In the development environment, give developers permission to deploy and manage applications: they should be able to log in with the dashboard token and a kubeconfig file, install the kubectl command on their own machines, and use `kubectl port-forward`.
Because we use both the dashboard and kubeapps, RBAC permissions have to be assigned for each of them.
Create the namespace: dev
Create the ServiceAccount: dev-user1
Grant the required permissions and bind them to the ServiceAccount.
```shell
kubectl apply -f dev-user1.yaml
```

```yaml
---
# ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-user1
  namespace: dev
---
# role
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: role-dev-user1
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "delete", "update", "patch"]
- apiGroups: [""]
  resources: ["pods/portforward", "pods/proxy"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list", "watch", "delete"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps", "extensions"]
  resources: ["replicasets"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["persistentvolumeclaims"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["daemonsets"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["cronjobs"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["replicationcontrollers"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["statefulsets"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["get", "watch", "list"]
---
# role bind
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-bind-dev-user1
  namespace: dev
subjects:
- kind: ServiceAccount
  name: dev-user1
  namespace: dev
roleRef:
  kind: Role
  name: role-dev-user1
  apiGroup: rbac.authorization.k8s.io
#---
## clusterrole
#kind: ClusterRole
#apiVersion: rbac.authorization.k8s.io/v1
#metadata:
#  namespace: dev
#  name: clusterrole-dev-user1
#rules:
#- apiGroups: [""]
#  resources: ["namespaces"]
#  verbs: ["get", "watch", "list"]
#
#---
## clusterrole bind
#kind: ClusterRoleBinding
#apiVersion: rbac.authorization.k8s.io/v1
#metadata:
#  name: clusterrole-bind-dev-user1
#  namespace: dev
#subjects:
#- kind: ServiceAccount
#  name: dev-user1
#  namespace: dev
#roleRef:
#  kind: ClusterRole
#  name: clusterrole-dev-user1
#  apiGroup: rbac.authorization.k8s.io
```
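A Role like the one above is worth a static review before it is applied, because the RBAC validation in the API server does not check verb names against a list: a misspelled verb (the original manifest had `pathch` on replicasets, configmaps and services) is accepted and simply never matches a request, so the developer silently lacks the permission you thought you granted. The script below is an added example, not code from the original post; it audits a Role given as a parsed manifest (embedded here as a Python dict constructed to mirror a cut-down `role-dev-user1`, typo included; in practice you would load the YAML with `yaml.safe_load`). It flags unknown verbs, wildcard grants, and resources whose grant lets the holder read other workloads' credentials or widen its own access, and it computes the verbs a Role actually grants on a resource. The `SENSITIVE` table and the finding categories are this example's own choices.

```python
"""Static audit of a Kubernetes Role manifest (added example, not from the post)."""

# Verbs the API server can actually match on resource requests.
KNOWN_VERBS = {"get", "list", "watch", "create", "update", "patch",
               "delete", "deletecollection", "*"}

# Resources that deserve an explicit justification in review (example's own list).
SENSITIVE = {
    "secrets": "read grants every Secret in the namespace, including other ServiceAccount tokens",
    "pods/exec": "interactive shell inside any pod of the namespace",
    "pods/attach": "attach to the main process of any pod of the namespace",
    "serviceaccounts/token": "mint tokens for any ServiceAccount in the namespace",
    "rolebindings": "holder can bind itself to additional roles",
    "roles": "holder can widen its own role",
}

# Constructed: a cut-down copy of role-dev-user1 with the original "pathch" typo kept.
SAMPLE_ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "dev", "name": "role-dev-user1"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["get", "list", "watch", "delete", "update", "patch"]},
        {"apiGroups": ["apps", "extensions"], "resources": ["replicasets"],
         "verbs": ["get", "watch", "list", "create", "update", "pathch", "delete"]},
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["get", "watch", "list"]},
    ],
}


def audit_role(role):
    """Return a list of (rule_index, category, message) findings for a Role/ClusterRole dict."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        # Unknown verbs are accepted by the API server but never match a request.
        for verb in verbs:
            if verb not in KNOWN_VERBS:
                findings.append((i, "unknown-verb",
                                 f"{verb!r} is not an API verb; the intended permission is silently missing"))
        if "*" in verbs or "*" in resources or "*" in groups:
            findings.append((i, "wildcard", "wildcard grant; spell out verbs, resources and groups"))
        for resource in resources:
            if resource in SENSITIVE:
                findings.append((i, "sensitive", f"{resource}: {SENSITIVE[resource]}"))
    return findings


def effective_verbs(role, group, resource):
    """Verbs the role really grants on group/resource (unknown verbs are dropped)."""
    granted = set()
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        if (group in groups or "*" in groups) and (resource in resources or "*" in resources):
            granted |= set(rule.get("verbs", [])) & KNOWN_VERBS
    return granted


if __name__ == "__main__":
    for idx, category, message in audit_role(SAMPLE_ROLE):
        print(f"rule[{idx}] {category}: {message}")
    print("replicasets:", sorted(effective_verbs(SAMPLE_ROLE, "apps", "replicasets")))
```

Run against the full manifest, the audit reports the `secrets` rule as sensitive: read access in `dev` includes the token Secrets of every ServiceAccount in that namespace, which is acceptable for a development namespace only if nothing in it should be hidden from the developers who get this role.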
```shell
kubectl apply -f https://raw.githubusercontent.com/kubeapps/kubeapps/master/docs/user/manifests/kubeapps-applications-read.yaml
kubectl create -n dev rolebinding dev-user1-view \
  --clusterrole=kubeapps-applications-read \
  --serviceaccount dev:dev-user1
```

```shell
export KUBEAPPS_NAMESPACE=kubeapps
kubectl apply -n $KUBEAPPS_NAMESPACE -f https://raw.githubusercontent.com/kubeapps/kubeapps/master/docs/user/manifests/kubeapps-repositories-read.yaml
kubectl create -n dev rolebinding dev-user1-edit \
  --clusterrole=edit \
  --serviceaccount dev:dev-user1
kubectl create -n $KUBEAPPS_NAMESPACE rolebinding dev1-user1-kubeapps-repositories-read \
  --role=kubeapps-repositories-read \
  --serviceaccount dev:dev-user1
```
Getting the token:

```shell
kubectl get -n dev secret $(kubectl get -n dev serviceaccount dev-user1 -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}' | base64 --decode
```
Accessing kube-apiserver with the token

```shell
# Create the kubectl config file
# Set the cluster parameters
kubectl config set-cluster kubernetes \
  --insecure-skip-tls-verify=true \
  --server="https://192.168.105.99:8443"
# Set the client credentials
kubectl config set-credentials dev-user1 \
  --token='<the token obtained above>'
# Set the context parameters
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=dev-user1 \
  --namespace=dev
# Set the default context
kubectl config use-context kubernetes
```
Note
When writing the kubeconfig, specify a path with `--kubeconfig=configpath` so that an existing configuration is not overwritten.
You can also create the `config` file directly and edit its contents.
```yaml
apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://192.168.105.99:8443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: dev
    user: dev-user1
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: dev-user1
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZXYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiZGV2LXVzZXIxLXRva2VuLTJsbDlnIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZX291bnQubmFtZSI6ImRldi11c2VyMSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjdiY2Q4N2E1LWM0NGEtMTFlOC1iY2I5LTAwMGMyOWVhM2UzMCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZXY6ZGV2LXVzZXIxIn0.1M84CPHY-GoyeaRFyBcD49GTwG5o0HMhN8lVsH9GDiqdui-1ppyi3JMONRJ9aWdswEF7-wsb5d4MQEk-9z5yiVh2r8SMP0EhcUR5ierntzD1bwwwuYzDxE4vHAuPB1tTxM0fOL3H-BOjt68iBKmOtRJumx8LzSUleQiNBBqR1B_yRLqrO6yslw44WC432O5g1v
```
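Two things about the config file above deserve a check before it is handed to a developer. The token is a JWT whose payload states which ServiceAccount it belongs to, so you can confirm you are issuing the `dev:dev-user1` identity and not some other account's token; and `insecure-skip-tls-verify: true` makes kubectl accept any certificate for 192.168.105.99:8443, which means the bearer token is sent to whoever answers on that address. The ServiceAccount token Secret that the `kubectl get secret` command above reads also carries the cluster CA under `data.ca.crt`, so the config can pin it instead (on the command line, `kubectl config set-cluster` takes `--certificate-authority=` for the same purpose). The script below is an added example, not code from the original post: it decodes a token's claims without verifying the signature (only the API server can verify it), checks the claimed identity, and builds a kubeconfig with `certificate-authority-data` in place of `insecure-skip-tls-verify`. The sample token and CA bytes are constructed for the demo; the signature on the sample is a placeholder and would be rejected by any real API server.

```python
"""Inspect a ServiceAccount token and build a CA-pinned kubeconfig (added example)."""
import base64
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop the padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token() -> str:
    """Constructed stand-in for the dev-user1 token: same claim layout, placeholder signature."""
    header = {"alg": "RS256", "kid": ""}
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "dev",
        "kubernetes.io/serviceaccount/secret.name": "dev-user1-token-xxxxx",
        "kubernetes.io/serviceaccount/service-account.name": "dev-user1",
        "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000000",
        "sub": "system:serviceaccount:dev:dev-user1",
    }
    segments = [_b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    segments.append(_b64url_encode(b"\x00" * 32))  # not a real RS256 signature
    return ".".join(segments)


def read_token_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature: this tells you what the
    token claims to be, which is enough to catch handing out the wrong account's token,
    but only the API server (holder of the signing key) can tell whether it is genuine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_matches(token: str, namespace: str, sa_name: str) -> bool:
    """True when the token claims exactly the ServiceAccount we meant to issue."""
    claims = read_token_claims(token)
    return (claims.get("sub") == f"system:serviceaccount:{namespace}:{sa_name}"
            and claims.get("kubernetes.io/serviceaccount/namespace") == namespace)


def build_kubeconfig(server: str, ca_pem: bytes, token: str, namespace: str,
                     user: str = "dev-user1", name: str = "kubernetes") -> dict:
    """Same layout as the config file above, but pins the cluster CA so the token
    is only ever presented to a server holding a certificate signed by that CA."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": name, "cluster": {
            "server": server,
            "certificate-authority-data": base64.b64encode(ca_pem).decode()}}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": name, "context": {
            "cluster": name, "user": user, "namespace": namespace}}],
        "current-context": name,
        "preferences": {},
    }


def kubeconfig_pins_ca(cfg: dict) -> bool:
    """True when every cluster entry verifies the API server certificate."""
    for entry in cfg.get("clusters", []):
        cluster = entry.get("cluster", {})
        if cluster.get("insecure-skip-tls-verify"):
            return False
        if not (cluster.get("certificate-authority") or cluster.get("certificate-authority-data")):
            return False
    return True


if __name__ == "__main__":
    sample = make_sample_token()
    print("token identity:", read_token_claims(sample)["sub"])
    fake_ca = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    cfg = build_kubeconfig("https://192.168.105.99:8443", fake_ca, sample, "dev")
    # JSON is valid YAML, so this output can be written straight to ~/.kube/config.
    print(json.dumps(cfg, indent=2))
```

Because JSON is a subset of YAML, the dict printed at the end can be saved as the `config` file directly; feed it the real `ca.crt` bytes from the Secret and the real token, and kubectl will refuse to talk to any endpoint whose certificate does not chain to the cluster CA.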
kubectl on Windows
Installing the command
Download it from:
https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/windows/amd64/kubectl.exe
Then place it in a directory on the system PATH, for example c:\Windows.
The command can be run from cmd, PowerShell or any other command-prompt tool. Git Bash is recommended: if Git is installed, this tool is already installed with it.
The kubeconfig file
The kubeconfig file is the config file generated above.
Name it `config` and put it under ~/.kube/ (~ is the user's home directory). kubectl reads this file by default; otherwise every kubectl command has to be given the `--kubeconfig=configpath` argument.
```shell
kubectl get pod -n dev
kubectl port-forward svc/dev-mysql-mysqlha 3306:3306 -n dev
```