k8s-dashboard installation and introduction
Installing the dashboard UI
kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended/kubernetes-dashboard.yaml
Check that the installation succeeded:
kubectl get svc,pod --all-namespaces
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
...
kube-system service/kubernetes-dashboard ClusterIP 10.110.187.255 <none> 443/TCP 86m
NAMESPACE NAME READY STATUS RESTARTS AGE
...
kube-system pod/kubernetes-dashboard-57df4db6b-jjqhf 1/1 Running 8 86m
Note: if the image pull fails, you can serve the image from a private registry. First find the image reference in the manifest:
cat kubernetes-dashboard.yaml | grep image
image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
Then replace "k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1" with "mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1", pull it with docker and push it to your private registry; see (https://mp.weixin.qq.com/s/cV74onbtzTubrrhOl_Qi8w) for the details. Treat a third-party mirror as an untrusted source: compare the image digest with the one published upstream before pushing it to your registry, and reference the image by digest rather than by tag in the manifest, so that what the cluster runs is what you checked. The dashboard ends up holding whatever credentials you log in with, so a tampered image is a cluster compromise.
Argument name | Default value | Description |
---|---|---|
insecure-port | 9090 | The port to listen to for incoming HTTP requests. |
port | 8443 | The secure port to listen to for incoming HTTPS requests. |
insecure-bind-address | 127.0.0.1 | The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). |
bind-address | 0.0.0.0 | The IP address on which to serve the --port, i.e. the HTTPS port (set to 0.0.0.0 for all interfaces). |
default-cert-dir | /certs | Directory path containing '--tls-cert-file' and '--tls-key-file' files. Used also when auto-generating certificates flag is set. Relative to the container, not the host. |
tls-cert-file | - | File containing the default x509 Certificate for HTTPS. |
tls-key-file | - | File containing the default x509 private key matching --tls-cert-file. |
apiserver-host | - | The address of the Kubernetes Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8080. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and local discovery is attempted. |
api-log-level | DEFAULT | Set or disable API request logging.<br />DEFAULT sanitizes potentially sensitive URLS<br />DEBUG outputs all request output (even if sensitive)<br />NONE disables all request logging |
heapster-host | - | The address of the Heapster to connect to in the format of protocol://address:port, e.g., http://localhost:8082. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and service proxy will be used. |
kubeconfig | - | Path to kubeconfig file with authorization and master location information. |
token-ttl | 15 minutes | Expiration time (in seconds) of JWE tokens generated by dashboard. Default: 15 min. 0 - never expires. |
authentication-mode | token | Enables authentication options that will be reflected on login screen. Supported values: token, basic. Note that basic option should only be used if apiserver has '--authorization-mode=ABAC' and '--basic-auth-file' flags set. |
metric-client-check-period | 30 seconds | Time in seconds that defines how often configured metric client health check should be run. |
auto-generate-certificates | false | When set to true, Dashboard will automatically generate certificates used to serve HTTPS. |
enable-insecure-login | false | When enabled, Dashboard login view will also be shown when Dashboard is not served over HTTPS. Still, it requires frontend to be accessed over HTTPS (i.e. secure nginx proxy). |
system-banner | - | When non-empty displays message to Dashboard users. Accepts simple HTML tags. |
system-banner-severity | INFO | Severity of system banner. Should be one of 'INFO,WARNING,ERROR'. |
disable-settings-authorizer | false | When enabled, Dashboard settings page will not require user to be logged in and authorized to access settings page. |
enable-skip-login | false | When enabled, the skip button on the login page will be shown. |
Accessing through kubectl proxy
kubectl proxy starts a local proxy for the Kubernetes API server (this is the kubectl subcommand, not the kube-proxy node component):
Options:
--accept-hosts='^localhost$,^127\.0\.0\.1$,^\[::1\]$': Regular expression for hosts that the proxy should accept.
--accept-paths='^.*': Regular expression for paths that the proxy should accept.
--address='127.0.0.1': The IP address on which to serve on.
--api-prefix='/': Prefix to serve the proxied API under.
--disable-filter=false: If true, disable request filtering in the proxy. This is dangerous, and can leave you vulnerable to XSRF attacks, when used with an accessible port.
--keepalive=0s: keepalive specifies the keep-alive period for an active network connection. Set to 0 to disable keepalive.
-p, --port=8001: The port on which to run the proxy. Set to 0 to pick a random port.
--reject-methods='^$': Regular expression for HTTP methods that the proxy should reject (example --reject-methods='POST,PUT,PATCH').
--reject-paths='^/api/.*/pods/.*/exec,^/api/.*/pods/.*/attach': Regular expression for paths that the proxy should reject. Paths specified here will be rejected even accepted by --accept-paths.
-u, --unix-socket='': Unix socket on which to run the proxy.
-w, --www='': Also serve static files from the given directory under the specified prefix.
-P, --www-prefix='/static/': Prefix to serve static files under, if static file directory is specified.
Usage:
kubectl proxy [--port=PORT] [--www=static-dir] [--www-prefix=prefix] [--api-prefix=prefix] [options]
To reach the proxy from other machines, the --accept-hosts and --address parameters have to be set (by default the proxy listens only on 127.0.0.1). Understand what this exposes before doing it: kubectl proxy attaches your kubeconfig credentials (here the kubernetes-admin client certificate) to every request it forwards and performs no authentication of its own, and --accept-hosts only checks the HTTP Host header, which any client can set freely. Binding to 0.0.0.0 therefore hands cluster-admin access to anyone who can reach TCP port 8001. On anything but an isolated lab network, keep the proxy on 127.0.0.1 and reach it over an SSH tunnel, or use kubectl port-forward to the dashboard service instead.
kubectl proxy --address='0.0.0.0' --port=8001 --accept-hosts='^localhost$,^192\.168\.1\.122$'
Setting up login access
Open http://192.168.1.122:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ in a browser:
The dashboard offers two authentication methods on its login screen: a kubeconfig file and a bearer token.
Token login
Each service account in k8s has its own token:
kubectl get secret -n kube-system
NAME TYPE DATA AGE
attachdetach-controller-token-8kh8n kubernetes.io/service-account-token 3 21h
bootstrap-signer-token-htm5l kubernetes.io/service-account-token 3 21h
bootstrap-token-ngcxcv bootstrap.kubernetes.io/token 7 21h
calico-node-token-4wkts kubernetes.io/service-account-token 3 20h
certificate-controller-token-dzvlt kubernetes.io/service-account-token 3 21h
clusterrole-aggregation-controller-token-qpvfv kubernetes.io/service-account-token 3 21h
coredns-token-hdk66 kubernetes.io/service-account-token 3 21h
cronjob-controller-token-tmvgn kubernetes.io/service-account-token 3 21h
daemon-set-controller-token-wxfbl kubernetes.io/service-account-token 3 21h
default-token-67lzs kubernetes.io/service-account-token 3 21h
deployment-controller-token-ps2sn kubernetes.io/service-account-token 3 21h
disruption-controller-token-qhncp kubernetes.io/service-account-token 3 21h
endpoint-controller-token-mq29n kubernetes.io/service-account-token 3 21h
expand-controller-token-qv82t kubernetes.io/service-account-token 3 21h
generic-garbage-collector-token-4bklk kubernetes.io/service-account-token 3 21h
horizontal-pod-autoscaler-token-4nn7k kubernetes.io/service-account-token 3 21h
job-controller-token-hmjcx kubernetes.io/service-account-token 3 21h
kube-proxy-token-phvpr kubernetes.io/service-account-token 3 21h
kubernetes-dashboard-certs Opaque 0 143m
kubernetes-dashboard-csrf Opaque 1 143m
kubernetes-dashboard-key-holder Opaque 2 76m
kubernetes-dashboard-token-tpvvp kubernetes.io/service-account-token 3 143m
namespace-controller-token-9jm46 kubernetes.io/service-account-token 3 21h
node-controller-token-lvw87 kubernetes.io/service-account-token 3 21h
persistent-volume-binder-token-sn2zf kubernetes.io/service-account-token 3 21h
pod-garbage-collector-token-gmwb6 kubernetes.io/service-account-token 3 21h
pv-protection-controller-token-r566m kubernetes.io/service-account-token 3 21h
pvc-protection-controller-token-sh8x9 kubernetes.io/service-account-token 3 21h
replicaset-controller-token-bd724 kubernetes.io/service-account-token 3 21h
replication-controller-token-h7bt6 kubernetes.io/service-account-token 3 21h
resourcequota-controller-token-qrj5l kubernetes.io/service-account-token 3 21h
service-account-controller-token-5brbw kubernetes.io/service-account-token 3 21h
service-controller-token-ln82n kubernetes.io/service-account-token 3 21h
statefulset-controller-token-b9jlj kubernetes.io/service-account-token 3 21h
token-cleaner-token-9lzqb kubernetes.io/service-account-token 3 21h
ttl-controller-token-58rdc kubernetes.io/service-account-token 3 21h
With kubectl describe secret we can see the token of a specific service account:
kubectl describe secret deployment-controller-token-ps2sn -n kube-system
Name: deployment-controller-token-ps2sn
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: deployment-controller
kubernetes.io/service-account.uid: e3dff2a1-2095-11e9-b54b-5254003008ab
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZXBsb3ltZW50LWNvbnRyb2xsZXItdG9rZW4tcHMyc24iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVwbG95bWVudC1jb250cm9sbGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZTNkZmYyYTEtMjA5NS0xMWU5LWI1NGItNTI1NDAwMzAwOGFiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRlcGxveW1lbnQtY29udHJvbGxlciJ9.d_GQotLp38_5GOMCHy2sn9zvgTThnSo4cUN5PkRbKyLtT16zl1MtFadOogLc7iVllNgDGAzHHAbo73m35gi1j0H_o0A742wZq4gLS-06r4UPfhpU9IoGhYZusYOY-RvBkjm7PZbKhudxwStdP44HhwaqdoX2wMwZgT8mrVd74VEs988zPEaM-QAKYLhYgOEAlEFvXnFfzm2dRD9LtK7m1JrlmevmtONfucEPpJiVuAhYBYq31KZ6YOya0Py8tInd8S-9_pmBmNVCYE2MzyFLWJ5uJhmdefqNWwTgKaKHWOsczqDecnRaSuF97Qje7udwVeVjNTeCwUzOZAfPlHLe-Q
But each service account's token carries only the permissions granted to that account, which may not match what we need, so we create a ServiceAccount of our own and grant it permissions with a ClusterRoleBinding. The example below binds it to the built-in cluster-admin ClusterRole, which gives the dashboard, and anyone who obtains the token, unrestricted control of the cluster; outside a lab, bind a narrower role instead (for example the built-in view ClusterRole, or a Role limited to the namespaces the dashboard should manage).
Create the file user-shikanon.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: user-shikanon
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: user-shikanon
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: user-shikanon
  namespace: kube-system
Create the resources:
[root@master ~]# kubectl create -f user-shikanon.yaml
serviceaccount/user-shikanon created
clusterrolebinding.rbac.authorization.k8s.io/user-shikanon created
View the token of the user-shikanon service account (kubectl describe matches the secret name by prefix, so user-shikanon resolves to user-shikanon-token-6t5rd):
[root@master ~]# kubectl describe secret user-shikanon --namespace=kube-system
Name: user-shikanon-token-6t5rd
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: user-shikanon
kubernetes.io/service-account.uid: f290b948-2149-11e9-a469-5254003008ab
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9....Ap6MY85X38mVGXqEe7T8UW-RHNXWWJZ06eKKXMKutRJUKDNcfKKV0Y1o_CsWLfSNjqNjRCoTYs4x73vHwo6LkrXrzKoyh7VZytcMxpwV7FiLAMU0OFia179WROAIEpvZ1AsK94X2NM3zBS4I3pVNK_OLM4wuOBLcX9bkFscBRufs3SvgtA64t8_vq4udgoQdERdnK3EiPBgpZEjnGQIK_o-kgGKviXhS892r2QD9y_YlrFyY6Gu4xPRew_k2jPpFpZNyjYp3pKWw6DnGKBN39M7T5igLnSXJEQGp1mXgYrgWBL-IQeWtRTVcpBIeRFa5AoPMfPcv5x4AsWHK_rF1_A
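Rather than copying the token out of kubectl describe output by eye, the script below fetches a service-account token with a jsonpath query and shows what such a token actually is: an RS256-signed JWT whose payload names the namespace, secret and account it belongs to. This is an added example and not code from the original post. The decoder does no signature check and is for inspection only; the API server is what validates the token. The embedded token is the deployment-controller token printed above on this page; the sa_token helper needs a live cluster and is not run here, and `base64 -d` is assumed to be the GNU coreutils flag.

```shell
#!/bin/sh
# Added example (not part of the original post): fetch and inspect a service-account token.
set -eu

# The deployment-controller token exactly as printed on this page above.
DEPLOYMENT_CONTROLLER_TOKEN='eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZXBsb3ltZW50LWNvbnRyb2xsZXItdG9rZW4tcHMyc24iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVwbG95bWVudC1jb250cm9sbGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZTNkZmYyYTEtMjA5NS0xMWU5LWI1NGItNTI1NDAwMzAwOGFiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRlcGxveW1lbnQtY29udHJvbGxlciJ9.d_GQotLp38_5GOMCHy2sn9zvgTThnSo4cUN5PkRbKyLtT16zl1MtFadOogLc7iVllNgDGAzHHAbo73m35gi1j0H_o0A742wZq4gLS-06r4UPfhpU9IoGhYZusYOY-RvBkjm7PZbKhudxwStdP44HhwaqdoX2wMwZgT8mrVd74VEs988zPEaM-QAKYLhYgOEAlEFvXnFfzm2dRD9LtK7m1JrlmevmtONfucEPpJiVuAhYBYq31KZ6YOya0Py8tInd8S-9_pmBmNVCYE2MzyFLWJ5uJhmdefqNWwTgKaKHWOsczqDecnRaSuF97Qje7udwVeVjNTeCwUzOZAfPlHLe-Q'

# Decode one base64url segment: JWT segments use '-' and '_' and drop the '=' padding.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# String value of claim $2 from the payload (second segment) of token $1.
# No signature check here: the API server does the verifying, this only reads the claims.
# Claim names contain '/', so sed uses '|' as its delimiter.
jwt_claim() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Signing algorithm from the header (first segment); service-account tokens are RS256.
jwt_alg() {
  header=$(printf '%s' "$1" | cut -d. -f1)
  b64url_decode "$header" | sed -n 's|.*"alg":"\([^"]*\)".*|\1|p'
}

# Live cluster only (not run here): token of the secret auto-created for a ServiceAccount.
# `kubectl get` returns data.token base64-encoded, unlike `kubectl describe` which decodes it.
# Assumes the pre-1.24 behaviour, where every ServiceAccount gets such a secret, as on this page.
sa_token() {  # $1 = namespace, $2 = service account name
  secret=$(kubectl -n "$1" get serviceaccount "$2" -o jsonpath='{.secrets[0].name}')
  kubectl -n "$1" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d
}

printf 'alg:         %s\n' "$(jwt_alg "$DEPLOYMENT_CONTROLLER_TOKEN")"
printf 'subject:     %s\n' "$(jwt_claim "$DEPLOYMENT_CONTROLLER_TOKEN" sub)"
printf 'namespace:   %s\n' "$(jwt_claim "$DEPLOYMENT_CONTROLLER_TOKEN" kubernetes.io/serviceaccount/namespace)"
printf 'secret name: %s\n' "$(jwt_claim "$DEPLOYMENT_CONTROLLER_TOKEN" kubernetes.io/serviceaccount/secret.name)"
```

On a live cluster, `sa_token kube-system user-shikanon` prints the token to paste into the dashboard login, and piping it through `jwt_claim` confirms which account it belongs to before you hand it out. Note that these legacy tokens carry no expiry claim: they stay valid until the secret is deleted, which is why a cluster-admin one must be treated like the admin client key itself.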
Kubeconfig login
Find the kubeconfig at ~/.kube/config, or create a new one, and add a token field to the user entry at the end of the file. The dashboard's kubeconfig login only honours the authentication modes the dashboard itself supports (token, and basic auth if enabled), so the client certificate already in the file is not used on its own; the token to add is a service-account token such as the user-shikanon one above. The file then carries both the admin client key and a cluster-admin bearer token, so protect it accordingly:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ...
    server: https://192.168.1.120:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4akNDQWRxZ0F3SUJBZ0lJVHB1b3ZjbElYdVV3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB4T1RBeE1qVXhNVE00TWpGYUZ3MHlNREF4TWpVeE1UTTRNakphTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTBPMlZMVDhENlIwVFMyRFoKb0tOZGlBcVJ3amVkWlo4Y29FdVBneTZpNlVReU9qQUt4OVZaeVJ6bWIyTWU1aFpHSXdLVGcyNW92YWw3ZWY4RApwc2FqYUhOa2NZSVd6S0Y0Yks0ZGtndlRudE5yUGxpazA5WFQxWTAwZUF0ZmpySjMrZWwzcEd1eGFPWENzZVQ3CjVLR0pINkdWWllpeGhMekF4bnpGd3lpdlFFcDVjVFl1RVhvZUZnOXBTekRhRFV5M2orUnBqRWhEdjdraVZpWGQKTE5yVGg0ZFB2ZWZhd21KTE8yYk9qUkI5MDB4dkpLMkF2NmtiV0M0U2wzQnF1SjhyVERoM21IeDQzOXVSNnpDZgpsNkYrbC9qRVBBRFJQQzVrTEJhUzVMT3JmcFlBM244MWNKYVRVeWROeGtIbDkzVTZiSnNQNXhPblBrOFpxUC9iClNhaWVrd0lEQVFBQm95Y3dKVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFJRVl0MjBQVDJnWm1UMmx3amYyYjIvdGc0OUJMNFJObTl4dgp1RkVmK3F1SklqcHJpMFV0TVJUZE5lV2ZiZTJvZWMrbm1SNk5CSGhUMnlhYVMrQjJ5SUZvOVVWckZENXdYVUsrCnVVN0NCRk55cHZRTzlHVXJYaGFYa1lKUkJNQ21XM2d6T1RqdXVFaGNMd0lHZGRWdlI4Wkh5M245Y084czAzU2sKUmtuMlZmL0hjQnRvbnRUWENGTXpidFA0UnZnYXlMN2c5NGpsN25OQ1hBVEU1K1h5OHZKcm5NSXhUbVQwTnVFNgpBVG43RG1Hb2V0Q2kySnJqZFpqcUR5N3FqbjhOZGQ1Qmh4OWkvWThyTXVWTC9GTWIrRVk4SzM3U2IxTmM1U21rCkNtUjNGakZZYjJUVDRZeHdtMWFPM0Rvd0lOWDVDdkd4aTNHS0F4QjJydGZQSUpLOEhydz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: ...
    token: eyJhbGciOiJSUzI1NiIsIm
RBAC access control
Role and ClusterRole
A Role can only grant access to resources within a single namespace. In the RBAC API a Role is a set of rules, and permissions are purely additive: there are no deny rules, so a subject never starts out with broad access that RBAC then trims down. A Role is defined in one namespace; to grant access across namespaces create a ClusterRole, which is cluster-scoped.
Role:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
ClusterRole:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
RoleBinding and ClusterRoleBinding
A RoleBinding grants the permissions defined in a role to a set of subjects. It contains a list of subjects (users, groups or service accounts) and a reference to the Role or ClusterRole being bound. A RoleBinding grants permissions within a single namespace (even when it references a ClusterRole, as in the example below, the grant stays inside that namespace); a ClusterRoleBinding grants them cluster-wide.
RoleBinding:
# This role binding allows "dave" to read secrets in the "development" namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-secrets
  namespace: development # This only grants permissions within the "development" namespace.
subjects:
- kind: User
  name: dave
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
ClusterRoleBinding:
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
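The user-shikanon binding created earlier on this page is exactly the kind of grant an RBAC audit should surface: a ServiceAccount bound to cluster-admin whose token is a long-lived bearer secret. The script below is an added example and not code from the original post. dump_bindings flattens `kubectl get clusterrolebindings` into one tab-separated line per binding (it needs a live cluster and is not run here), and the pure-shell filters after it work on that shape; sample_bindings is a constructed stand-in that looks like a kubeadm cluster with its default system:masters binding plus the user-shikanon binding from this page.

```shell
#!/bin/sh
# Added example (not part of the original post): find out who holds cluster-admin.
set -eu

# Live cluster: one line per ClusterRoleBinding,
#   <binding>\t<role>\t<Kind:namespace:name> [<Kind:namespace:name> ...]
# (namespace is empty for User and Group subjects, giving e.g. "Group::system:masters").
dump_bindings() {
  kubectl get clusterrolebindings -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.roleRef.name}{"\t"}{range .subjects[*]}{.kind}:{.namespace}:{.name}{" "}{end}{"\n"}{end}'
}

# Constructed sample in the same shape: the kubeadm defaults plus the binding from this page.
sample_bindings() {
  printf 'cluster-admin\tcluster-admin\tGroup::system:masters \n'
  printf 'system:basic-user\tsystem:basic-user\tGroup::system:authenticated \n'
  printf 'user-shikanon\tcluster-admin\tServiceAccount:kube-system:user-shikanon \n'
}

# Print "<binding> <subject>" for every subject bound to ClusterRole $1.
# Reads the dump_bindings shape on stdin.
bindings_for_role() {
  tab=$(printf '\t')
  while IFS="$tab" read -r binding roleref subjects; do
    [ "$roleref" = "$1" ] || continue
    for s in $subjects; do   # default IFS here, so the space-separated subjects split
      printf '%s %s\n' "$binding" "$s"
    done
  done
}

# ServiceAccount subjects only. Their tokens are long-lived bearer secrets that anyone who
# can read the Secret, or the pod it is mounted into, can replay, so each one deserves review.
service_account_admins() {
  bindings_for_role cluster-admin | grep ' ServiceAccount:' || true
}

# Live-cluster confirmation of what such an account can actually do (not run here):
# impersonate it and list its permissions.
can_i_as_sa() {  # $1 = namespace, $2 = service account name
  kubectl auth can-i --list --as="system:serviceaccount:$1:$2"
}

printf 'cluster-admin grants:\n'
sample_bindings | bindings_for_role cluster-admin
printf 'service accounts with cluster-admin:\n'
sample_bindings | service_account_admins
```

Against a real cluster run `dump_bindings | service_account_admins`; every line it prints is a service account whose token is equivalent to the admin kubeconfig, and `can_i_as_sa kube-system user-shikanon` shows the resulting permission list without needing the token itself. The same filters work for any role name, so `dump_bindings | bindings_for_role view` answers the narrower question after you replace cluster-admin with a read-only role as suggested above.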