问题
I installed Kubernetes's dashboard and now I am trying to log in.
It asks for Kubeconfig or Token, I chose to use Token.
I created a new service:kubectl create serviceaccount myservice
master@osboxes:~$ kubectl get serviceaccount myservice -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: 2018-05-27T13:09:16Z
name: myservice
namespace: default
resourceVersion: "76189"
selfLink: /api/v1/namespaces/default/serviceaccounts/myservice
uid: 2870f525-61af-11e8-9498-000c29b3c4e0
secrets:
- name: myservice-token-p2rrt
I exported the service account's token:
master@osboxes:~$ kubectl get secret myservice-token-p2rrt -o yaml | grep token
token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbTE1YzJWeWRtbGpaUzEwYjJ0bGJpMXdNbkp5ZENJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZ5ZG1salpTMWhZMk52ZFc1MExtNWhiV1VpT2lKdGVYTmxjblpwWTJVaUxDSnJkV0psY201bGRHVnpMbWx2TDNObGNuWnBZMlZoWTJOdmRXNTBMM05sY25acFkyVXRZV05qYjNWdWRDNTFhV1FpT2lJeU9EY3daalV5TlMwMk1XRm1MVEV4WlRndE9UUTVPQzB3TURCak1qbGlNMk0wWlRBaUxDSnpkV0lpT2lKemVYTjBaVzA2YzJWeWRtbGpaV0ZqWTI5MWJuUTZaR1ZtWVhWc2REcHRlWE5sY25acFkyVWlmUS5IdkFoTDU1a0NTOXFPME5hUXVIV3NTbU5WcnlHdUZfUUJyZXRZRi1VcXNrOTFUTTlfWUx6SktsOWQxRGh6Unpzclhac2FtTF9SNE04dUVjU2g4c0lwNHV6Ul9QdDdTQ0hRQ3JiWi1KeFJwOEhDUENlcUZXMkJ0WTl5NlJ3bDBuZlRMY0l2N1Y5SDZFc1BsSy1zTmMxVTlhcFgxMmNKQ0hoOXpjLVI3RXdlZl80OGtoaHJubGkxZTB4dExXTnFaMTJCaTdZalZGZEU3OTVIZXJOYjR5XzNRMzFIcURlcERCVF9FS01Db0NZYk82MV9jM0t3eDRrMkx5R3ZqSWRFamUxNG9HQnlUSkt2QmRWMVRNb0pnNjdvWG1PbHkwV0VZUGVRaTVnNmw5dEhsRTVLZ3NlZHowV1BCel9ZUUxKMzBQYXBxUTktenhVVVpuX0UySS1vV2cyYmc=
name: myservice-token-p2rrt
selfLink: /api/v1/namespaces/default/secrets/myservice-token-p2rrt
type: kubernetes.io/service-account-token
Decoded it from base64:
master@osboxes:~$ echo "ZXlKaGJHY2lPaUpTVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbTE1YzJWeWRtbGpaUzEwYjJ0bGJpMXdNbkp5ZENJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZ5ZG1salpTMWhZMk52ZFc1MExtNWhiV1VpT2lKdGVYTmxjblpwWTJVaUxDSnJkV0psY201bGRHVnpMbWx2TDNObGNuWnBZMlZoWTJOdmRXNTBMM05sY25acFkyVXRZV05qYjNWdWRDNTFhV1FpT2lJeU9EY3daalV5TlMwMk1XRm1MVEV4WlRndE9UUTVPQzB3TURCak1qbGlNMk0wWlRBaUxDSnpkV0lpT2lKemVYTjBaVzA2YzJWeWRtbGpaV0ZqWTI5MWJuUTZaR1ZtWVhWc2REcHRlWE5sY25acFkyVWlmUS5IdkFoTDU1a0NTOXFPME5hUXVIV3NTbU5WcnlHdUZfUUJyZXRZRi1VcXNrOTFUTTlfWUx6SktsOWQxRGh6Unpzclhac2FtTF9SNE04dUVjU2g4c0lwNHV6Ul9QdDdTQ0hRQ3JiWi1KeFJwOEhDUENlcUZXMkJ0WTl5NlJ3bDBuZlRMY0l2N1Y5SDZFc1BsSy1zTmMxVTlhcFgxMmNKQ0hoOXpjLVI3RXdlZl80OGtoaHJubGkxZTB4dExXTnFaMTJCaTdZalZGZEU3OTVIZXJOYjR5XzNRMzFIcURlcERCVF9FS01Db0NZYk82MV9jM0t3eDRrMkx5R3ZqSWRFamUxNG9HQnlUSkt2QmRWMVRNb0pnNjdvWG1PbHkwV0VZUGVRaTVnNmw5dEhsRTVLZ3NlZHowV1BCel9ZUUxKMzBQYXBxUTktenhVVVpuX0UySS1vV2cyYmc=" | base64 -d
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im15c2VydmljZS10b2tlbi1wMnJydCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJteXNlcnZpY2UiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIyODcwZjUyNS02MWFmLTExZTgtOTQ5OC0wMDBjMjliM2M0ZTAiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpteXNlcnZpY2UifQ.HvAhL55kCS9qO0NaQuHWsSmNVryGuF_QBretYF-Uqsk91TM9_YLzJKl9d1DhzRzsrXZsamL_R4M8uEcSh8sIp4uzR_Pt7SCHQCrbZ-JxRp8HCPCeqFW2BtY9y6Rwl0nfTLcIv7V9H6EsPlK-sNc1U9apX12cJCHh9zc-R7Ewef_48khhrnli1e0xtLWNqZ12Bi7YjVFdE795HerNb4y_3Q31HqDepDBT_EKMCoCYbO61_c3Kwx4k2LyGvjIdEje14oGByTJKvBdV1TMoJg67oXmOly0WEYPeQi5g6l9tHlE5Kgsedz0WPBz_YQLJ30PapqQ9-zxUUZn_E2I-oWg2bg
But when I entered the decoded token it failed:
EDIT:
Here are the logs after I attached the Pod and tried to sign in:
2018/05/27 15:58:47 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.
2018/05/27 15:58:57 [2018-05-27T15:58:57Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/login request from 10.244.0.0:58976: {}
2018/05/27 15:58:57 [2018-05-27T15:58:57Z] Outcoming response to 10.244.0.0:58976 with 200 status code
2018/05/27 15:58:57 [2018-05-27T15:58:57Z] Incoming HTTP/2.0 POST /api/v1/login request from 10.244.0.0:58976: {
"kubeConfig": "",
"password": "",
"token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im15c2VydmljZS10b2tlbi1wMnJydCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJteXNlcnZpY2UiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIyODcwZjUyNS02MWFmLTExZTgtOTQ5OC0wMDBjMjliM2M0ZTAiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpteXNlcnZpY2UifQ.HvAhL55kCS9qO0NaQuHWsSmNVryGuF_QBretYF-Uqsk91TM9_YLzJKl9d1DhzRzsrXZsamL_R4M8uEcSh8sIp4uzR_Pt7SCHQCrbZ-JxRp8HCPCeqFW2BtY9y6Rwl0nfTLcIv7V9H6EsPlK-sNc1U9apX12cJCHh9zc-R7Ewef_48khhrnli1e0xtLWNqZ12Bi7YjVFdE795HerNb4y_3Q31HqDepDBT_EKMCoCYbO61_c3Kwx4k2LyGvjIdEje14oGByTJKvBdV1TMoJg67oXmOly0WEYPeQi5g6l9tHlE5Kgsedz0WPBz_YQLJ30PapqQ9-zxUUZn_E2I-oWg2bgmaster@osboxes",
"username": ""
}
2018/05/27 15:58:57 Non-critical error occurred during resource retrieval: the server has asked for the client to provide credentials
2018/05/27 15:58:57 [2018-05-27T15:58:57Z] Outcoming response to 10.244.0.0:58976 with 200 status code
回答1:
OK, reading the logs I can see that the token used has an error at the end:
master@osboxes
I guess that you copied the shell username by mistake.
The correct token should be just:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im15c2VydmljZS10b2tlbi1wMnJydCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJteXNlcnZpY2UiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIyODcwZjUyNS02MWFmLTExZTgtOTQ5OC0wMDBjMjliM2M0ZTAiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpteXNlcnZpY2UifQ.HvAhL55kCS9qO0NaQuHWsSmNVryGuF_QBretYF-Uqsk91TM9_YLzJKl9d1DhzRzsrXZsamL_R4M8uEcSh8sIp4uzR_Pt7SCHQCrbZ-JxRp8HCPCeqFW2BtY9y6Rwl0nfTLcIv7V9H6EsPlK-sNc1U9apX12cJCHh9zc-R7Ewef_48khhrnli1e0xtLWNqZ12Bi7YjVFdE795HerNb4y_3Q31HqDepDBT_EKMCoCYbO61_c3Kwx4k2LyGvjIdEje14oGByTJKvBdV1TMoJg67oXmOly0WEYPeQi5g6l9tHlE5Kgsedz0WPBz_YQLJ30PapqQ9-zxUUZn_E2I-oWg2bg
来源:https://stackoverflow.com/questions/50553233/how-to-log-in-to-kubernetes-dashboard-ui-with-service-accounts-token