為Kubernetesdashboard訪問用戶添加權(quán)限控制-創(chuàng)新互聯(lián)

為Kubernetes dashboard訪問用戶添加權(quán)限控制

[TOC]

十多年的密山網(wǎng)站建設(shè)經(jīng)驗(yàn)，針對(duì)設(shè)計(jì)、前端、開發(fā)、售后、文案、推廣等六對(duì)一服務(wù)，響應(yīng)快，48小時(shí)及時(shí)工作處理。成都全網(wǎng)營銷的優(yōu)勢(shì)是能夠根據(jù)用戶設(shè)備顯示端的尺寸不同，自動(dòng)調(diào)整密山建站的顯示方式，使網(wǎng)站能夠適用不同顯示終端，在瀏覽器中調(diào)整網(wǎng)站的寬度，無論在任何一種瀏覽器上瀏覽網(wǎng)站，都能展現(xiàn)優(yōu)雅布局與設(shè)計(jì)，從而大程度地提升瀏覽體驗(yàn)。創(chuàng)新互聯(lián)從事“密山網(wǎng)站設(shè)計(jì)”,“密山網(wǎng)站推廣”以來，每個(gè)客戶項(xiàng)目都認(rèn)真落實(shí)執(zhí)行。

1. 需求

在開發(fā)環(huán)境給開發(fā)人員創(chuàng)建應(yīng)用部署管理權(quán)限，可以使用dashboard的token和kubeconfig文件登錄，并在開發(fā)人員機(jī)器上安裝kubectl命令，可以使用kubectl port-forward命令。

2. 方案

因?yàn)槲覀冇玫搅薲ashboard和kubeapps，所以他們的rbac權(quán)限都要分配。
創(chuàng)建namespace：dev
創(chuàng)建ServiceAccount：dev-user1
給相應(yīng)權(quán)限，并綁定ServiceAccount。

3. 實(shí)現(xiàn)

3.1 分配dashboard權(quán)限

kubectl apply -f dev-user1.yaml

---
# ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-user1
  namespace: dev

---
# role
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: role-dev-user1
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "delete", "update", "patch"]
- apiGroups: [""]
  resources: ["pods/portforward", "pods/proxy"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list", "watch", "delete"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps", "extensions"]
  resources: ["replicasets"]
  verbs: ["get", "watch", "list", "create", "update", "pathch", "delete"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "watch", "list", "create", "update", "pathch", "delete"]
- apiGroups: [""]
  resources: ["persistentvolumeclaims"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "watch", "list", "create", "update", "pathch", "delete"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["daemonsets"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["cronjobs"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["replicationcontrollers"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["statefulsets"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["get", "watch", "list"]

---
# role bind
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-bind-dev-user1
  namespace: dev
subjects:
- kind: ServiceAccount
  name: dev-user1
  namespace: dev
roleRef:
  kind: Role
  name: role-dev-user1
  apiGroup: rbac.authorization.k8s.io

#---
## clusterrole
#kind: ClusterRole
#apiVersion: rbac.authorization.k8s.io/v1
#metadata:
#  namespace: dev
#  name: clusterrole-dev-user1
#rules:
#- apiGroups: [""]
#  resources: ["namespaces"]
#  verbs: ["get", "watch", "list"]
#
#---
## clusterrole bind
#kind: ClusterRoleBinding
#apiVersion: rbac.authorization.k8s.io/v1
#metadata:
#  name: clusterrole-bind-dev-user1
#  namespace: dev
#subjects:
#- kind: ServiceAccount
#  name: dev-user1
#  namespace: dev
#roleRef:
#  kind: ClusterRole
#  name: clusterrole-dev-user1
#  apiGroup: rbac.authorization.k8s.io

3.2 分配kubeapps權(quán)限

kubectl apply -f https://raw.githubusercontent.com/kubeapps/kubeapps/master/docs/user/manifests/kubeapps-applications-read.yaml
kubectl create -n dev rolebinding dev-user1-view \
  --clusterrole=kubeapps-applications-read \
  --serviceaccount dev:dev-user1

export KUBEAPPS_NAMESPACE=kubeapps
kubectl apply -n $KUBEAPPS_NAMESPACE -f https://raw.githubusercontent.com/kubeapps/kubeapps/master/docs/user/manifests/kubeapps-repositories-read.yaml
kubectl create -n dev rolebinding dev-user1-edit \
  --clusterrole=edit \
  --serviceaccount dev:dev-user1
kubectl create -n $KUBEAPPS_NAMESPACE rolebinding dev1-user1-kubeapps-repositories-read \
  --role=kubeapps-repositories-read \
  --serviceaccount dev:dev-user1

token獲?。?/p>

kubectl get -n dev secret $(kubectl get -n dev serviceaccount dev-user1 -o jsonpath='{.secrets[].name}') -o jsonpath='{.data.token}' | base64 --decode

3.3 生成kubeconfig

通過token方式訪問kube-apiserver

# 創(chuàng)建 kubectl config 文件
# 設(shè)置集群參數(shù)
kubectl config set-cluster kubernetes \
  --insecure-skip-tls-verify=true \
  --server="https://192.168.105.99:8443"
# 設(shè)置客戶端認(rèn)證參數(shù)
kubectl config set-credentials dev-user1 \
  --token='上文中獲取到的token' 
# 設(shè)置上下文參數(shù)
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=dev-user1  \
  --namespace=dev 
# 設(shè)置默認(rèn)上下文
kubectl config use-context kubernetes

注意
配置kubeconfig時(shí)指定路徑，以免覆蓋已有配置，--kubeconfig=configpath

也可以直接創(chuàng)建文件config，修改內(nèi)容即可。

apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://192.168.105.99:8443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: dev
    user: dev-user1
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: dev-user1
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZXYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiZGV2LXVzZXIxLXRva2VuLTJsbDlnIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZX291bnQubmFtZSI6ImRldi11c2VyMSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjdiY2Q4N2E1LWM0NGEtMTFlOC1iY2I5LTAwMGMyOWVhM2UzMCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZXY6ZGV2LXVzZXIxIn0.1M84CPHY-GoyeaRFyBcD49GTwG5o0HMhN8lVsH9GDiqdui-1ppyi3JMONRJ9aWdswEF7-wsb5d4MQEk-9z5yiVh3r8SMP0EhcUR5ierntzD1bwwwuYzDxE4vHAuPB1tTxM0fOL3H-BOjt68iBKmOtRJumx8LzSUleQiNBBqR1B_yRLqrO6yslw44WC432O5g1v

4. 測(cè)試驗(yàn)證

windows kubectl命令安裝

命令下載：
https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/windows/amd64/kubectl.exe

然后將其放至系統(tǒng)PATH目錄下，比如c:\Windows
命令使用時(shí)，可使用cmd、powershell或者其它命令提示行工具。推薦使用Git Bash，因?yàn)榘惭b過Git，則安裝了此工具。

kubeconfig文件
kubeconfig文件，即上文件中生成的config文件。
文件名為config，文件放到 ~/.kube/下（~為用戶家目錄），因?yàn)閗ubectl命令默認(rèn)讀取此文件，否則每次使用kubectl命令，需要用參數(shù)--kubeconfig=configpath指定。

kubectl get pod -n dev
kubectl port-forward svc/dev-mysql-mysqlha 3306:3306 -n dev

參考資料：
[1] https://kubernetes.io/docs/reference/access-authn-authz/rbac/
[2] https://blog.qikqiak.com/post/add-authorization-for-kubernetes-dashboard/
[3] https://github.com/kubeapps/kubeapps/blob/master/docs/user/access-control.md
[4] https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#config
[5] https://kubernetes.io/docs/tasks/tools/install-kubectl/#configure-kubectl

另外有需要云服務(wù)器可以了解下創(chuàng)新互聯(lián)cdcxhl.cn，海內(nèi)外云服務(wù)器15元起步，三天無理由+7*72小時(shí)售后在線，公司持有idc許可證，提供“云服務(wù)器、裸金屬服務(wù)器、高防服務(wù)器、香港服務(wù)器、美國服務(wù)器、虛擬主機(jī)、免備案服務(wù)器”等云主機(jī)租用服務(wù)以及企業(yè)上云的綜合解決方案，具有“安全穩(wěn)定、簡(jiǎn)單易用、服務(wù)可用性高、性價(jià)比高”等特點(diǎn)與優(yōu)勢(shì)，專為企業(yè)上云打造定制，能夠滿足用戶豐富、多元化的應(yīng)用場(chǎng)景需求。

名稱欄目：為Kubernetesdashboard訪問用戶添加權(quán)限控制-創(chuàng)新互聯(lián)
文章地址：http://www.muchs.cn/article34/dsjgse.html

成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián)，為您提供品牌網(wǎng)站建設(shè)、定制開發(fā)、網(wǎng)站維護(hù)、網(wǎng)站營銷、網(wǎng)站設(shè)計(jì)、做網(wǎng)站

聲明：本網(wǎng)站發(fā)布的內(nèi)容（圖片、視頻和文字）以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主，如果涉及侵權(quán)請(qǐng)盡快告知，我們將會(huì)在第一時(shí)間刪除。文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng)，如需處理請(qǐng)聯(lián)系客服。電話：028-86922220；郵箱：631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載，或轉(zhuǎn)載時(shí)需注明來源：創(chuàng)新互聯(lián)

猜你還喜歡下面的內(nèi)容