diff --git a/docs/guide/dashboard.1.6.3.md b/docs/guide/dashboard.1.6.3.md index 85f6559..6682c45 100644 --- a/docs/guide/dashboard.1.6.3.md +++ b/docs/guide/dashboard.1.6.3.md @@ -42,7 +42,7 @@ kubectl logs kubernetes-dashboard-86bd8778bf-w4974 -n kube-system + 启用 `TLS认证` `RBAC授权`等安全特性 + 关闭 apiserver非安全端口8080的外部访问`--insecure-bind-address=127.0.0.1` + 关闭匿名认证`--anonymous-auth=false` -+ 补充启用基本密码认证 `--basic-auth-file=/etc/kubernetes/ssl/basic-auth.csv`,[密码文件模板](../../roles/kube-master/templates/basic-auth.csv.j2)中按照每行(密码,用户名,序号)的格式,可以定义多个用户 ++ 补充启用基本密码认证 `--token-auth-file=/etc/kubernetes/ssl/basic-auth.csv`,[密码文件模板](../../roles/kube-master/templates/basic-auth.csv.j2)中按照每行(密码,用户名,序号)的格式,可以定义多个用户 #### 1. 临时访问:使用 `http://NodeIP:NodePort` 方式直接访问 dashboard,生产环境建议关闭该途径 diff --git a/docs/guide/dashboard.md b/docs/guide/dashboard.md index 0d5a380..6143567 100644 --- a/docs/guide/dashboard.md +++ b/docs/guide/dashboard.md @@ -50,7 +50,7 @@ kubectl logs kubernetes-dashboard-7c74685c48-9qdpn -n kube-system + 启用 `TLS认证` `RBAC授权`等安全特性 + 关闭 apiserver非安全端口8080的外部访问`--insecure-bind-address=127.0.0.1` + 关闭匿名认证`--anonymous-auth=false` -+ 可选启用基本密码认证 `--basic-auth-file=/etc/kubernetes/ssl/basic-auth.csv`,[密码文件模板](../../roles/kube-master/templates/basic-auth.csv.j2)中按照每行(密码,用户名,序号)的格式,可以定义多个用户;kubeasz 1.0.0 版本以后默认关闭 basic-auth,可以在 roles/kube-master/defaults/main.yml 选择开启 ++ 可选启用基本密码认证 `--token-auth-file=/etc/kubernetes/ssl/basic-auth.csv`,[密码文件模板](../../roles/kube-master/templates/basic-auth.csv.j2)中按照每行(密码,用户名,序号)的格式,可以定义多个用户;kubeasz 1.0.0 版本以后默认关闭 basic-auth,可以在 roles/kube-master/defaults/main.yml 选择开启 新版 dashboard可以有多层访问控制,首先与旧版一样可以使用apiserver 方式登录控制: diff --git a/docs/setup/04-install_kube_master.md b/docs/setup/04-install_kube_master.md index d7a5265..d92f38a 100644 --- a/docs/setup/04-install_kube_master.md +++ b/docs/setup/04-install_kube_master.md 
@@ -97,7 +97,7 @@ ExecStart={{ bin_dir }}/kube-apiserver \ --kubelet-client-certificate={{ ca_dir }}/admin.pem \ --kubelet-client-key={{ ca_dir }}/admin-key.pem \ --anonymous-auth=false \ - --basic-auth-file={{ ca_dir }}/basic-auth.csv \ + --token-auth-file={{ ca_dir }}/basic-auth.csv \ --service-cluster-ip-range={{ SERVICE_CIDR }} \ --service-node-port-range={{ NODE_PORT_RANGE }} \ --tls-cert-file={{ ca_dir }}/kubernetes.pem \ diff --git a/roles/kube-master/defaults/main.yml b/roles/kube-master/defaults/main.yml index 8c55541..e35ef4a 100644 --- a/roles/kube-master/defaults/main.yml +++ b/roles/kube-master/defaults/main.yml @@ -11,6 +11,11 @@ MASTER_CERT_HOSTS: #- "www.test.com" # apiserver 基础认证(用户名/密码)配置,详见 master 节点文件‘/etc/kubernetes/ssl/basic-auth.csv’ +# the first three values can be anything; +# These tokens are arbitrary but should represent at least 128 bits of entropy derived from +# a secure random number generator, for example: +# head -c 16 /dev/urandom | od -An -t x | tr -d ' ' +# 例子: 02b50b05283e98dd0fd71db496ef01e8,kubelet-bootstrap,10001,"system:bootstrappers" # 是否启用基础认证 yes/no BASIC_AUTH_ENABLE: 'no' # 用户名: diff --git a/roles/kube-master/tasks/main.yml b/roles/kube-master/tasks/main.yml index a0a5ad7..9248c37 100644 --- a/roles/kube-master/tasks/main.yml +++ b/roles/kube-master/tasks/main.yml @@ -32,7 +32,7 @@ - block: - name: 生成 basic-auth 随机密码 - shell: 'PWD=`date +%s%N|md5sum|head -c16`; \ + shell: 'PWD=`head -c 16 /dev/urandom | od -An -t x | tr -d ' '`; \ sed -i "s/_pwd_/$PWD/g" {{ base_dir }}/roles/kube-master/defaults/main.yml; \ echo $PWD;' connection: local diff --git a/roles/kube-master/templates/kube-apiserver.service.j2 b/roles/kube-master/templates/kube-apiserver.service.j2 index fa7cfee..1e8cfff 100644 --- a/roles/kube-master/templates/kube-apiserver.service.j2 +++ b/roles/kube-master/templates/kube-apiserver.service.j2 
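Review bot: The five comment lines added to roles/kube-master/defaults/main.yml describe the file inaccurately and sit directly under an older comment that still calls it 基础认证(用户名/密码). With `--token-auth-file` the columns are fixed — token, user name, user uid, then an optional quoted group list — so `the first three values can be anything` is misleading, and the example line `02b50b05283e98dd0fd71db496ef01e8,kubelet-bootstrap,10001,"system:bootstrappers"` (which appears to be copied from the kubelet TLS bootstrapping docs) shows a bootstrapper identity and group that this role does not create, inviting an operator to grant `system:bootstrappers` by accident. I would replace the block with `# 静态 token 文件 (--token-auth-file) 每行格式: token,用户名,用户ID,"组1,组2"(组列可选)` and `# token 必须来自安全随机源 (至少 128 bit 熵), 例如: head -c 16 /dev/urandom | od -An -t x | tr -d ' '`, and update the line above so it no longer says 用户名/密码. The surrounding variable definitions continue outside the hunk.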
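Review bot: The new `shell:` value in roles/kube-master/tasks/main.yml is not valid YAML: the scalar is single-quoted, and the `' '` argument to `tr -d` contains an unescaped single quote that ends the scalar mid-line, so the play fails to load before the task runs. Use double quotes for that argument, `shell: 'PWD=`head -c 16 /dev/urandom | od -An -t x | tr -d " "`; \`, or write the YAML escape `''` `''` in its place. Replacing `date +%s%N|md5sum` with /dev/urandom is the right move, since a timestamp-derived value is guessable; `od -An -t x` over 16 bytes yields 32 hex characters, so the generated token keeps the full 128 bits as long as the quoting is fixed. The shell variable name `PWD` shadows the shell's working-directory variable and would read better as `TOKEN`, though that predates this hunk; the enclosing `block:` continues outside it.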
@@ -10,7 +10,7 @@ ExecStart={{ bin_dir }}/kube-apiserver \
 --anonymous-auth=false \
 --authorization-mode=Node,RBAC \
 {% if BASIC_AUTH_ENABLE == "yes" %}
- --basic-auth-file={{ ca_dir }}/basic-auth.csv \
+ --token-auth-file={{ ca_dir }}/basic-auth.csv \
 {% endif %}
 --bind-address={{ inventory_hostname }} \
 --client-ca-file={{ ca_dir }}/ca.pem \
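Review bot: Switching the flag to `--token-auth-file` changes the authentication scheme, not just a file path: the entries in basic-auth.csv become static bearer tokens that clients must present as `Authorization: Bearer <token>` rather than HTTP basic credentials, yet the gate is still `BASIC_AUTH_ENABLE`, the file is still `basic-auth.csv`, and both dashboard docs hunks in this commit still describe it as 基本密码认证. A comment above the `{% if %}` would save operators a confusing 401, for example `# BASIC_AUTH_ENABLE 现在启用的是静态 token 认证 (Authorization: Bearer <token>), 并非 HTTP basic 认证`. It is also worth recording there that a static token file is read only at kube-apiserver start, so rotating or revoking a token in basic-auth.csv requires restarting the apiserver on every master. The same naming issue applies to the docs/setup/04-install_kube_master.md hunk above.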