Access control in Kubernetes 1.8, plus the Dashboard
Tue, Oct 31, 2017
Tags: Kubernetes, docker
In "Built a Kubernetes 1.8 cluster, with kubeadm" I ran into a problem where the Dashboard would not work properly. This is the story of how I solved it.

Symptom

I had built a Kubernetes cluster with kubeadm, and deploying my own app (Goslings) went fine, but when I deployed the Dashboard it did not work: connecting to the web UI through kubectl proxy timed out.
Fix

Name resolution inside the cluster seemed to rely on the DNS service provided by kube-dns, so I suspected the extra entries I had written into /etc/hosts were the problem. I removed the k8s-master and k8s-node entries from /etc/hosts and redid everything from kubeadm init.
Result

That made it work. I ran kubectl proxy on the VM's host:

C:\Users\kaitoy\Desktop>kubectl proxy
Starting to serve on 127.0.0.1:8001

and when I opened http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ in a browser, the sign-in screen appeared.
Dashboard delegates its sign-in handling to Kubernetes (kube-apiserver, really): Dashboard accesses cluster resources as the user authenticated there, fetches the information and displays it, probably.

There are several ways to sign in to Dashboard, and the docs recommended learning about Kubernetes access control before trying to understand them, so I read the Kubernetes documentation for a while.
Kubernetes access control

The endpoint of a Kubernetes cluster is kube-apiserver, and kube-apiserver is also what enforces access control on cluster resources. Once a TLS session between the client and kube-apiserver is established, it inspects the HTTP-layer data to decide whether the request may proceed; that processing has three stages: Authentication, Authorization and Admission.
Authentication
Stage one is Authentication. Here the Authenticator modules plugged into kube-apiserver authenticate the user.

There are two kinds of users Kubernetes authenticates: Service Accounts, which Kubernetes itself manages, and normal users, which are managed outside the cluster. A Service Account is the user a Pod uses to talk to kube-apiserver; a normal user is mainly for humans talking to kube-apiserver through kubectl and the like. (Anonymous requests are also possible.) The former is defined by a ServiceAccount object; there is no object for the latter.

A ServiceAccount belongs to a Namespace (so its name is unique per namespace) and is linked to a Secret. A Secret object holds a set of credentials and is mounted into Pods. ServiceAccounts and their Secrets are normally created automatically and assigned to Pods.

kube-apiserver can be configured with one or more Authenticator modules; if any one of them authenticates the request, processing moves on to the next stage. A request whose credentials fail every authenticator gets HTTP status 401. (A request that presents no credentials at all is instead treated as the user system:anonymous when --anonymous-auth is on, which is the default since 1.6; whether that user can do anything is then up to the authorizers.)

Authenticator modules include the following:
- Client certificate: uses X.509 certificates. Enabled by passing a CA certificate bundle to kube-apiserver with the --client-ca-file option at startup; any client certificate signed by one of those CAs is accepted. The certificate's Common Name becomes the user name and its Organization fields become the groups. The client presents the certificate and the matching private key as its credentials.
- Bearer token (static token file): uses bearer tokens. Enabled by passing token data to kube-apiserver with the --token-auth-file option at startup. The token data is a CSV file with lines of the form token,user,uid,"group1,group2,group3". The client presents the token string as its credential (Authorization: Bearer for an HTTP client).
- Basic authentication: authenticates with a user name and password. Enabled by passing a list of user names and passwords to kube-apiserver with the --basic-auth-file option at startup. The list is CSV, with lines of the form password,user,uid,"group1,group2,group3". The client presents the user name and password as credentials, through the Authorization header in the case of an HTTP client. (This static password file was later deprecated in 1.16 and removed in 1.19; it is a convenience for test clusters, not something to run in production.)
- Service Account token: authenticates Service Accounts with signed bearer tokens. Enabled by default.
The Qiita article "kubernetesがサポートする認証方法の全パターンを動かす" (running every authentication method kubernetes supports) is a good way to deepen your understanding of this area.
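To make the service account authenticator concrete, here is an added example (not code from the post, and not the Kubernetes implementation) that mints a token in the legacy format kube-apiserver 1.8 uses and then verifies it the way the authenticator does. The header in the post's kubectl describe output, eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9, is just {"alg":"RS256","typ":"JWT"}, and the claim names below are the real ones. The key pair is generated on the fly in place of --service-account-private-key-file and --service-account-key-file, the check that the named Secret still exists is assumed rather than implemented, and saClaims, UserInfo, newKey, mintToken and authenticate are names of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// saClaims is the legacy service account token payload (the 1.8 format):
// written by the TokenController, read back by the authenticator.
type saClaims struct {
	Iss        string `json:"iss"`
	Namespace  string `json:"kubernetes.io/serviceaccount/namespace"`
	SecretName string `json:"kubernetes.io/serviceaccount/secret.name"`
	SAName     string `json:"kubernetes.io/serviceaccount/service-account.name"`
	SAUID      string `json:"kubernetes.io/serviceaccount/service-account.uid"`
	Sub        string `json:"sub"`
}

// UserInfo is what the authentication stage hands to the authorizers.
type UserInfo struct {
	Name, UID string
	Groups    []string
}

const saIssuer = "kubernetes/serviceaccount"
var b64 = base64.RawURLEncoding

// newKey stands in for the key pair behind --service-account-private-key-file (assumption of this example).
func newKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// mintToken signs an RS256 JWT the way the TokenController does.
func mintToken(key *rsa.PrivateKey, ns, sa, uid, secret string) (string, error) {
	payload, err := json.Marshal(saClaims{Iss: saIssuer, Namespace: ns, SecretName: secret,
		SAName: sa, SAUID: uid, Sub: "system:serviceaccount:" + ns + ":" + sa})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// authenticate verifies the signature with the --service-account-key-file public
// key, then derives the user from the claims. Any error becomes a 401 upstream.
func authenticate(pub *rsa.PublicKey, token string) (*UserInfo, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if h, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected header") // pin the algorithm; never let the token pick it
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	var c saClaims // claims are parsed only after the signature checks out
	if p, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(p, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != saIssuer || c.Sub != "system:serviceaccount:"+c.Namespace+":"+c.SAName {
		return nil, errors.New("claims do not describe a service account")
	}
	// The real authenticator also checks that the named Secret still exists and belongs to the
	// ServiceAccount (deleting the Secret revokes the token); that lookup is assumed here.
	return &UserInfo{Name: c.Sub, UID: c.SAUID,
		Groups: []string{"system:serviceaccounts", "system:serviceaccounts:" + c.Namespace}}, nil
}

func main() {
	key := newKey()
	tok, _ := mintToken(key, "kube-system", "deployment-controller", "17fc5207-b627-11e7-9867-000c2938deae", "deployment-controller-token-86bp9")
	u, err := authenticate(&key.PublicKey, tok)
	fmt.Println(u, err)
	_, err = authenticate(&newKey().PublicKey, tok) // signed by some other key: rejected
	fmt.Println(err)
}
```

The order of checks matters: the algorithm is pinned and the signature verified before a single claim is read, so a forged payload or an alg=none header is rejected without its contents ever influencing the decision. The derived user name system:serviceaccount:kube-system:deployment-controller and the two system:serviceaccounts groups are exactly what the RBAC stage later matches bindings against.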
Authorization
Once Authentication passes, the client's user (and groups) are established and processing moves to stage two, the Authorizer modules. Here the content of the request (the target object, the kind of operation (method), and so on) is examined, and the request is authorized if it is something this user is allowed to do. What is allowed is defined ahead of time as policy in the cluster.

One or more Authorizer modules can be specified with the --authorization-mode option when kube-apiserver starts; if any one of them authorizes the request, processing moves on to the next stage. Otherwise HTTP status 403 is returned.

Authorization modules include the following:
- Node: authorizes requests from kubelets, limited to the resources belonging to the Pods scheduled on that node.
- ABAC mode: Attribute-Based Access Control. Compares the attributes of the request against the Policy objects in the file given with --authorization-policy-file (one JSON object per line) and authorizes if any policy matches.
- RBAC mode: Role-Based Access Control. Roles are created with Role or ClusterRole objects, which define the resources that may be accessed and the operations allowed on them, and RoleBinding or ClusterRoleBinding objects tie those roles to user names, groups, or ServiceAccounts.
- Webhook mode: the request is serialized as a SubjectAccessReview object in JSON and POSTed over HTTP to an external service; the response decides whether the request is authorized.
Admission Control
Once Authorization passes, processing moves to stage three, the Admission Control modules. These intercept requests that create, delete or update objects, inspect the object before it is persisted, and decide whether to allow persistence. They can also modify the requested object or related objects before persistence, for example to fill in default values. They do not run for read requests.

Several Admission Control modules can be specified with the --admission-control option when kube-apiserver starts; they run in the order listed, and the request is rejected unless every one of them admits it.

There are many Admission Control modules, but for Kubernetes 1.6 and later it is strongly recommended to specify --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds.
The ServiceAccount module in that list works together with the ServiceAccountController and the TokenController in kube-controller-manager to automate everything around Service Accounts.

The ServiceAccountController creates a Service Account named default in every Namespace. When a ServiceAccount is created, the TokenController runs, generates the corresponding Secret and token, and links them to it.

The ServiceAccount module runs whenever a Pod is created or updated and does the following:
- If the Pod has no ServiceAccount set, it sets default.
- It checks that the ServiceAccount set on the Pod exists, and rejects the request if it does not.
- If the Pod has no ImagePullSecrets, it adds the ServiceAccount's ImagePullSecrets to the Pod.
- It adds a Volume containing the token to the Pod.
- It mounts that Volume at /var/run/secrets/kubernetes.io/serviceaccount in each container of the Pod.
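The five steps above, as an added example (not code from the post and not the Kubernetes plugin itself), written as one mutating function over stripped-down Pod and ServiceAccount structs. The Store map stands in for the API server's ServiceAccount lookup; the read-only mount, the "leave an existing mount at that path alone" rule and the rejection of a Pod whose ServiceAccount has no token yet mirror the real plugin's behaviour but are assumptions of this example rather than something the post states.

```go
package main

import (
	"errors"
	"fmt"
)

// Just the parts of Pod and ServiceAccount that the plugin touches (example types).
type VolumeMount struct {
	Name, MountPath string
	ReadOnly        bool
}
type Container struct {
	Name         string
	VolumeMounts []VolumeMount
}
type Volume struct{ Name, SecretName string } // a Secret-backed volume
type Pod struct {
	Namespace, ServiceAccountName string
	ImagePullSecrets              []string
	Containers                    []Container
	Volumes                       []Volume
}
type ServiceAccount struct {
	Name, Namespace  string
	ImagePullSecrets []string
	TokenSecret      string // the kubernetes.io/service-account-token Secret the TokenController created
}

const tokenMountPath = "/var/run/secrets/kubernetes.io/serviceaccount"

// Store stands in for the API server's view of ServiceAccounts, keyed by "namespace/name".
type Store map[string]ServiceAccount

// admitPod applies the ServiceAccount admission plugin's mutations in the order
// the post lists them. A non-nil error means the Pod request is rejected.
func admitPod(store Store, pod *Pod) error {
	// 1. No ServiceAccount on the Pod: use "default".
	if pod.ServiceAccountName == "" {
		pod.ServiceAccountName = "default"
	}
	// 2. The referenced ServiceAccount must exist in the Pod's own namespace.
	sa, ok := store[pod.Namespace+"/"+pod.ServiceAccountName]
	if !ok {
		return fmt.Errorf("serviceaccount %q not found in namespace %q", pod.ServiceAccountName, pod.Namespace)
	}
	// 3. Inherit the ServiceAccount's imagePullSecrets only when the Pod brings none of its own.
	if len(pod.ImagePullSecrets) == 0 {
		pod.ImagePullSecrets = append([]string(nil), sa.ImagePullSecrets...)
	}
	// 4. Add a Volume backed by the token Secret. If the TokenController has not
	//    produced one yet there is nothing to mount, so the request is rejected.
	if sa.TokenSecret == "" {
		return errors.New("no API token found for service account " + sa.Name)
	}
	pod.Volumes = append(pod.Volumes, Volume{Name: sa.TokenSecret, SecretName: sa.TokenSecret})
	// 5. Mount it read-only into every container that does not already mount that path.
	for i := range pod.Containers {
		c := &pod.Containers[i]
		if !mountsPath(c, tokenMountPath) {
			c.VolumeMounts = append(c.VolumeMounts, VolumeMount{sa.TokenSecret, tokenMountPath, true})
		}
	}
	return nil
}

func mountsPath(c *Container, path string) bool {
	for _, m := range c.VolumeMounts {
		if m.MountPath == path {
			return true
		}
	}
	return false
}

func main() {
	// Constructed input: the default ServiceAccount of the default namespace and a one-container Pod.
	store := Store{"default/default": {Name: "default", Namespace: "default", TokenSecret: "default-token-abcde"}}
	pod := &Pod{Namespace: "default", Containers: []Container{{Name: "goslings"}}}
	if err := admitPod(store, pod); err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Printf("sa=%s volumes=%v mounts=%v\n", pod.ServiceAccountName, pod.Volumes, pod.Containers[0].VolumeMounts)
}
```

This is also why every Pod ends up carrying a live API credential whether the workload needs one or not: the mount at /var/run/secrets/kubernetes.io/serviceaccount is injected by the admission stage, not requested by the Pod author, so anyone who gets code execution in a container starts out with that ServiceAccount's identity.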
Signing in to Dashboard with a Bearer Token

Back to Dashboard. First, try signing in with a Bearer Token.

Various Service Accounts are created in the cluster by default, each with different permissions, so the token in any one of their Secrets should let you sign in to Dashboard. Those tokens are the controllers' real credentials, though: anyone who can read Secrets in kube-system can act as any of those controllers, so read access to that namespace has to be tightly controlled and the output below should be treated as sensitive.

The Secrets in the kube-system Namespace can be listed with the following command:
C:\Users\kaitoy>kubectl -n kube-system get secret
NAME                                     TYPE                                  DATA      AGE
attachdetach-controller-token-skzmj      kubernetes.io/service-account-token   3         18m
bootstrap-signer-token-mhqfh             kubernetes.io/service-account-token   3         18m
bootstrap-token-2964e0                   bootstrap.kubernetes.io/token         7         18m
certificate-controller-token-fvrgm       kubernetes.io/service-account-token   3         18m
cronjob-controller-token-hmrdm           kubernetes.io/service-account-token   3         18m
daemon-set-controller-token-vqz85        kubernetes.io/service-account-token   3         18m
default-token-h987g                      kubernetes.io/service-account-token   3         18m
deployment-controller-token-86bp9        kubernetes.io/service-account-token   3         18m
disruption-controller-token-6mskg        kubernetes.io/service-account-token   3         18m
endpoint-controller-token-d4wz6          kubernetes.io/service-account-token   3         18m
generic-garbage-collector-token-smfgq    kubernetes.io/service-account-token   3         18m
horizontal-pod-autoscaler-token-wsbn9    kubernetes.io/service-account-token   3         18m
job-controller-token-fttt2               kubernetes.io/service-account-token   3         18m
kube-dns-token-sn5qq                     kubernetes.io/service-account-token   3         18m
kube-proxy-token-w96xd                   kubernetes.io/service-account-token   3         18m
kubernetes-dashboard-certs               Opaque                                2         7m
kubernetes-dashboard-key-holder          Opaque                                2         6m
kubernetes-dashboard-token-gtppc         kubernetes.io/service-account-token   3         7m
namespace-controller-token-5kksd         kubernetes.io/service-account-token   3         18m
node-controller-token-chpwt              kubernetes.io/service-account-token   3         18m
persistent-volume-binder-token-d5x49     kubernetes.io/service-account-token   3         18m
pod-garbage-collector-token-l8sct        kubernetes.io/service-account-token   3         18m
replicaset-controller-token-njjwr        kubernetes.io/service-account-token   3         18m
replication-controller-token-qrr5h       kubernetes.io/service-account-token   3         18m
resourcequota-controller-token-dznjm     kubernetes.io/service-account-token   3         18m
service-account-controller-token-99nh8   kubernetes.io/service-account-token   3         18m
service-controller-token-9cw7k           kubernetes.io/service-account-token   3         18m
statefulset-controller-token-8z8w9       kubernetes.io/service-account-token   3         18m
token-cleaner-token-cxbkc                kubernetes.io/service-account-token   3         18m
ttl-controller-token-k7gh7               kubernetes.io/service-account-token   3         18m
weave-net-token-lqdgm                    kubernetes.io/service-account-token   3         17m
I picked one that looked plausible, deployment-controller-token-86bp9, ran kubectl describe on it, and the token was visible (the token entry in the Data section):
C:\Users\kaitoy>kubectl -n kube-system describe secret deployment-controller-token-86bp9
Name: deployment-controller-token-86bp9
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name=deployment-controller
kubernetes.io/service-account.uid=17fc5207-b627-11e7-9867-000c2938deae
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.ZGV9XDd-GQjAwRuLKpdsWL_dTeF0Mr_2gF117OW4BhEuLwPujnsfOuysAQ-DUtNOp1NHKGitlfxjh6fKo4tFsdwLVJWrRK6i4YH1Mm2No7Sheks7IQn1FnwSmr7yCuvjlHD2e4RpZH0wupOFoY7FHntilhOWbXTJzJzi7TozLX02EKbkVGAsvch3LZ6p8jmUH5hr8DdKc4jbmTRp86SOiFS4_-TJ3RtAHCxiioAuKzXm3-rAWdeGLLcKrM2pAFSAGaBNu8MO5BZlAi6h3Xt4x-8-1ZXs4mudtJiECvjB-XIwiwzhpq8wIPZvvQQ-f1khixOyk1RfIXRJhIE5Gqvi8g
I selected Token on the sign-in screen and entered the token value shown above, and the sign-in succeeded: I could see the Goslings Deployment and its Pods, but not the Service. An orange warning appears on each screen, which shows that what the deployment-controller user can see is fairly limited.
Signing in to Dashboard with admin rights

If you grant admin rights to kubernetes-dashboard, the Service Account of the Dashboard Pod, then pressing SKIP on the sign-in screen shows everything. This is a security risk and not a setting to use in production: SKIP makes Dashboard act under its own Service Account's identity, so anyone who can reach the UI gets cluster-admin without presenting any credentials. Here the UI is only reachable through kubectl proxy bound to 127.0.0.1, but the same binding on a Dashboard exposed through a NodePort or an Ingress hands the whole cluster to anyone on the network. The production-grade alternative is to leave the Dashboard's own Service Account unprivileged and sign in with the token of a dedicated Service Account bound to the narrowest role that will do.

There is a ClusterRole called cluster-admin, so all it takes is a ClusterRoleBinding that binds it to kubernetes-dashboard. (RBAC v1 became stable in 1.8, so apiVersion: rbac.authorization.k8s.io/v1 works too; the v1beta1 below still worked on 1.8.) So I wrote a YAML file like this:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
and fed it to kubectl:

C:\Users\kaitoy\Desktop>kubectl create -f dashboard-admin.yml
clusterrolebinding "kubernetes-dashboard" created

With that, the Service became visible too.
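An added example (not code from the post and not the Kubernetes RBAC authorizer) that applies the RBAC mode described in the Authorization section to exactly this situation: the deployment-controller Service Account used for the first sign-in can read Deployments and Pods but not Services, the kubernetes-dashboard Service Account is denied everything until the ClusterRoleBinding above exists, and afterwards cluster-admin's wildcard rules allow anything. The deployment-controller-view ClusterRole is a constructed stand-in for the real system:controller:deployment-controller role (the post does not show its rules), and the evaluator covers RoleBinding versus ClusterRoleBinding scoping and User, Group and ServiceAccount subjects, but not nonResourceURLs or resourceNames.

```go
package main

import "fmt"

// PolicyRule mirrors the rules field of a Role/ClusterRole; "*" is a wildcard.
type PolicyRule struct{ APIGroups, Resources, Verbs []string }
// Namespace set means Role / RoleBinding; empty means ClusterRole / ClusterRoleBinding.
type Role struct{ Name, Namespace string; Rules []PolicyRule }
type Subject struct{ Kind, Name, Namespace string } // Kind: User, Group or ServiceAccount
type Binding struct{ Name, Namespace, RoleRefKind, RoleRef string; Subjects []Subject } // RoleRefKind: "Role" or "ClusterRole"
// User is what the authentication stage produced; Request is one API call as the authorizer sees it.
type User struct{ Name string; Groups []string }
type Request struct{ Verb, APIGroup, Resource, Namespace string }
type RBAC struct{ Roles []Role; Bindings []Binding }

func contains(list []string, want string, wildcard bool) bool {
	for _, w := range list {
		if w == want || (wildcard && w == "*") {
			return true
		}
	}
	return false
}

func (r PolicyRule) allows(q Request) bool {
	return contains(r.Verbs, q.Verb, true) && contains(r.APIGroups, q.APIGroup, true) &&
		contains(r.Resources, q.Resource, true)
}

// appliesTo matches a ServiceAccount subject through the system:serviceaccount:<ns>:<name> user name.
func (b Binding) appliesTo(u User) bool {
	for _, s := range b.Subjects {
		switch {
		case s.Kind == "User" && s.Name == u.Name,
			s.Kind == "Group" && contains(u.Groups, s.Name, false),
			s.Kind == "ServiceAccount" && u.Name == "system:serviceaccount:"+s.Namespace+":"+s.Name:
			return true
		}
	}
	return false
}

// Authorize is deny-by-default: allowed only if some binding naming the user grants a matching rule.
// A RoleBinding only counts inside its own namespace, even when it references a ClusterRole.
func (p *RBAC) Authorize(u User, q Request) bool {
	for _, b := range p.Bindings {
		if (b.Namespace != "" && b.Namespace != q.Namespace) || !b.appliesTo(u) {
			continue
		}
		roleNS := "" // a "Role" ref is looked up in the binding's own namespace; a dangling ref grants nothing
		if b.RoleRefKind == "Role" {
			roleNS = b.Namespace
		}
		for _, r := range p.Roles {
			for _, rule := range r.Rules {
				if r.Name == b.RoleRef && r.Namespace == roleNS && rule.allows(q) {
					return true
				}
			}
		}
	}
	return false
}

// saUser builds the identity the service account authenticator produces.
func saUser(ns, name string) User {
	return User{"system:serviceaccount:" + ns + ":" + name, []string{"system:serviceaccounts", "system:serviceaccounts:" + ns}}
}

// clusterFromPost is a constructed policy: cluster-admin, a stand-in for the deployment controller's
// real ClusterRole (reads deployments, replicasets and pods, not services) and, when dashboardIsAdmin,
// the ClusterRoleBinding the post creates.
func clusterFromPost(dashboardIsAdmin bool) *RBAC {
	all, ro := []string{"*"}, []string{"get", "list", "watch"}
	p := &RBAC{
		Roles: []Role{
			{Name: "cluster-admin", Rules: []PolicyRule{{all, all, all}}},
			{Name: "deployment-controller-view", Rules: []PolicyRule{
				{[]string{"apps", "extensions"}, []string{"deployments", "replicasets"}, ro},
				{[]string{""}, []string{"pods"}, ro}}},
		},
		Bindings: []Binding{{Name: "deployment-controller", RoleRefKind: "ClusterRole", RoleRef: "deployment-controller-view",
			Subjects: []Subject{{"ServiceAccount", "deployment-controller", "kube-system"}}}},
	}
	if dashboardIsAdmin {
		p.Bindings = append(p.Bindings, Binding{Name: "kubernetes-dashboard", RoleRefKind: "ClusterRole", RoleRef: "cluster-admin",
			Subjects: []Subject{{"ServiceAccount", "kubernetes-dashboard", "kube-system"}}})
	}
	return p
}

func main() {
	dc, dash := saUser("kube-system", "deployment-controller"), saUser("kube-system", "kubernetes-dashboard")
	svc := Request{"list", "", "services", "default"}
	fmt.Println(clusterFromPost(false).Authorize(dc, svc), clusterFromPost(true).Authorize(dash, svc)) // false true
}
```

The same evaluation is what kubectl auth can-i asks the real API server to perform, so before handing cluster-admin to a component it is worth checking which concrete verbs on which resources it actually needs and writing a ClusterRole with only those; with RBAC there is no "deny" rule, only the absence of a grant, so every binding added is purely additive.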
As a bonus, the hardware resource information showed up as well.

Satisfied.