kubernetes daahboard权限限制

dashboard在多人使用的时候经常遇到误操作的情况,为了对dashboard进行限制,对dashboard进行了权限控制, 这里主要限制只允许pod被删除。
1:创建对应权限的ClusterRole(这里主要值允许pods被删除)

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: dashboard
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list", "create","proxy","update"]
- apiGroups: ["*"]
  resources: ["pods"]
  verbs: ["delete"]

 

注意的一点是为了让dashboard显示heapster的监控数据,必须还得开放resources中server的proxy方式


2:创建 ServiceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard
  namespace: kube-system

 

3:将ClusterRole和ServiceAccount互相绑定

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: dashboard-extended
subjects:
  - kind: ServiceAccount
    name: dashboard
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: dashboard
  #name: cluster-admin #默认cluster-admin代表开放全部权限
  apiGroup: rbac.authorization.k8s.io

 

4:deployment加入ServiceAccount权限
spec.template.spec.serviceAccountName:dashboard

5:为了让heapster也获得权限,用同样的方式让heapster获得system:heapster的权限

apiVersion: v1
kind: ServiceAccount
metadata:
  name: heapster
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: heapster-extended
subjects:
  - kind: ServiceAccount
    namespace: kube-system
    name: heapster
roleRef:
  kind: ClusterRole
  name: system:heapster
  apiGroup: rbac.authorization.k8s.io

 

posted @ 2017-10-18 13:33  深空灰  阅读(1041)  评论(0编辑  收藏  举报