diff --git a/02-path-working-with-clusters/201-cluster-monitoring/readme.adoc b/02-path-working-with-clusters/201-cluster-monitoring/readme.adoc index 16a8d22f..c9218f16 100644 --- a/02-path-working-with-clusters/201-cluster-monitoring/readme.adoc +++ b/02-path-working-with-clusters/201-cluster-monitoring/readme.adoc @@ -20,7 +20,10 @@ Heapster is limited to Kuberenetes container metrics, it is not general use. Hea In order to perform exercises in this chapter, you’ll need to deploy configurations to a Kubernetes cluster. To create an EKS-based Kubernetes cluster, use the link:../../01-path-basics/102-your-first-cluster#create-a-kubernetes-cluster-with-eks[AWS CLI] (recommended). If you wish to create a Kubernetes cluster without EKS, you can instead use link:../../01-path-basics/102-your-first-cluster#alternative-create-a-kubernetes-cluster-with-kops[kops]. -All configuration files for this chapter are in the link:templates[201-cluster-monitoring/templates] directory. +All configuration files for this chapter are in the link:templates[201-cluster-monitoring/templates] directory.Please be sure to cd into that directory before running the commands below. + + $ cd ~/environment/aws-workshop-for-kubernetes/02-path-working-with-clusters/201-cluster-monitoring/templates + == Kubernetes Dashboard 
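Review bot: in the added line of this readme hunk the two sentences run together as `directory.Please`; put a space after the period. The new `cd ~/environment/aws-workshop-for-kubernetes/...` line also hard-codes the Cloud9 checkout location, which the surrounding text does not state as a requirement for this chapter; either say that the path assumes the Cloud9 environment set up earlier in the workshop, or give the path relative to the repository root so readers on a kops or local setup are not misled.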
@@ -57,66 +60,54 @@ Where `ENVIRONMENT_ID` is your Cloud9 IDE environment id (you should see it once Starting with Kubernetes 1.7, Dashboard supports authentication. Read more about it at https://github.com/kubernetes/dashboard/wiki/Access-control#introduction. We'll use a bearer token for authentication. -Check existing secrets in the `kube-system` namespace: - - kubectl -n kube-system get secret - -It shows the output as: - - NAME TYPE DATA AGE - attachdetach-controller-token-dhkcr kubernetes.io/service-account-token 3 3h - certificate-controller-token-p131b kubernetes.io/service-account-token 3 3h - daemon-set-controller-token-r4mmp kubernetes.io/service-account-token 3 3h - default-token-7vh0x kubernetes.io/service-account-token 3 3h - deployment-controller-token-jlzkj kubernetes.io/service-account-token 3 3h - disruption-controller-token-qrx2v kubernetes.io/service-account-token 3 3h - dns-controller-token-v49b6 kubernetes.io/service-account-token 3 3h - endpoint-controller-token-hgkbm kubernetes.io/service-account-token 3 3h - generic-garbage-collector-token-34fvc kubernetes.io/service-account-token 3 3h - horizontal-pod-autoscaler-token-lhbkf kubernetes.io/service-account-token 3 3h - job-controller-token-c2s8j kubernetes.io/service-account-token 3 3h - kube-dns-autoscaler-token-s3svx kubernetes.io/service-account-token 3 3h - kube-dns-token-92xzb kubernetes.io/service-account-token 3 3h - kube-proxy-token-0ww14 kubernetes.io/service-account-token 3 3h - kubernetes-dashboard-certs Opaque 2 9m - kubernetes-dashboard-key-holder Opaque 2 9m - kubernetes-dashboard-token-vt0fd kubernetes.io/service-account-token 3 10m - namespace-controller-token-423gh kubernetes.io/service-account-token 3 3h - node-controller-token-r6lsr kubernetes.io/service-account-token 3 3h - persistent-volume-binder-token-xv30g kubernetes.io/service-account-token 3 3h - pod-garbage-collector-token-fwmv4 kubernetes.io/service-account-token 3 3h - replicaset-controller-token-0cg8r 
kubernetes.io/service-account-token 3 3h - replication-controller-token-3fwxd kubernetes.io/service-account-token 3 3h - resourcequota-controller-token-6rl9f kubernetes.io/service-account-token 3 3h - route-controller-token-9brzb kubernetes.io/service-account-token 3 3h - service-account-controller-token-bqlsk kubernetes.io/service-account-token 3 3h - service-controller-token-1qlg6 kubernetes.io/service-account-token 3 3h - statefulset-controller-token-kmgzg kubernetes.io/service-account-token 3 3h - ttl-controller-token-vbnhf kubernetes.io/service-account-token 3 3h - -We can login using the secret with type 'kubernetes.io/namespace-controller-token'. In our case, we'll use the token from secret `namespace-controller-token-423gh` to login. Use the following command to get the token for this secret: - - kubectl -n kube-system describe secret namespace-controller-token-423gh - -Note you'll need to replace `namespace-controller-token-423gh` with the namespace-controller-token from your output list. 
- -It shows the output: - -``` -Name: namespace-controller-token-423gh -Namespace: kube-system -Labels: -Annotations: kubernetes.io/service-account.name=default - kubernetes.io/service-account.uid=3a3fea86-b3a1-11e7-9d90-06b1e747c654 - -Type: kubernetes.io/service-account-token - -Data -==== -ca.crt: 1046 bytes -namespace: 11 bytes -token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZWZhdWx0LXRva2VuLTd2aDB4Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImRlZmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIzYTNmZWE4Ni1iM2ExLTExZTctOWQ5MC0wNmIxZTc0N2M2NTQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06ZGVmYXVsdCJ9.GHW-7rJcxmvujkClrN6heOi_RYlRivzwb4ScZZgGyaCR9tu2V0Z8PE5UR6E_3Vi9iBCjuO6L6MLP641bKoHB635T0BZymJpSeMPQ7t1F02BsnXAbyDFfal9NUSV7HoPAhlgURZWQrnWojNlVIFLqhAPO-5T493SYT56OwNPBhApWwSBBGdeF8EvAHGtDFBW1EMRWRt25dSffeyaBBes5PoJ4SPq4BprSCLXPdt-StPIB-FyMx1M-zarfqkKf7EJKetL478uWRGyGNNhSfRC-1p6qrRpbgCdf3geCLzDtbDT2SBmLv1KRjwMbW3EF4jlmkM4ZWyacKIUljEnG0oltjA -``` +By default, the Kubernetes dashboard user has limited permissions. Let's create an eks-admin service account and cluster role binding using the following configuration files. You can use the eks-admin service account to securely connect to the dashboard with admin-level permissions. 
+ + $ cat eks-admin-service-account.yaml + apiVersion: v1 + kind: ServiceAccount + metadata: + name: eks-admin + namespace: kube-system + + $ cat eks-admin-cluster-role-binding.yaml + apiVersion: rbac.authorization.k8s.io/v1beta1 + kind: ClusterRoleBinding + metadata: + name: eks-admin + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin + subjects: + - kind: ServiceAccount + name: eks-admin + namespace: kube-system + +Run the following commands to apply the service account and cluster role binding to your cluster: + + $ kubectl apply -f eks-admin-service-account.yaml + serviceaccount "eks-admin" created + + $ kubectl apply -f eks-admin-cluster-role-binding.yaml + clusterrolebinding.rbac.authorization.k8s.io "eks-admin" created + +Retrieve an authentication token for the eks-admin service account using the following command: + + $ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep eks-admin | awk '{print $1}') + +Output: + + Name: eks-admin-token-9kxfc + Namespace: kube-system + Labels: + Annotations: kubernetes.io/service-account.name=eks-admin + kubernetes.io/service-account.uid=198c691f-a997-11e8-8074-0ab2efd9c23a + Type: kubernetes.io/service-account-token + Data + ==== + token: 
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJla3MtYWRtaW4tdG9rZW4tOWt4ZmMiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZWtzLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMTk4YzY5MWYtYTk5Ny0xMWU4LTgwNzQtMGFiMmVmZDljMjNhIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmVrcy1hZG1pbiJ9.mKcJ0RFAG8GvZA71ZskAv_xs9pW5Cq64A1S1pVx7-GFZb_Dbhee_nYjLagY3MrbTjsEcTNV1xe_RUevmcQDikS6UMEXoIN-bOHu5Moj5rgNW2yhfHuXZOtRmRfESTBzqCQQi3MPC_LP6jTagPnbBDW15W_3AbTwZRa3Fhs4YCUoxUbcrTYUd6kfB47JbLDwXl-8ai1hxgTreDeFKkQKu7E5WAMv4GeL1TYVgiVrUC2872NzQ-RSLee1WP-x_r50zJA5b9qXQvlkf0zrDRh6xO_Z3YXOH5KfWQUYCUpJqySedZE4w9F6rkBUCf2QivqhvXTQF9btsHIyeqSJ3SR3qHA + ca.crt: 1025 bytes + namespace: 11 bytes Copy the value of token from this output, select `Token` in the Dashboard login window, and paste the text. Click on `SIGN IN` to see the default Dashboard view: diff --git a/02-path-working-with-clusters/201-cluster-monitoring/templates/eks-admin-cluster-role-binding.yaml b/02-path-working-with-clusters/201-cluster-monitoring/templates/eks-admin-cluster-role-binding.yaml new file mode 100644 index 00000000..03e5bde7 --- /dev/null +++ b/02-path-working-with-clusters/201-cluster-monitoring/templates/eks-admin-cluster-role-binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: eks-admin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: eks-admin + namespace: kube-system diff --git a/02-path-working-with-clusters/201-cluster-monitoring/templates/eks-admin-service-account.yaml b/02-path-working-with-clusters/201-cluster-monitoring/templates/eks-admin-service-account.yaml new file mode 100644 index 00000000..abec8a1e --- /dev/null 
+++ b/02-path-working-with-clusters/201-cluster-monitoring/templates/eks-admin-service-account.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: eks-admin + namespace: kube-system
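Review bot: in the second readme hunk, binding the new `eks-admin` service account to the built-in `cluster-admin` ClusterRole and then telling the reader to paste that account's token into the Dashboard creates a full-privilege, non-expiring bearer credential; the text calls this "securely connect", but the security property here is only that the token is no longer borrowed from a controller's account. Say plainly that this is a workshop-only convenience, tell readers to remove it afterwards (`kubectl delete -f eks-admin-cluster-role-binding.yaml -f eks-admin-service-account.yaml`), or bind a narrower role such as the built-in `view` ClusterRole for a read-only Dashboard session. Two smaller points in the same hunk: `kubectl -n kube-system get secret | grep eks-admin | awk '{print $1}'` matches any secret whose name contains `eks-admin` and will pass several names to `describe` if more than one exists, so consider `kubectl -n kube-system get sa eks-admin -o jsonpath='{.secrets[0].name}'` instead; and the sample output embeds a complete signed service-account JWT, which should be truncated in the docs even if the cluster it came from is gone.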
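Review bot: the new `eks-admin-cluster-role-binding.yaml` uses `apiVersion: rbac.authorization.k8s.io/v1beta1`; the RBAC API has been stable as `rbac.authorization.k8s.io/v1` since Kubernetes 1.8 and the beta version has since been removed, so `apiVersion: rbac.authorization.k8s.io/v1` is the right choice for a file that will be applied to current EKS clusters. Since the file grants `cluster-admin` cluster-wide, a one-line comment at the top noting that it is for the Dashboard exercise only would help anyone who later copies it out of `templates/`.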