我一直在努力解决 Kubernetes 仪表板设置中的身份验证问题。虽然 OAuth2 代理成功通过 Azure AD 进行身份验证并设置了正确的 cookie (_oauth2_proxy),但仪表板始终拒绝授权。
/k8s-dashboard
# Namespace that holds the dashboard, its ServiceAccount/token Secret and oauth2-proxy.
apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard
---
# ServiceAccount whose token is what the dashboard login screen expects.
# What it may do is defined by the ClusterRoleBinding further down.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-admin
  namespace: kubernetes-dashboard
  labels:
    app: kubernetes-dashboard
# No Pod on this page runs as this account, so nothing needs the token mounted;
# `false` would be the tighter setting here.
automountServiceAccountToken: true
---
# Long-lived token for dashboard-admin. A kubernetes.io/service-account-token
# Secret is populated by the controller and stays valid until the Secret is
# deleted; `kubectl create token` (used later on this page) issues short-lived
# tokens instead and does not need this object.
apiVersion: v1
kind: Secret
metadata:
  name: dashboard-admin-token
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/service-account.name: dashboard-admin
  labels:
    app: kubernetes-dashboard
type: kubernetes.io/service-account-token
---
# Binds the dashboard ServiceAccount to cluster-admin: anyone who can present
# its token has full control of the cluster. A narrower ClusterRole (or a
# namespaced RoleBinding) is preferable once the login itself works.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-admin
  labels:
    app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: dashboard-admin
    namespace: kubernetes-dashboard
---
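# kubernetes-dashboard installed through the k3s HelmChart controller.
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  repo: https://kubernetes.github.io/dashboard/
  chart: kubernetes-dashboard
  version: 7.10.0
  targetNamespace: kubernetes-dashboard
  # Parsed by Helm as the chart's values.yaml.
  valuesContent: |-
    app:
      labels:
        app: kubernetes-dashboard
      ingress:
        enabled: true
        ingressClassName: nginx
        path: /k8s-dashboard
        hosts:
          - my-cluster.region.cloudapp.azure.com
        annotations:
          nginx.ingress.kubernetes.io/proxy-buffer-size: 64k
          nginx.ingress.kubernetes.io/backend-protocol: HTTPS
          # Annotation values must be strings. Unquoted they are rendered as YAML
          # booleans and the Ingress is rejected as a non-string annotation.
          nginx.ingress.kubernetes.io/ssl-passthrough: "true"
          nginx.ingress.kubernetes.io/ssl-redirect: "true"
          # NOTE(review): when the controller runs with ssl-passthrough enabled,
          # TLS is forwarded at L4 and HTTP-level annotations such as auth-url /
          # auth-signin are not applied, i.e. the oauth2 check would not gate
          # access. Confirm which path is actually in use before relying on it.
          nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
          nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
          # The Authorization header forwarded here carries the Azure AD token;
          # the dashboard passes it on to the API server, which only accepts it
          # if the cluster trusts Azure AD as its OIDC issuer — TODO confirm.
          nginx.ingress.kubernetes.io/auth-response-headers: Authorization,X-Auth-Request-User,X-Auth-Request-Email
        issuer:
          name: letsencrypt-prod
          scope: cluster
        tls:
          enabled: true
          secretName: tls-dashboard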
---
# oauth2-proxy (Azure AD) installed through the k3s HelmChart controller. It only
# serves the nginx auth-url/auth-signin sub-requests; there is no real upstream.
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: oauth2-proxy
  namespace: kubernetes-dashboard
spec:
  repo: https://oauth2-proxy.github.io/manifests
  chart: oauth2-proxy
  version: 7.7.28
  targetNamespace: kubernetes-dashboard
  valuesContent: |-
    ingress:
      enabled: true
      className: nginx
      path: /oauth2
      hosts:
        - my-cluster.region.cloudapp.azure.com
      tls:
        - secretName: tls-oauth-dashboard
          hosts:
            - my-cluster.region.cloudapp.azure.com
      annotations:
        nginx.ingress.kubernetes.io/proxy-buffer-size: 64k
    config:
      # Placeholders. Real values written here stay in plaintext in this
      # HelmChart object; the chart's config.existingSecret avoids that.
      clientID: "your-client-id"
      clientSecret: "your-client-secret"
      cookieSecret: "your-cookie-secret"
      # TOML configuration for oauth2-proxy (block scalar nested in valuesContent).
      configFile: |
        provider = "azure"
        # "*" accepts every account the tenant can authenticate; narrow this to
        # the organisation's domain(s) if that is not intended.
        email_domains = ["*"]
        azure_tenant = "your-tenant-id"
        oidc_issuer_url = "https://login.microsoftonline.com/your-tenant-id/v2.0"
        validate_url = "https://graph.microsoft.com/v1.0/me"
        # Upstream configuration: nothing is proxied, nginx only calls /oauth2/auth.
        upstreams = ["file:///dev/null"]
        # Cookie settings
        cookie_secure = true
        cookie_domains = ["my-cluster.region.cloudapp.azure.com"]
        # Azure AD specific settings
        scope = "openid email profile"
        # Request handling: hand the IdP token and identity headers back to nginx.
        skip_provider_button = true
        set_authorization_header = true
        set_xauthrequest = true
        # SSL/TLS settings
        # NOTE(review): both flags turn off certificate verification (towards the
        # IdP/validate_url and towards upstreams). The upstream is /dev/null and
        # the IdP is login.microsoftonline.com, so neither needs it; drop them.
        ssl_insecure_skip_verify = true
        ssl_upstream_insecure_skip_verify = true
        # Auth endpoints
        whitelist_domains = ["my-cluster.region.cloudapp.azure.com"]
        redirect_url = "https://my-cluster.region.cloudapp.azure.com/oauth2/callback"
        skip_auth_routes = ["/oauth2/callback$"]
当带有 `_oauth2_proxy` cookie 的请求到达 `/me` 端点时,会收到 401 未经授权的错误:
{
"ErrStatus": {
"metadata": {},
"status": "Failure",
"message": "MSG_LOGIN_UNAUTHORIZED_ERROR",
"reason": "Unauthorized",
"code": 401
}
}
kubectl -n kubernetes-dashboard create token dashboard-admin
用该命令生成新令牌并输入后,仪表板仍然返回 401。有谁知道为什么会发生这种情况?
任何帮助或指导将不胜感激!
为了让它正常工作,我必须确保在应用注册中把 `upn` 声明添加到我的令牌里。下面是我在 Azure 上可用的 Helm values.yaml 配置:
Kubernetes 仪表板
# kubernetes-dashboard chart values (the answer's working configuration).
app:
  ingress:
    enabled: true
    ingressClassName: nginx
    path: /k8s-dashboard
    hosts:
      - kubernetes-dashboard-test.cookes.io
    annotations:
      nginx.ingress.kubernetes.io/proxy-buffer-size: 64k
      nginx.ingress.kubernetes.io/backend-protocol: HTTPS
      # Quoted on purpose: annotation values have to be strings.
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      # NOTE(review): if the controller honours ssl-passthrough, the HTTP-level
      # auth-url/auth-signin annotations are not applied; confirm the oauth2
      # check is really enforced on this path.
      nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
      nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
      nginx.ingress.kubernetes.io/auth-response-headers: Authorization,X-Auth-Request-User,X-Auth-Request-Email
  settings:
    global:
      clusterName: kube-test
      itemsPerPage: 50
      labelsLimit: 10
# One replica per dashboard component.
auth:
  scaling:
    replicas: 1
api:
  scaling:
    replicas: 1
web:
  scaling:
    replicas: 1
metricsScraper:
  scaling:
    replicas: 1
# Subchart key (kebab-case is the subchart's name, not a typo).
metrics-server:
  enabled: true
oauth2-proxy
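# oauth2-proxy chart values (the answer's working configuration).
config:
  clientID: <azure client id>
  # Closing bracket restored on the placeholder.
  clientSecret: <azure client secret>
  cookieSecret: <some random data>
  # Differs from the default `_oauth2_proxy` cookie name seen in the question.
  cookieName: oauth2-proxy
  # TOML configuration for oauth2-proxy.
  configFile: |-
    provider = "azure"
    # "*" accepts every account in the tenant.
    email_domains = [ "*" ]
    # Quoted so the placeholder is valid TOML; must match the tenant in the
    # --oidc-issuer-url argument below.
    azure_tenant = "<azure tenant id>"
    upstreams = [ "file:///dev/null" ]
    cookie_secure = true
    cookie_domains = ["kubernetes-dashboard-test.cookes.io"]
    scope = "openid email profile"
    #skip_provider_button = true
    set_authorization_header = true
    set_xauthrequest = true
    # Not needed: the only upstream is /dev/null.
    ssl_upstream_insecure_skip_verify = true
    # Was [ "*." ]: that wildcard is not anchored to any domain and likely lets
    # the rd= parameter send users to unrelated hosts after login. Listing the
    # host actually served keeps the same-host redirect working.
    whitelist_domains = ["kubernetes-dashboard-test.cookes.io"]
    skip_auth_routes = ["/oauth2/callback$"]
    pass_access_token = true
    pass_authorization_header = true
ingress:
  enabled: true
  className: nginx
  hosts:
    - kubernetes-dashboard-test.cookes.io
extraArgs:
  - --provider-display-name=Azure
  - --oidc-issuer-url=https://login.microsoftonline.com/426bbc16-09cf-4a19-80c2-d5b19c6c4b72/v2.0
  # NOTE(review): disables certificate verification towards the IdP; Azure AD
  # presents a publicly trusted certificate, so this should not be required.
  - --ssl-insecure-skip-verify=true
  # Duplicates pass_access_token in configFile above.
  - --pass-access-token=true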