Series table of contents
In the previous section we covered how to restrict a user's access to the dashboard. This section walks through a case study: how to create a user with read-only permissions.
Although users with all kinds of permissions can be created flexibly according to actual needs, a real production environment usually only needs two: the user created earlier, which has full permissions on the cluster, and an ordinary user with read-only permissions. Giving read-only permissions to developers lets them see clearly how their own projects are running.
Before starting this section, think about how you would implement this with the knowledge from the earlier chapters. You probably have some ideas, but actually getting it to work is not trivial and may take several rounds of changes and testing. In fact, Kubernetes ships with a default ClusterRole called view, which is exactly a role with read-only permissions. Let's take a look at it:
```
[centos@k8s-master ~]$ kubectl describe clusterrole view
Name:         view
Labels:       kubernetes.io/bootstrapping=rbac-defaults
              rbac.authorization.k8s.io/aggregate-to-edit=true
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources                                  Non-Resource URLs  Resource Names  Verbs
  ---------                                  -----------------  --------------  -----
  bindings                                   []                 []              [get list watch]
  configmaps                                 []                 []              [get list watch]
  endpoints                                  []                 []              [get list watch]
  events                                     []                 []              [get list watch]
  limitranges                                []                 []              [get list watch]
  namespaces/status                          []                 []              [get list watch]
  namespaces                                 []                 []              [get list watch]
  persistentvolumeclaims                     []                 []              [get list watch]
  pods/log                                   []                 []              [get list watch]
  pods/status                                []                 []              [get list watch]
  pods                                       []                 []              [get list watch]
  replicationcontrollers/scale               []                 []              [get list watch]
  replicationcontrollers/status              []                 []              [get list watch]
  replicationcontrollers                     []                 []              [get list watch]
  resourcequotas/status                      []                 []              [get list watch]
  resourcequotas                             []                 []              [get list watch]
  serviceaccounts                            []                 []              [get list watch]
  services                                   []                 []              [get list watch]
  controllerrevisions.apps                   []                 []              [get list watch]
  daemonsets.apps                            []                 []              [get list watch]
  deployments.apps/scale                     []                 []              [get list watch]
  deployments.apps                           []                 []              [get list watch]
  replicasets.apps/scale                     []                 []              [get list watch]
  replicasets.apps                           []                 []              [get list watch]
  statefulsets.apps/scale                    []                 []              [get list watch]
  statefulsets.apps                          []                 []              [get list watch]
  horizontalpodautoscalers.autoscaling       []                 []              [get list watch]
  cronjobs.batch                             []                 []              [get list watch]
  jobs.batch                                 []                 []              [get list watch]
  daemonsets.extensions                      []                 []              [get list watch]
  deployments.extensions/scale               []                 []              [get list watch]
  deployments.extensions                     []                 []              [get list watch]
  ingresses.extensions                       []                 []              [get list watch]
  networkpolicies.extensions                 []                 []              [get list watch]
  replicasets.extensions/scale               []                 []              [get list watch]
  replicasets.extensions                     []                 []              [get list watch]
  replicationcontrollers.extensions/scale    []                 []              [get list watch]
  networkpolicies.networking.k8s.io          []                 []              [get list watch]
  poddisruptionbudgets.policy                []                 []              [get list watch]
[centos@k8s-master ~]$
```
As you can see, its access to every resource it covers is get, list and watch, that is, none of the verbs allow a write operation. So, just as we initially bound a user to cluster-admin, we can create a new user and bind it to the default view role:
```
kubectl create sa dashboard-readonly -n kube-system
kubectl create clusterrolebinding dashboard-readonly --clusterrole=view --serviceaccount=kube-system:dashboard-readonly
```
With the commands above we created a user called dashboard-readonly and bound it to the view role. We can inspect the secret of the dashboard-readonly user with `kubectl describe secret -n=kube-system dashboard-readonly-token-<random-suffix>` (run `kubectl get secret -n=kube-system` to list all secrets and find the right one). The secret contains the token; copy the token into the dashboard login page to log in.
Open any deployment and you will see that scale, edit and delete still appear in the top left corner. There is no need to worry: if you try edit or scale, the operation simply fails, although no message is shown; if you click delete, an error message appears, as in the figure below, saying that the dashboard-readonly user does not have permission to delete.
Above we created a user with read-only permissions by binding it to the view role, but in practice you will find that this user is not a fully read-only user: it lacks some cluster-level permissions, for example on Nodes and persistent volumes. If, for instance, you click the Nodes tab on the left, the following message appears:
Next we manually create a user that also has read-only permissions on cluster-level resources.
First, create a ServiceAccount named dashboard-real-readonly:
```
kubectl create sa dashboard-real-readonly -n kube-system
```
Then create a ClusterRole called dashboard-viewonly:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-viewonly
rules:
  # Core API group: the same namespaced resources as "view", plus the cluster-scoped
  # nodes and persistentvolumes that "view" does not cover.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - pods
      - replicationcontrollers
      - replicationcontrollers/scale
      - serviceaccounts
      - services
      - nodes
      - persistentvolumes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - bindings
      - events
      - limitranges
      - namespaces/status
      - pods/log
      - pods/status
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - deployments
      - deployments/scale
      - ingresses
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  # Cluster-scoped storage and RBAC objects so that the dashboard can show them read-only.
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
      - volumeattachments
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterrolebindings
      - clusterroles
      - roles
      - rolebindings
    verbs:
      - get
      - list
      - watch
```
Then bind it to the dashboard-real-readonly ServiceAccount:
```yaml
# rbac.authorization.k8s.io/v1 replaces the deprecated v1beta1 API used in the original.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # If a ClusterRoleBinding with this name already exists (for example one created by the
  # dashboard's own manifests), applying this file overwrites it; pick a distinct name in that case.
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dashboard-viewonly
subjects:
  - kind: ServiceAccount
    name: dashboard-real-readonly
    namespace: kube-system
```
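To check offline that a role like the one above really is read-only, and to see why the built-in view role cannot show the Nodes page while dashboard-viewonly can, here is a small evaluator of RBAC rules. It is an added example, not code from the original post; the rule lists are constructed by hand from the manifests on this page (abridged) rather than read from a cluster.

```python
# Added example (not from the original post): an offline evaluator for the rules of a
# ClusterRole, used to check that a role really is read-only and to see why the
# built-in "view" role cannot show the dashboard's Nodes page. Rule lists are
# constructed by hand from the manifests on the page (abridged), not read from a cluster.
READ_VERBS = {"get", "list", "watch"}

def rule_matches(rule, group, resource, verb):
    """RBAC semantics: apiGroups, resources and verbs must all match; "*" is a wildcard,
    and a subresource (pods/log) only matches if listed explicitly or via "*/log"."""
    groups, resources, verbs = rule.get("apiGroups", []), rule.get("resources", []), rule.get("verbs", [])
    if "*" not in groups and group not in groups:
        return False
    if "*" not in verbs and verb not in verbs:
        return False
    if "*" in resources or resource in resources:
        return True
    return "/" in resource and "*/" + resource.split("/", 1)[1] in resources

def allowed(rules, group, resource, verb):
    """True if any rule in the role grants the verb on the resource (rules are additive)."""
    return any(rule_matches(r, group, resource, verb) for r in rules)

def write_grants(rules):
    """Every (apiGroup, resource, verb) a role grants beyond get/list/watch; empty for a read-only role."""
    return [(g, res, v) for r in rules for v in r.get("verbs", []) if v not in READ_VERBS
            for g in r.get("apiGroups", []) for res in r.get("resources", [])]

# Abridged from the page: "view" has no rule for cluster-scoped resources such as nodes.
VIEW_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "services", "configmaps"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "deployments/scale"],
     "verbs": ["get", "list", "watch"]},
]
# dashboard-viewonly adds read access to nodes, persistentvolumes and storage classes.
VIEWONLY_RULES = VIEW_RULES + [
    {"apiGroups": [""], "resources": ["nodes", "persistentvolumes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["get", "list", "watch"]},
]
# Constructed counter-example: one over-broad verb list turns a "read-only" role into a write role.
BAD_RULES = VIEWONLY_RULES + [{"apiGroups": ["apps"], "resources": ["deployments/scale"], "verbs": ["*"]}]

if __name__ == "__main__":
    print("view can list nodes:", allowed(VIEW_RULES, "", "nodes", "list"))          # False
    print("viewonly can list nodes:", allowed(VIEWONLY_RULES, "", "nodes", "list"))  # True
    print("viewonly can delete deployments:", allowed(VIEWONLY_RULES, "apps", "deployments", "delete"))  # False
    print("write grants in bad role:", write_grants(BAD_RULES))
```

Against a live cluster the same question is put to the API server directly with `kubectl auth can-i list nodes --as=system:serviceaccount:kube-system:dashboard-real-readonly`.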
What remains is to fetch this user's token and log in, which has been covered several times already, including earlier in this section; refer back to that, as it will not be repeated here.