|NO.Z.00233|——————————|^^ Failed ^^|——|Kubernetes & fine-grained permission control.V17|——|RBAC.v00|dashboard|
1. RBAC: viewing the official k8s dashboard
### --- The official k8s dashboard
[root@k8s-master01 ~]# kubectl get svc,po -n kubernetes-dashboard
service/kubernetes-dashboard NodePort 10.103.77.223 <none> 443:31196/TCP 41h
NAME READY STATUS RESTARTS AGE
pod/kubernetes-dashboard-6b8bd587c8-gtwwr 1/1 Running 16 17h
2. No ingress configured: access the dashboard directly through the NodePort by IP
### --- No ingress configured: access the dashboard directly through the NodePort by IP
~~~ The service is exposed on NodePort 31196
[root@k8s-master01 ~]# kubectl edit svc kubernetes-dashboard -n !$
type: NodePort
[root@k8s-master01 ~]# kubectl get svc,po -n kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes-dashboard NodePort 10.103.77.223 <none> 443:31196/TCP 41h
The dashboard can be reached at https://192.168.1.20:31196/

3. Changing the dashboard's authentication method
### --- Add the parameter to kube-apiserver
[root@k8s-master01 ~]# vim /usr/lib/systemd/system/kube-apiserver.service
--feature-gates=EphemeralContainers=true \ // add the new parameter below this line
--basic-auth-file=/etc/kubernetes/basic_auth_file \ // add this parameter
--requestheader-extra-headers-prefix=X-Remote-Extra- \ // add the new parameter above this line
[root@k8s-master01 RBAC+Dashboard]# vim /etc/kubernetes/basic_auth_file
xxx1_2019,xxx1,3,"system:authentication"
xxx2_2019,xxx2,4,"system:authentication"
xxx3_2019,xxx3,5,"system:authentication"
xxx4_2019,xxx4,6,"system:authentication"
--basic-auth-file=/etc/kubernetes/pki/basic_auth_file
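As an added example (not from the post), here is a small Python checker for the `basic_auth_file` format shown above: each line is `password,username,uid` plus an optional quoted, comma-separated group list as a fourth field. It parses the file with the csv module and flags entries a reviewer would not want on an API server: empty or short passwords, passwords that embed the username, and duplicate usernames or uids. The sample content is constructed from the post's placeholder entries. Keep in mind that `--basic-auth-file` stores credentials in plaintext on the control-plane host and was deprecated in Kubernetes 1.16 and removed in 1.19, so on current clusters the dashboard must be accessed with a token, a kubeconfig or OIDC instead.

```python
import csv
import io

# Constructed sample in the layout kube-apiserver's --basic-auth-file used:
# password,username,uid[,"group1,group2"]. Values mirror the post's placeholders.
SAMPLE_BASIC_AUTH_FILE = '''xxx1_2019,xxx1,3,"system:authentication"
xxx2_2019,xxx2,4,"system:authentication"
xxx3_2019,xxx3,5,"system:authentication"
xxx4_2019,xxx4,6,"system:authentication"
'''


def parse_basic_auth_file(text):
    """Parse the static basic-auth file into a list of user records.

    Each CSV row is password,username,uid with an optional quoted,
    comma-separated group list as the 4th field. Blank lines are skipped;
    any other field count is rejected so a typo cannot silently create
    a user with the wrong uid or groups."""
    users = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue
        if len(row) not in (3, 4):
            raise ValueError(f"line {lineno}: expected 3 or 4 fields, got {len(row)}")
        password, name, uid = row[0], row[1], row[2]
        groups = [g for g in row[3].split(",") if g] if len(row) == 4 else []
        users.append({"line": lineno, "password": password, "name": name,
                      "uid": uid, "groups": groups})
    return users


def audit_basic_auth_users(users, min_password_len=12):
    """Return (line, message) findings a reviewer would flag in the file."""
    findings = []
    first_name, first_uid = {}, {}
    for u in users:
        pw, name, uid = u["password"], u["name"], u["uid"]
        if not pw:
            findings.append((u["line"], "empty password"))
        elif len(pw) < min_password_len:
            findings.append((u["line"], f"password shorter than {min_password_len} characters"))
        if pw and name and name.lower() in pw.lower():
            findings.append((u["line"], "password contains the username"))
        if name in first_name:
            findings.append((u["line"], f"username {name!r} already defined on line {first_name[name]}"))
        else:
            first_name[name] = u["line"]
        if uid in first_uid:
            findings.append((u["line"], f"uid {uid!r} already used on line {first_uid[uid]}"))
        else:
            first_uid[uid] = u["line"]
    return findings


if __name__ == "__main__":
    parsed = parse_basic_auth_file(SAMPLE_BASIC_AUTH_FILE)
    for line, message in audit_basic_auth_users(parsed):
        print(f"line {line}: {message}")
```

Run against the post's sample, every entry is reported twice: the passwords are shorter than twelve characters and each one embeds its username.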
Appendix 1:
### --- Reference: https://www.cnblogs.com/dukuan/p/11976406.html
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    ratel: "true"
    username: xxx1
  name: ratel-pod-delete-xxx1
  namespace: ratel-test1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-pod-delete
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: xxx1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    ratel: "true"
    username: xxx1
  name: ratel-pod-exec-xxx1
  namespace: ratel-test1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-pod-exec
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: xxx1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    ratel: "true"
    username: xxx1
  name: ratel-resource-readonly-xxx1
  namespace: ratel-test1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-resource-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: xxx1
Appendix 2:
### --- Use a ClusterRole to define reusable permissions,
~~~ then use a RoleBinding to bind them to a User in a given namespace, or to a specified ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    ratel: "true"
    username: java1
  name: ratel-pod-exec-sa-java1
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-pod-exec
subjects:
- kind: ServiceAccount
  name: java1
  namespace: kube-users
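Appendix 1 and appendix 2 both rest on the same rule: a ClusterRole referenced from a RoleBinding grants its rules only inside the RoleBinding's namespace, which is what makes one shared ClusterRole safe to hand out per namespace. The Python below is an added example (my code, not code from the post or from ratel) that models this evaluation offline so the bindings above can be reasoned about without a cluster. The RoleBindings mirror the two appendices; the rule bodies of the three ClusterRoles are assumptions, because the post names them but does not show them. `can_i` answers the same question as `kubectl auth can-i <verb> <resource> --as <user> -n <namespace>` would on a live cluster.

```python
# Assumed ClusterRole rules: the post only names these ClusterRoles, so the
# rule bodies below are constructed for the demo, not taken from ratel.
CLUSTER_ROLES = {
    "ratel-pod-delete": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["delete"]},
    ],
    "ratel-pod-exec": [
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    ],
    "ratel-resource-readonly": [
        {"apiGroups": ["", "apps"], "resources": ["pods", "deployments"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# RoleBindings mirroring appendix 1 (user xxx1 in ratel-test1) and
# appendix 2 (ServiceAccount kube-users/java1 in default).
ROLE_BINDINGS = [
    {"namespace": "ratel-test1", "roleRef": "ratel-pod-delete",
     "subjects": [{"kind": "User", "name": "xxx1"}]},
    {"namespace": "ratel-test1", "roleRef": "ratel-pod-exec",
     "subjects": [{"kind": "User", "name": "xxx1"}]},
    {"namespace": "ratel-test1", "roleRef": "ratel-resource-readonly",
     "subjects": [{"kind": "User", "name": "xxx1"}]},
    {"namespace": "default", "roleRef": "ratel-pod-exec",
     "subjects": [{"kind": "ServiceAccount", "name": "java1", "namespace": "kube-users"}]},
]

# Callers used by the demo: the User from appendix 1 and the SA from appendix 2.
USER_XXX1 = {"kind": "User", "name": "xxx1"}
SA_JAVA1 = {"kind": "ServiceAccount", "name": "java1", "namespace": "kube-users"}


def subject_matches(subject, caller):
    """A User matches by name; a ServiceAccount must match name and namespace,
    so java1 in another namespace does not inherit kube-users/java1's rights."""
    if subject["kind"] != caller["kind"]:
        return False
    if subject["kind"] == "ServiceAccount":
        return (subject["name"] == caller["name"]
                and subject.get("namespace") == caller.get("namespace"))
    return subject["name"] == caller["name"]


def rule_allows(rule, api_group, resource, verb):
    """RBAC rules are allow-only; '*' is the wildcard for each field.
    Subresources such as pods/exec must be named explicitly."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return (hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def can_i(caller, verb, resource, namespace, api_group=""):
    """Return True if some RoleBinding in `namespace` names the caller and its
    ClusterRole contains a rule allowing verb on resource.

    Only RoleBindings in the requested namespace are consulted: that is the
    scoping appendix 2 relies on when it binds a ClusterRole via a RoleBinding."""
    for rb in ROLE_BINDINGS:
        if rb["namespace"] != namespace:
            continue
        if not any(subject_matches(s, caller) for s in rb["subjects"]):
            continue
        rules = CLUSTER_ROLES.get(rb["roleRef"], [])
        if any(rule_allows(r, api_group, resource, verb) for r in rules):
            return True
    return False


if __name__ == "__main__":
    checks = [
        (USER_XXX1, "delete", "pods", "ratel-test1", ""),
        (USER_XXX1, "delete", "pods", "default", ""),
        (USER_XXX1, "delete", "deployments", "ratel-test1", "apps"),
        (SA_JAVA1, "create", "pods/exec", "default", ""),
        (SA_JAVA1, "create", "pods/exec", "ratel-test1", ""),
    ]
    for caller, verb, resource, ns, group in checks:
        who = caller["name"] if caller["kind"] == "User" else f"sa {caller['namespace']}/{caller['name']}"
        print(f"{who:>22} {verb:<6} {resource:<12} in {ns:<12}: "
              f"{'yes' if can_i(caller, verb, resource, ns, group) else 'no'}")
```

The interesting answers are the negatives: xxx1 can delete pods in ratel-test1 but not in default, and java1 can exec into pods in default but nowhere else, even though both are bound to the same ClusterRole. That is the difference between a RoleBinding and a ClusterRoleBinding, and the reason per-namespace RoleBindings are the right shape for dashboard users.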