 [2019-08-23T12:15:12Z] Incoming HTTP/1.1 GET /api/v1/login/status request from 192.168.2.12:38700: {}
2019/08/23 12:15:12 [2019-08-23T12:15:12Z] Outcoming response to 192.168.2.12:38700 with 200 status code
2019/08/23 12:15:12 [2019-08-23T12:15:12Z] Incoming HTTP/1.1 GET /api/v1/rbac/status request from 192.168.2.12:38700: {}
2019/08/23 12:15:12 Couldn't get available api versions from server: Unauthorized
2019/08/23 12:15:12 [2019-08-23T12:15:12Z] Outcoming response to 192.168.2.12:38700 with 500 status code
2019/08/23 12:15:12 [2019-08-23T12:15:12Z] Incoming HTTP/1.1 GET /api/v1/overview/default?filterBy=&itemsPerPage=10&name=&page=1&sortBy=d,creationTimestamp request from 192.168.2.12:38700: {}
2019/08/23 12:15:12 Getting config category
2019/08/23 12:15:12 Non-critical error occurred during resource retrieval: Unauthorized

2019/08/23 11:47:25 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.

我还在 keycloack 日志中看到了这一点,这似乎是问题所在,但我无法确定它为什么会发生。 
1.5665671075671058e+09  warn    unable to parse the access token, using id token only   {"error": "malformed JWS, only 1 segments"}

我正在使用以下服务帐户、角色和角色绑定(bind),但我也尝试绑定(bind) k8s-app: kubernetes-dashboard帐户到 cluster-admin没有运气的角色。 
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

---

最佳答案

事实证明这是我没有阅读文档的情况。我错过了必须将这些添加到 kube-api 服务器的部分。

--oidc-issuer-url=https://dex.k8s.example.com/dex: External Dex endpoint
--oidc-client-id=loginapp: ID for our Login Application
--oidc-username-claim=name: Map to nameAttr Dex configuration. This will be used by Kubernetes RBAC to authorize users based on their name.
--oidc-groups-claim=groups: This will be used by Kubernetes RBAC to authorize users based on their groups.

关于未使用 Keycloack/Dex 授权的 Kubernetes 仪表板,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57625857/

24 4 0
文章推荐: android - 更新 androidx.constraintlayout :constraintlayout lib to 2. 0.2 版本后得到 crash isRtl() null reference
文章推荐: kubernetes - 如果 Kubernetes pod 超过其 CPU 资源 'limit' 会发生什么?
文章推荐: kubernetes - 身份验证握手失败 : x509: certificate signed by unknown authority
文章推荐: docker - 如何根据 Kubernetes 插件上的构建队列扩展 Jenkins 从站
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com