From 3c1c348544e6c2378b09adc139e55e60753bef59 Mon Sep 17 00:00:00 2001
From: gjmzj
Date: Thu, 4 Apr 2019 09:08:27 +0800
Subject: [PATCH] =?UTF-8?q?=E6=9B=B4=E6=96=B0dashboard=E5=85=B3=E4=BA=8Eba?=
 =?UTF-8?q?sic-auth=E8=AE=A4=E8=AF=81=E7=9A=84=E7=9B=B8=E5=85=B3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 docs/guide/dashboard.md | 9 +++++----
 roles/cilium/tasks/main.yml | 2 +-
 roles/kube-master/tasks/main.yml | 5 +++++
 3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/docs/guide/dashboard.md b/docs/guide/dashboard.md
index e199356..ab226fb 100644
--- a/docs/guide/dashboard.md
+++ b/docs/guide/dashboard.md
@@ -1,6 +1,6 @@
 ## dashboard
-本文档基于 dashboard 1.10.0版本,k8s版本 1.11.x。因 dashboard 1.7 以后默认开启了自带的登陆验证机制,因此不同版本登陆有差异:
+本文档基于 dashboard 1.10.1版本,k8s版本 1.13.x。因 dashboard 1.7 以后默认开启了自带的登陆验证机制,因此不同版本登陆有差异:
 - 旧版(<= 1.6)建议通过apiserver访问,直接通过apiserver 认证授权机制去控制 dashboard权限,详见[旧版文档](dashboard.1.6.3.md)
 - 新版(>= 1.7)可以使用自带的登陆界面,使用不同Service Account Tokens 去控制访问 dashboard的权限
@@ -50,12 +50,13 @@ kubectl logs kubernetes-dashboard-7c74685c48-9qdpn -n kube-system
 + 启用 `TLS认证` `RBAC授权`等安全特性
 + 关闭 apiserver非安全端口8080的外部访问`--insecure-bind-address=127.0.0.1`
 + 关闭匿名认证`--anonymous-auth=false`
-+ 补充启用基本密码认证 `--basic-auth-file=/etc/kubernetes/ssl/basic-auth.csv`,[密码文件模板](../../roles/kube-master/templates/basic-auth.csv.j2)中按照每行(密码,用户名,序号)的格式,可以定义多个用户
++ 可选启用基本密码认证 `--basic-auth-file=/etc/kubernetes/ssl/basic-auth.csv`,[密码文件模板](../../roles/kube-master/templates/basic-auth.csv.j2)中按照每行(密码,用户名,序号)的格式,可以定义多个用户;kubeasz 1.0.0 版本以后默认关闭 basic-auth,可以在 roles/kube-master/defaults/main.yml 选择开启
 新版 dashboard可以有多层访问控制,首先与旧版一样可以使用apiserver 方式登陆控制:
-+ 第一步通过api-server本身安全认证流程,与之前[1.6.3版本](dashboard.1.6.3.md)相同,这里不再赘述
-+ 第二步通过dashboard自带的登陆流程,使用`Kubeconfig` `Token`等方式登陆
+- 第一步通过api-server本身安全认证流程,与之前[1.6.3版本](dashboard.1.6.3.md)相同,这里不再赘述
+ - 如果需要通过(用户名/密码)认证,kubeasz 1.0.0以后需要修改`roles/kube-master/defaults/main.yml`启用basic-auth,然后重启 master 生效: `ansible-playbook 04.kube-master.yml -t restart_master`
+- 第二步通过dashboard自带的登陆流程,使用`Kubeconfig` `Token`等方式登陆
 **注意:** 如果集群已启用 ingress tls的话,可以[配置ingress规则访问dashboard](ingress-tls.md#%E9%85%8D%E7%BD%AE-dashboard-ingress)
diff --git a/roles/cilium/tasks/main.yml b/roles/cilium/tasks/main.yml
index efb49a0..6f9d916 100644
--- a/roles/cilium/tasks/main.yml
+++ b/roles/cilium/tasks/main.yml
@@ -15,7 +15,7 @@
 - name: 检查内核版本>4.9
 fail: msg="kernel {{ ansible_kernel }} is too old for cilium installing"
- when: "KERNEL_VER <= 4.09"
+ when: "KERNEL_VER|float <= 4.09"
 - name: 检查是否已下载离线cilium镜像
 command: "ls {{ base_dir }}/down"
diff --git a/roles/kube-master/tasks/main.yml b/roles/kube-master/tasks/main.yml
index 1d1ff6b..6d42edf 100644
--- a/roles/kube-master/tasks/main.yml
+++ b/roles/kube-master/tasks/main.yml
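Review bot: The float comparison on the changed `when:` line is fragile: the literal `4.09` only makes sense if KERNEL_VER is encoded as major + minor/100 (4.9 → 4.09, 4.15 → 4.15), and if it is instead the plain `major.minor` string (4.9 → 4.9) then 4.4 and 4.8 kernels pass the ">4.9" check, since 4.4 > 4.09. Ansible's `version` test avoids both the encoding and the `|float` cast: `when: ansible_kernel.split('-')[0] is version('4.9', '<')` (`version_compare` on Ansible < 2.5), which compares components instead of a decimal fraction. How KERNEL_VER is built from `ansible_kernel` is outside this hunk, so confirm which encoding is in use before simplifying.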
@@ -49,14 +49,17 @@
 connection: local
 register: TMP_PASS
 run_once: true
+ tags: restart_master
 - name: 设置 basic-auth 随机密码
 set_fact: BASIC_AUTH_PASS="{{ TMP_PASS.stdout }}"
+ tags: restart_master
 when: 'BASIC_AUTH_ENABLE == "yes" and BASIC_AUTH_PASS == "_pwd_"'
 - name: 创建 basic-auth.csv
 template: src=basic-auth.csv.j2 dest={{ ca_dir }}/basic-auth.csv
 when: 'BASIC_AUTH_ENABLE == "yes"'
+ tags: restart_master
 # 为兼容v1.8版本,配置不同 kube-apiserver的systemd unit文件
 - name: 获取 k8s 版本信息
@@ -106,9 +109,11 @@
 when: 'BASIC_AUTH_ENABLE == "yes"'
 delegate_to: "{{ groups.deploy[0] }}"
 run_once: true
+ tags: restart_master
 - name: 创建{{ BASIC_AUTH_USER }}用户rbac权限
 shell: "{{ bin_dir }}/kubectl apply -f /opt/kube/admin-user-binding.yaml"
 when: 'BASIC_AUTH_ENABLE == "yes"'
 delegate_to: "{{ groups.deploy[0] }}"
 run_once: true
+ tags: restart_master
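Review bot: Because the password-generating task (which starts before this hunk, registering TMP_PASS) and the `set_fact: BASIC_AUTH_PASS` task now both carry `tags: restart_master`, every `ansible-playbook 04.kube-master.yml -t restart_master` run with the default `BASIC_AUTH_PASS == "_pwd_"` mints a new random password and rewrites basic-auth.csv, silently invalidating the credential the operator was logging in with. Either require BASIC_AUTH_PASS to be set explicitly in defaults/main.yml before the restart tag is honoured, or read the current password back from `{{ ca_dir }}/basic-auth.csv` when that file already exists instead of regenerating it. Separately, the `template:` task that writes the csv sets no mode or owner, so the plaintext credential lands on the master with the umask default (typically 0644, world-readable); tighten it to `template: src=basic-auth.csv.j2 dest={{ ca_dir }}/basic-auth.csv owner=root mode=0600`. Note that `--basic-auth-file` was deprecated in Kubernetes 1.16 and removed in 1.19, so this path only works on the 1.13-era clusters the docs target; whether the generator task carries its own `when` guard is not visible in the hunk.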
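Review bot: Tagging the `kubectl apply -f /opt/kube/admin-user-binding.yaml` task with `restart_master` re-applies the binding on every restart, but nothing in this role reverts it when BASIC_AUTH_ENABLE is later set back to "no", so the RBAC grant for `{{ BASIC_AUTH_USER }}` outlives the credential it was created for. Add a paired cleanup task — e.g. `{{ bin_dir }}/kubectl delete -f /opt/kube/admin-user-binding.yaml --ignore-not-found`, guarded on `BASIC_AUTH_ENABLE != "yes"` and on the file existing on the deploy host — or at least document in the task name that the binding must be removed by hand. The file name suggests an admin-level binding; if this user is only meant for dashboard access, binding it to a narrower ClusterRole keeps a password-authenticated account off cluster-admin, though the binding's contents are not in this hunk. The template task that produces that file starts before this hunk.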