为Kubernetes dashboard访问用户添加权限控制

作者: ygqygq2 分类: 系统/运维,虚拟化/容器 发布时间: 2018-10-17 10:29

# 为Kubernetes dashboard访问用户添加权限控制

[TOC]

1. 需求

在开发环境给开发人员创建应用部署管理权限,可以使用dashboard的token和kubeconfig文件登录,并在开发人员机器上安装kubectl命令,可以使用kubectl port-forward命令。

2. 方案

因为我们用到了dashboard和kubeapps,所以他们的rbac权限都要分配。
创建namespace:dev
创建ServiceAccount:dev-user1
给相应权限,并绑定ServiceAccount。

3. 实现

3.1 分配dashboard权限

kubectl apply -f dev-user1.yaml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
---
# ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-user1
  namespace: dev
 
---
# role
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: role-dev-user1
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "delete", "update", "patch"]
- apiGroups: [""]
  resources: ["pods/portforward", "pods/proxy"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list", "watch", "delete"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps", "extensions"]
  resources: ["replicasets"]
  verbs: ["get", "watch", "list", "create", "update", "pathch", "delete"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "watch", "list", "create", "update", "pathch", "delete"]
- apiGroups: [""]
  resources: ["persistentvolumeclaims"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "watch", "list", "create", "update", "pathch", "delete"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["daemonsets"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["cronjobs"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["replicationcontrollers"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["statefulsets"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["get", "watch", "list"]
 
---
# role bind
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-bind-dev-user1
  namespace: dev
subjects:
- kind: ServiceAccount
  name: dev-user1
  namespace: dev
roleRef:
  kind: Role
  name: role-dev-user1
  apiGroup: rbac.authorization.k8s.io
 
#---
## clusterrole
#kind: ClusterRole
#apiVersion: rbac.authorization.k8s.io/v1
#metadata:
#  namespace: dev
#  name: clusterrole-dev-user1
#rules:
#- apiGroups: [""]
#  resources: ["namespaces"]
#  verbs: ["get", "watch", "list"]
#
#---
## clusterrole bind
#kind: ClusterRoleBinding
#apiVersion: rbac.authorization.k8s.io/v1
#metadata:
#  name: clusterrole-bind-dev-user1
#  namespace: dev
#subjects:
#- kind: ServiceAccount
#  name: dev-user1
#  namespace: dev
#roleRef:
#  kind: ClusterRole
#  name: clusterrole-dev-user1
#  apiGroup: rbac.authorization.k8s.io
 

3.2 分配kubeapps权限

1
2
3
4
5
kubectl apply -f https://raw.githubusercontent.com/kubeapps/kubeapps/master/docs/user/manifests/kubeapps-applications-read.yaml
kubectl create -n dev rolebinding dev-user1-view \
  --clusterrole=kubeapps-applications-read \
  --serviceaccount dev:dev-user1
 

1
2
3
4
5
6
7
8
9
export KUBEAPPS_NAMESPACE=kubeapps
kubectl apply -n $KUBEAPPS_NAMESPACE -f https://raw.githubusercontent.com/kubeapps/kubeapps/master/docs/user/manifests/kubeapps-repositories-read.yaml
kubectl create -n dev rolebinding dev-user1-edit \
  --clusterrole=edit \
  --serviceaccount dev:dev-user1
kubectl create -n $KUBEAPPS_NAMESPACE rolebinding dev1-user1-kubeapps-repositories-read \
  --role=kubeapps-repositories-read \
  --serviceaccount dev:dev-user1
 

token获取:

1
2
kubectl get -n dev secret $(kubectl get -n dev serviceaccount dev-user1 -o jsonpath='{.secrets[].name}') -o jsonpath='{.data.token}' | base64 --decode
 

3.3 生成kubeconfig

通过token方式访问kube-apiserver

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# 创建 kubectl config 文件
# 设置集群参数
kubectl config set-cluster kubernetes \
  --insecure-skip-tls-verify=true \
  --server="https://192.168.105.99:8443"
# 设置客户端认证参数
kubectl config set-credentials dev-user1 \
  --token='上文中获取到的token'
# 设置上下文参数
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=dev-user1  \
  --namespace=dev
# 设置默认上下文
kubectl config use-context kubernetes
 

注意
配置kubeconfig时指定路径,以免覆盖已有配置,--kubeconfig=configpath

也可以直接创建文件config,修改内容即可。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://192.168.105.99:8443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: dev
    user: dev-user1
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: dev-user1
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZXYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiZGV2LXVzZXIxLXRva2VuLTJsbDlnIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZX291bnQubmFtZSI6ImRldi11c2VyMSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjdiY2Q4N2E1LWM0NGEtMTFlOC1iY2I5LTAwMGMyOWVhM2UzMCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZXY6ZGV2LXVzZXIxIn0.1M84CPHY-GoyeaRFyBcD49GTwG5o0HMhN8lVsH9GDiqdui-1ppyi3JMONRJ9aWdswEF7-wsb5d4MQEk-9z5yiVh2r8SMP0EhcUR5ierntzD1bwwwuYzDxE4vHAuPB1tTxM0fOL3H-BOjt68iBKmOtRJumx8LzSUleQiNBBqR1B_yRLqrO6yslw44WC432O5g1v
 

4. 测试验证

windows kubectl命令安装

命令下载:
https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/windows/amd64/kubectl.exe

然后将其放至系统PATH目录下,比如c:\Windows
命令使用时,可使用cmd、powershell或者其它命令提示行工具。推荐使用Git Bash,因为安装过Git,则安装了此工具。

kubeconfig文件
kubeconfig文件,即上文件中生成的config文件。
文件名为config,文件放到 ~/.kube/下(~为用户家目录),因为kubectl命令默认读取此文件,否则每次使用kubectl命令,需要用参数--kubeconfig=configpath指定。

1
2
3
kubectl get pod -n dev
kubectl port-forward svc/dev-mysql-mysqlha 3306:3306 -n dev
 

参考资料:
[1] https://kubernetes.io/docs/reference/access-authn-authz/rbac/
[2] https://blog.qikqiak.com/post/add-authorization-for-kubernetes-dashboard/
[3] https://github.com/kubeapps/kubeapps/blob/master/docs/user/access-control.md
[4] https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#config
[5] https://kubernetes.io/docs/tasks/tools/install-kubectl/#configure-kubectl

如果觉得我的文章对您有用,请随意打赏。您的支持将鼓励我继续创作!

发表评论

您的电子邮箱地址不会被公开。

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据

更多阅读
标签云
argo cache CDN CentOS ceph CI/CD dashboard dns docker fastcgi fastdfs gitlab GlusterFS Hash helm http ingress javascript jenkins keepalived kubeadm kubernetes Linux LVS Mycat MySQL nginx pipeline PostgreSQL prometheus python SaltStack squid ssl TCP tengine windows zabbix 代理 删除 文件系统 监控 算法 缓存 面试题