Kubernetes 1.13.1 dashboard: separating permissions (a read-only login)

I. Creating a read-only (query permission) token for the Kubernetes dashboard

1. The contents of rbac-zxy.yaml are as follows

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-zxy
rules:
# Read-only verbs only: no create/update/delete, and no pods/exec
- apiGroups: [""]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["storage.k8s.io"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["extensions"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-bind-zxy
subjects:
- kind: ServiceAccount
  name: zxy
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: role-zxy
  apiGroup: rbac.authorization.k8s.io

The rule below would allow the user to exec into pods and run commands inside containers. To keep ordinary users from having that permission, we do not add it:

- apiGroups: [""]
  resources: [ "pods/exec"]
  verbs: ["create"]

 


2. Generate the token

kubectl create sa zxy -n kube-system
kubectl create -f rbac-zxy.yaml
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep zxy | awk '{print $1}')

[root@iZbp13ke7onfhiq7ycl4m0Z ~]# kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep zxy | awk '{print $1}')
Name:         zxy-token-xwrqk
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: zxy
              kubernetes.io/service-account.uid: f44468f7-147d-11e9-8505-00163e0d735c
Type:  kubernetes.io/service-account-token
Data
====
ca.crt:     1367 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJ6eHktdG9rZW4teHdycWsiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoienh5Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZjQ0NDY4ZjctMTQ3ZC0xMWU5LTg1MDUtMDAxNjNlMGQ3MzVjIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOnp4eSJ9.kaGX8mNOJ0snLk7Q4wcBeMo0AjrV1k91AHUvJ0PRDOukx5aT2FH5xbd4CdRL0O7VgMEmEc4J3-u7Jr03yQNkDWCb9rMWOXZFw5qIz7hl98JhEWB-ouIdJMPVsVKEFKjpayBaCdBUMlbPKh31QSeWS7dvZdxDAkUeF0OiNFeh91D7FlKe0DDxUMX-aOsoSRr1x6PJv9LEm7Fm5HWJyrSlTh6P4N6dxZhAf1wMxZGTFwr3XE0NOGS8to_p53qJOIIoGs5klxZ-CaU38NVmsNA02BedXELU3_1PySt9eKVwGDDilKuwwSyTvGgoktcC6TwQ71o_TAGQ-vpFWuB8VnpOAg

 

3. The long string below is the login token that carries the read-only (query) permissions

eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJ6eHktdG9rZW4teHdycWsiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoienh5Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZjQ0NDY4ZjctMTQ3ZC0xMWU5LTg1MDUtMDAxNjNlMGQ3MzVjIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOnp4eSJ9.kaGX8mNOJ0snLk7Q4wcBeMo0AjrV1k91AHUvJ0PRDOukx5aT2FH5xbd4CdRL0O7VgMEmEc4J3-u7Jr03yQNkDWCb9rMWOXZFw5qIz7hl98JhEWB-ouIdJMPVsVKEFKjpayBaCdBUMlbPKh31QSeWS7dvZdxDAkUeF0OiNFeh91D7FlKe0DDxUMX-aOsoSRr1x6PJv9LEm7Fm5HWJyrSlTh6P4N6dxZhAf1wMxZGTFwr3XE0NOGS8to_p53qJOIIoGs5klxZ-CaU38NVmsNA02BedXELU3_1PySt9eKVwGDDilKuwwSyTvGgoktcC6TwQ71o_TAGQ-vpFWuB8VnpOAg

 

4. On the dashboard login page choose "Token", paste the token above, and click Sign in
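Before handing the token out it is worth checking which ServiceAccount it actually names. A service-account token is a JWT whose payload (the middle dot-separated part) carries the namespace, the ServiceAccount name and a sub claim of the form system:serviceaccount:<namespace>:<name>. The shell script below is an added example, not part of the original post: it base64url-decodes the payload and checks the sub claim. The token it runs on is constructed inline with the same claim layout as the one above and a dummy signature; the signature is not verified here, only the API server can do that.

```shell
#!/bin/sh
# Added example (not from the original post): decode the claims of a
# Kubernetes service-account token and confirm which ServiceAccount it
# belongs to before pasting it into the dashboard or a kubeconfig.
# Only the payload is inspected; the signature is NOT verified here.

# b64url_decode: base64url text -> raw bytes, restoring the stripped padding.
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# jwt_payload: print the decoded JSON payload (second dot-separated part).
jwt_payload() {
    payload=$(printf '%s' "$1" | cut -d. -f2)
    b64url_decode "$payload"
}

# jwt_claim: extract one string-valued claim by name. Minimal JSON matching,
# sufficient for the flat claim set a legacy service-account token carries.
jwt_claim() {
    jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# check_sa_token: succeed only if the token's subject is the expected
# ServiceAccount in the expected namespace.
check_sa_token() {
    tok=$1; ns=$2; sa=$3
    sub=$(jwt_claim "$tok" sub)
    [ "$sub" = "system:serviceaccount:${ns}:${sa}" ]
}

# Constructed sample token: same claim layout as the legacy token shown in
# the post, with a dummy signature that would never validate on a real cluster.
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }
HEADER=$(printf '%s' '{"alg":"RS256","kid":""}' | b64url)
PAYLOAD=$(printf '%s' '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/service-account.name":"zxy","sub":"system:serviceaccount:kube-system:zxy"}' | b64url)
SAMPLE_TOKEN="${HEADER}.${PAYLOAD}.dummysignature"

jwt_payload "$SAMPLE_TOKEN"; echo
if check_sa_token "$SAMPLE_TOKEN" kube-system zxy; then
    echo "token belongs to system:serviceaccount:kube-system:zxy"
else
    echo "token belongs to a different subject, do not hand it out"
fi
```

Decoding tells you whose token it is, not what it may do; the authorization side is checked on the cluster with impersonation, for example kubectl auth can-i create pods --subresource=exec --as=system:serviceaccount:kube-system:zxy, which should answer no with the ClusterRole above.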

5. To remove the permissions again, run the following commands

kubectl delete -f rbac-zxy.yaml
kubectl delete sa zxy -n kube-system

 

6. If you do not want to enter the token each time, generate a kubeconfig file for the dashboard instead, using the following steps

kubectl create sa zxy -n kube-system
kubectl create -f rbac-zxy.yaml

# Name of the token secret created for the service account
VIEW_SECRET=$(kubectl -n kube-system get secret | grep zxy | awk '{print $1}')

# The token value itself
DASHBOARD_VIEW_TOKEN=$(kubectl describe secret -n kube-system ${VIEW_SECRET} | grep -E '^token' | awk '{print $2}')

echo ${DASHBOARD_VIEW_TOKEN}

# API server address (the author's cluster; use your own)
export KUBE_APISERVER=https://10.46.228.139:6443

# Cluster parameters: embed the CA certificate so the file is self-contained
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/cert/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=dashboard-view.kubeconfig

# Client credentials: use the token created above
kubectl config set-credentials dashboard_user \
--token=${DASHBOARD_VIEW_TOKEN} \
--kubeconfig=dashboard-view.kubeconfig

# Context parameters
kubectl config set-context default \
--cluster=kubernetes \
--user=dashboard_user \
--kubeconfig=dashboard-view.kubeconfig

# Set the default context
kubectl config use-context default --kubeconfig=dashboard-view.kubeconfig

 

Reference: http://blog.51cto.com/ylw6006/2113542

posted @ 2020-06-02 23:44  $world  views(248)  comments(0)