2

我有一个具有以下拓扑的 Kubernetes 集群设置

我已经在集群上部署了 Kubernetes Dashboard,并且能够使用 kubectl 代理访问仪表板。

但是当我尝试使用 URL 通过浮动 IP/VIP 访问仪表板时:

https://<FloatingIP>:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login

我最终在浏览器上得到以下响应

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}

我确实明白这个问题是因为 Kubernetes 上的 RBAC 引起的,并且围绕这个主题做了一些阅读,但我仍然不清楚在主集群实现上需要做什么来解决这个问题。我能够在单个主服务器上成功公开仪表板 - 使用 NodePort 访问的多节点设置,但是集群主设置会失败。

我也愿意接受有关在此拓扑中实施 Dashboard 的更好建议。

如果您需要任何其他信息,请告诉我

4

1 回答 1

14

您将需要创建一个 clusterrole 来授予 kubernetes-dashboard 的权限并将其绑定到 system:anonymous 用户,如下所示。

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-anonymous
rules:
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["https:kubernetes-dashboard:"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-anonymous
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard-anonymous
subjects:
- kind: User
  name: system:anonymous

编辑: 要应用这些更改,请将其保存到 .yaml(例如:clusterrole.yaml)文件中并运行

kubectl apply -f clusterrole.yaml
于 2019-09-07T01:24:07.693 回答