kubernetes创建一个dashboard只读权限的用户(具有exec权限)

Posted nbw1028

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了kubernetes创建一个dashboard只读权限的用户(具有exec权限)相关的知识,希望对你有一定的参考价值。

1.下面我们来手动创建一个对cluster级别的资源也有只读权限的用户

kubectl create  sa dashboard-real-readonly  -n  kube-system

2.创建一个叫作​cluster-readonly​的clusterrole

cat cluster-readonly-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-readonly
rules:
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  - horizontalpodautoscalers/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - cronjobs/status
  - jobs
  - jobs/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - ingresses
  - ingresses/status
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicasets/status
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - poddisruptionbudgets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

3.创建一个叫作​cluster-readonly​的clusterrolebinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: cluster-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-readonly
subjects:
- kind: ServiceAccount
  name: dashboard-readonly
  namespace: kube-system

4.通过kubectl get secret -n=kube-system把所有的secret都列出来,然后找到具体的那一个)查看​dashboard-readonly​用户的secret,里面包含token,我们把token复制到dashboard登陆界面登陆

kubectl describe secret -n=kube-system dashboard-readonly-token-随机字符串

kubernetes创建一个dashboard只读权限的用户(具有exec权限)_rbac

5.登录dashboard验证

kubernetes创建一个dashboard只读权限的用户(具有exec权限)_rbac_02

kubernetes创建一个dashboard只读权限的用户(具有exec权限)_rbac_03

删除pod或者其他资源时,提示如下:

kubernetes创建一个dashboard只读权限的用户(具有exec权限)_rbac_04

验证完成。

以上是关于kubernetes创建一个dashboard只读权限的用户(具有exec权限)的主要内容,如果未能解决你的问题,请参考以下文章

Docker&Kubernetes ❀ Kubernetes集群 - DashBoard服务(Web管理)安装部署

kubernetes 1.14安装部署dashboard

安装kubernetes-dashboard

kuberneters dashboard认证及分级授权

Kubernetes之部署Dashboard UI

Kubernetes之部署Dashboard UI