
kubernetes-dashboard installation and introduction

Kanonpy
Published 01/27 17:49

k8s-dashboard installation and introduction

Installing the dashboard UI

kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended/kubernetes-dashboard.yaml

Check whether the installation succeeded:

kubectl get svc,pod --all-namespaces

NAMESPACE     NAME                           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE

...
kube-system   service/kubernetes-dashboard   ClusterIP   10.110.187.255   <none>        443/TCP         86m

NAMESPACE     NAME                                       READY   STATUS    RESTARTS   AGE
...
kube-system   pod/kubernetes-dashboard-57df4db6b-jjqhf   1/1     Running   8          86m

Note: if an image pull error occurs, you can use a private registry. First check which image is referenced:

cat kubernetes-dashboard.yaml | grep image
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1

Then replace "k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1" with "mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1", pull it with docker and push it to the private registry; for details see (https://mp.weixin.qq.com/s/cV74onbtzTubrrhOl_Qi8w).

Dashboard startup arguments:

| Argument | Default value | Description |
| --- | --- | --- |
| insecure-port | 9090 | The port to listen to for incoming HTTP requests. |
| port | 8443 | The secure port to listen to for incoming HTTPS requests. |
| insecure-bind-address | 127.0.0.1 | The IP address on which to serve the --port (set to 0.0.0.0 for all interfaces). |
| bind-address | 0.0.0.0 | The IP address on which to serve the --secure-port (set to 0.0.0.0 for all interfaces). |
| default-cert-dir | /certs | Directory path containing '--tls-cert-file' and '--tls-key-file' files. Used also when auto-generating certificates flag is set. Relative to the container, not the host. |
| tls-cert-file | - | File containing the default x509 Certificate for HTTPS. |
| tls-key-file | - | File containing the default x509 private key matching --tls-cert-file. |
| apiserver-host | - | The address of the Kubernetes Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8080. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and local discovery is attempted. |
| api-log-level | DEFAULT | Set or disable API request logging. DEFAULT sanitizes potentially sensitive URLs; DEBUG outputs all request output (even if sensitive); NONE disables all request logging. |
| heapster-host | - | The address of the Heapster to connect to in the format of protocol://address:port, e.g., http://localhost:8082. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and service proxy will be used. |
| kubeconfig | - | Path to kubeconfig file with authorization and master location information. |
| token-ttl | 15 minutes | Expiration time (in seconds) of JWE tokens generated by dashboard. Default: 15 min. 0 - never expires. |
| authentication-mode | token | Enables authentication options that will be reflected on login screen. Supported values: token, basic. Note that basic option should only be used if apiserver has '--authorization-mode=ABAC' and '--basic-auth-file' flags set. |
| metric-client-check-period | 30 seconds | Time in seconds that defines how often configured metric client health check should be run. |
| auto-generate-certificates | false | When set to true, Dashboard will automatically generate certificates used to serve HTTPS. |
| enable-insecure-login | false | When enabled, Dashboard login view will also be shown when Dashboard is not served over HTTPS. Still, it requires frontend to be accessed over HTTPS (i.e. secure nginx proxy). |
| system-banner | - | When non-empty displays message to Dashboard users. Accepts simple HTML tags. |
| system-banner-severity | INFO | Severity of system banner. Should be one of 'INFO,WARNING,ERROR'. |
| disable-settings-authorizer | false | When enabled, Dashboard settings page will not require user to be logged in and authorized to access settings page. |
| enable-skip-login | false | When enabled, the skip button on the login page will be shown. |

Access through kubectl proxy

kubectl proxy starts a proxy server for the Kubernetes API server:

Options:
      --accept-hosts='^localhost$,^127\.0\.0\.1$,^\[::1\]$': Regular expression for hosts that the proxy should accept.
      --accept-paths='^.*': Regular expression for paths that the proxy should accept.
      --address='127.0.0.1': The IP address on which to serve on.
      --api-prefix='/': Prefix to serve the proxied API under.
      --disable-filter=false: If true, disable request filtering in the proxy. This is dangerous, and can leave you
vulnerable to XSRF attacks, when used with an accessible port.
      --keepalive=0s: keepalive specifies the keep-alive period for an active network connection. Set to 0 to disable
keepalive.
  -p, --port=8001: The port on which to run the proxy. Set to 0 to pick a random port.
      --reject-methods='^$': Regular expression for HTTP methods that the proxy should reject (example
--reject-methods='POST,PUT,PATCH'). 
      --reject-paths='^/api/.*/pods/.*/exec,^/api/.*/pods/.*/attach': Regular expression for paths that the proxy should
reject. Paths specified here will be rejected even accepted by --accept-paths.
  -u, --unix-socket='': Unix socket on which to run the proxy.
  -w, --www='': Also serve static files from the given directory under the specified prefix.
  -P, --www-prefix='/static/': Prefix to serve static files under, if static file directory is specified.

Usage:
  kubectl proxy [--port=PORT] [--www=static-dir] [--www-prefix=prefix] [--api-prefix=prefix] [options]

To make it reachable from other servers, set both the --accept-hosts and --address parameters.

kubectl proxy --address='0.0.0.0' --port=8001 --accept-hosts='^localhost$,^192\.168\.1\.122$'

Setting up login access

Open the address http://192.168.1.122:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/:

It can now be reached from a browser. Two official authentication methods are offered: kubeconfig and a token.

Token login

Each k8s service has its own token:

kubectl get secret -n kube-system

NAME                                             TYPE                                  DATA   AGE
attachdetach-controller-token-8kh8n              kubernetes.io/service-account-token   3      21h
bootstrap-signer-token-htm5l                     kubernetes.io/service-account-token   3      21h
bootstrap-token-ngcxcv                           bootstrap.kubernetes.io/token         7      21h
calico-node-token-4wkts                          kubernetes.io/service-account-token   3      20h
certificate-controller-token-dzvlt               kubernetes.io/service-account-token   3      21h
clusterrole-aggregation-controller-token-qpvfv   kubernetes.io/service-account-token   3      21h
coredns-token-hdk66                              kubernetes.io/service-account-token   3      21h
cronjob-controller-token-tmvgn                   kubernetes.io/service-account-token   3      21h
daemon-set-controller-token-wxfbl                kubernetes.io/service-account-token   3      21h
default-token-67lzs                              kubernetes.io/service-account-token   3      21h
deployment-controller-token-ps2sn                kubernetes.io/service-account-token   3      21h
disruption-controller-token-qhncp                kubernetes.io/service-account-token   3      21h
endpoint-controller-token-mq29n                  kubernetes.io/service-account-token   3      21h
expand-controller-token-qv82t                    kubernetes.io/service-account-token   3      21h
generic-garbage-collector-token-4bklk            kubernetes.io/service-account-token   3      21h
horizontal-pod-autoscaler-token-4nn7k            kubernetes.io/service-account-token   3      21h
job-controller-token-hmjcx                       kubernetes.io/service-account-token   3      21h
kube-proxy-token-phvpr                           kubernetes.io/service-account-token   3      21h
kubernetes-dashboard-certs                       Opaque                                0      143m
kubernetes-dashboard-csrf                        Opaque                                1      143m
kubernetes-dashboard-key-holder                  Opaque                                2      76m
kubernetes-dashboard-token-tpvvp                 kubernetes.io/service-account-token   3      143m
namespace-controller-token-9jm46                 kubernetes.io/service-account-token   3      21h
node-controller-token-lvw87                      kubernetes.io/service-account-token   3      21h
persistent-volume-binder-token-sn2zf             kubernetes.io/service-account-token   3      21h
pod-garbage-collector-token-gmwb6                kubernetes.io/service-account-token   3      21h
pv-protection-controller-token-r566m             kubernetes.io/service-account-token   3      21h
pvc-protection-controller-token-sh8x9            kubernetes.io/service-account-token   3      21h
replicaset-controller-token-bd724                kubernetes.io/service-account-token   3      21h
replication-controller-token-h7bt6               kubernetes.io/service-account-token   3      21h
resourcequota-controller-token-qrj5l             kubernetes.io/service-account-token   3      21h
service-account-controller-token-5brbw           kubernetes.io/service-account-token   3      21h
service-controller-token-ln82n                   kubernetes.io/service-account-token   3      21h
statefulset-controller-token-b9jlj               kubernetes.io/service-account-token   3      21h
token-cleaner-token-9lzqb                        kubernetes.io/service-account-token   3      21h
ttl-controller-token-58rdc                       kubernetes.io/service-account-token   3      21h

With kubectl describe secret we can see a specific service's token:

kubectl describe secret deployment-controller-token-ps2sn -n kube-system
Name:         deployment-controller-token-ps2sn
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: deployment-controller
              kubernetes.io/service-account.uid: e3dff2a1-2095-11e9-b54b-5254003008ab

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.d_GQotLp38_5GOMCHy2sn9zvgTThnSo4cUN5PkRbKyLtT16zl1MtFadOogLc7iVllNgDGAzHHAbo73m35gi1j0H_o0A742wZq4gLS-06r4UPfhpU9IoGhYZusYOY-RvBkjm7PZbKhudxwStdP44HhwaqdoX2wMwZgT8mrVd74VEs988zPEaM-QAKYLhYgOEAlEFvXnFfzm2dRD9LtK7m1JrlmevmtONfucEPpJiVuAhYBYq31KZ6YOya0Py8tInd8S-9_pmBmNVCYE2MzyFLWJ5uJhmdefqNWwTgKaKHWOsczqDecnRaSuF97Qje7udwVeVjNTeCwUzOZAfPlHLe-Q

But each service's token carries different permissions and may not match our needs, so we need to create our own ClusterRole and grant it permissions.

Create the file user-shikanon.yaml:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: user-shikanon
  namespace: kube-system

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: user-shikanon
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: user-shikanon
  namespace: kube-system

Apply the file:

[root@master ~]# kubectl create -f user-shikanon.yaml

serviceaccount/user-shikanon created
clusterrolebinding.rbac.authorization.k8s.io/user-shikanon created

View the token of the user-shikanon service:

[root@master ~]# kubectl describe secret user-shikanon --namespace=kube-system
Name:         user-shikanon-token-6t5rd
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: user-shikanon
              kubernetes.io/service-account.uid: f290b948-2149-11e9-a469-5254003008ab

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.Ap6MY85X38mVGXqEe7T8UW-RHNXWWJZ06eKKXMKutRJUKDNcfKKV0Y1o_CsWLfSNjqNjRCoTYs4x73vHwo6LkrXrzKoyh7VZytcMxpwV7FiLAMU0OFia179WROAIEpvZ1AsK94X2NM3zBS4I3pVNK_OLM4wuOBLcX9bkFscBRufs3SvgtA64t8_vq4udgoQdERdnK3EiPBgpZEjnGQIK_o-kgGKviXhS892r2QD9y_YlrFyY6Gu4xPRew_k2jPpFpZNyjYp3pKWw6DnGKBN39M7T5igLnSXJEQGp1mXgYrgWBL-IQeWtRTVcpBIeRFa5AoPMfPcv5x4AsWHK_rF1_A
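The token shown by kubectl describe is a JWT whose claims name the service account, and the API server maps those claims to the subject that the RBAC bindings are checked against. As an added example (not code from the original post), the Python below decodes such a token offline and derives that RBAC subject; the sample token is constructed here with the same header as the page's tokens and the page's user-shikanon claim values, with a dummy signature, and no signature verification is done because only the API server holds the key for that.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_sa_token(token: str) -> dict:
    """Split header.payload.signature and return the claims. The signature is NOT
    checked here; the API server verifies it against the service-account signing key."""
    header, payload, _signature = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "RS256":
        raise ValueError("not an RS256 service-account token")
    return json.loads(_b64url_decode(payload))


def rbac_subject(claims: dict) -> dict:
    """Map the token claims onto the subject a (Cluster)RoleBinding must list."""
    ns = claims["kubernetes.io/serviceaccount/namespace"]
    name = claims["kubernetes.io/serviceaccount/service-account.name"]
    if claims.get("sub") != f"system:serviceaccount:{ns}:{name}":
        raise ValueError("sub claim does not match the service-account claims")
    return {"kind": "ServiceAccount", "name": name, "namespace": ns}


# Constructed sample: header {"alg":"RS256","kid":""} as on the page, claims from the
# user-shikanon secret shown above, and a dummy signature (not a real signed token).
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/secret.name": "user-shikanon-token-6t5rd",
    "kubernetes.io/serviceaccount/service-account.name": "user-shikanon",
    "kubernetes.io/serviceaccount/service-account.uid": "f290b948-2149-11e9-a469-5254003008ab",
    "sub": "system:serviceaccount:kube-system:user-shikanon",
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": ""}, separators=(",", ":")).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode()),
    _b64url_encode(b"not-a-real-signature"),
])

if __name__ == "__main__":
    print(rbac_subject(decode_sa_token(SAMPLE_TOKEN)))
```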

kubeconfig login

Find the kubeconfig file at .kube/config, or create a new kubeconfig file, and add a token field at the end of the config file:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 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
    server: https://192.168.1.120:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: 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
    client-key-data: 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
    token: eyJhbGciOiJSUzI1NiIsIm

RBAC access control

Access control with Role and ClusterRole

A Role can only grant access to resources within a single namespace. In the RBAC API a Role represents a set of permission rules, and permissions are purely additive: there is no such thing as a resource starting out with many permissions that RBAC then takes away. A Role is defined inside one namespace; to span namespaces, create a ClusterRole, which is cluster-level.

Role:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

ClusterRole:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

Access control with RoleBinding and ClusterRoleBinding

A RoleBinding grants the permissions defined in a role to a user or group. A RoleBinding contains a list of subjects, which can be of different types (users, groups, or service accounts), and a reference to the Role being bound. A RoleBinding grants access within one namespace, while a ClusterRoleBinding grants access cluster-wide.

RoleBinding:

# This role binding allows "dave" to read secrets in the "development" namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-secrets
  namespace: development # This only grants permissions within the "development" namespace.
subjects:
- kind: User
  name: dave
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io

ClusterRoleBinding:

# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
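To see how these bindings are evaluated, here is an added example (not part of the original post) that models the page's secret-reader ClusterRole, the read-secrets RoleBinding, the read-secrets-global ClusterRoleBinding and the user-shikanon cluster-admin binding created earlier in a small additive RBAC evaluator in Python. The Subject/Role/Binding classes are my own simplification of the API objects, and cluster-admin's wildcard rule is taken from its well-known definition rather than from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    kind: str            # "User", "Group" or "ServiceAccount"
    name: str
    namespace: str = ""  # set only for ServiceAccount subjects


@dataclass
class Role:              # rules of a Role or ClusterRole; the binding decides the scope
    name: str
    rules: list          # [{"apiGroups": [...], "resources": [...], "verbs": [...]}, ...]


@dataclass
class Binding:           # RoleBinding when namespace is set, ClusterRoleBinding when ""
    role: Role
    subjects: list
    namespace: str = ""


def rule_allows(rule, api_group, resource, verb):
    match = lambda items, value: "*" in items or value in items
    return (match(rule["apiGroups"], api_group) and match(rule["resources"], resource)
            and match(rule["verbs"], verb))


def allowed(bindings, subject, groups, verb, resource, namespace, api_group=""):
    """RBAC is purely additive: allow if any binding's role has a matching rule, else deny."""
    principals = {subject} | {Subject("Group", g) for g in groups}
    for b in bindings:
        # A RoleBinding only grants inside its own namespace, even when it references a ClusterRole.
        if b.namespace and b.namespace != namespace:
            continue
        if not principals.intersection(b.subjects):
            continue
        if any(rule_allows(r, api_group, resource, verb) for r in b.role.rules):
            return True
    return False


# The page's objects; cluster-admin's wildcard rule is its well-known definition.
secret_reader = Role("secret-reader",
                     [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}])
cluster_admin = Role("cluster-admin", [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}])
BINDINGS = [
    Binding(secret_reader, [Subject("User", "dave")], namespace="development"),           # read-secrets
    Binding(secret_reader, [Subject("Group", "manager")]),                                # read-secrets-global
    Binding(cluster_admin, [Subject("ServiceAccount", "user-shikanon", "kube-system")]),  # user-shikanon
]

if __name__ == "__main__":
    dave = Subject("User", "dave")
    print(allowed(BINDINGS, dave, [], "get", "secrets", "development"))  # True
    print(allowed(BINDINGS, dave, [], "get", "secrets", "default"))      # False: RoleBinding is namespaced
```

The last binding illustrates why binding a dashboard login account to cluster-admin is worth reconsidering: a single wildcard rule lets that token do anything in any namespace.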
