为Kubernetes dashboard访问用户添加权限控制

作者: ygqygq2 分类: 系统/运维,虚拟化/容器发布时间: 2018-10-17 10:29

# 为Kubernetes dashboard访问用户添加权限控制

1. 需求
2. 方案
3. 实现
4. 测试验证

1. 需求

在开发环境给开发人员创建应用部署管理权限，可以使用dashboard的token和kubeconfig文件登录，并在开发人员机器上安装kubectl命令，可以使用kubectl port-forward命令。

2. 方案

因为我们用到了dashboard和kubeapps，所以他们的rbac权限都要分配。
创建namespace：dev
创建ServiceAccount：dev-user1
给相应权限，并绑定ServiceAccount。

3. 实现

3.1 分配dashboard权限

kubectl apply -f dev-user1.yaml

---
# ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-user1
  namespace: dev

---
# role
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: role-dev-user1
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "delete", "update", "patch"]
- apiGroups: [""]
  resources: ["pods/portforward", "pods/proxy"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list", "watch", "delete"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps", "extensions"]
  resources: ["replicasets"]
  verbs: ["get", "watch", "list", "create", "update", "pathch", "delete"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "watch", "list", "create", "update", "pathch", "delete"]
- apiGroups: [""]
  resources: ["persistentvolumeclaims"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "watch", "list", "create", "update", "pathch", "delete"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["daemonsets"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["cronjobs"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["replicationcontrollers"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["statefulsets"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["get", "watch", "list"]

---
# role bind
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-bind-dev-user1
  namespace: dev
subjects:
- kind: ServiceAccount
  name: dev-user1
  namespace: dev
roleRef:
  kind: Role
  name: role-dev-user1
  apiGroup: rbac.authorization.k8s.io

#---
## clusterrole
#kind: ClusterRole
#apiVersion: rbac.authorization.k8s.io/v1
#metadata:
#  namespace: dev
#  name: clusterrole-dev-user1
#rules:
#- apiGroups: [""]
#  resources: ["namespaces"]
#  verbs: ["get", "watch", "list"]
#
#---
## clusterrole bind
#kind: ClusterRoleBinding
#apiVersion: rbac.authorization.k8s.io/v1
#metadata:
#  name: clusterrole-bind-dev-user1
#  namespace: dev
#subjects:
#- kind: ServiceAccount
#  name: dev-user1
#  namespace: dev
#roleRef:
#  kind: ClusterRole
#  name: clusterrole-dev-user1
#  apiGroup: rbac.authorization.k8s.io

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

---

# ServiceAccount

apiVersion: v1

kind: ServiceAccount

metadata:

namespace: dev

---

# role

kind: Role

apiVersion: rbac.authorization.k8s.io/v1

metadata:

namespace: dev

rules:

- apiGroups: [""]

resources: ["pods"]

verbs: ["get", "list", "watch", "delete", "update", "patch"]

- apiGroups: [""]

resources: ["pods/portforward", "pods/proxy"]

verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

- apiGroups: [""]

resources: ["pods/log"]

verbs: ["get", "list", "watch", "delete"]

- apiGroups: ["extensions", "apps"]

resources: ["deployments"]

verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

- apiGroups: [""]

resources: ["namespaces"]

verbs: ["get", "watch", "list"]

- apiGroups: [""]

resources: ["events"]

verbs: ["get", "watch", "list"]

- apiGroups: ["apps", "extensions"]

resources: ["replicasets"]

verbs: ["get", "watch", "list", "create", "update", "pathch", "delete"]

- apiGroups: [""]

resources: ["configmaps"]

verbs: ["get", "watch", "list", "create", "update", "pathch", "delete"]

- apiGroups: [""]

resources: ["persistentvolumeclaims"]

verbs: ["get", "watch", "list"]

- apiGroups: [""]

resources: ["secrets"]

verbs: ["get", "watch", "list"]

- apiGroups: [""]

resources: ["services"]

verbs: ["get", "watch", "list", "create", "update", "pathch", "delete"]

- apiGroups: ["extensions"]

resources: ["ingresses"]

verbs: ["get", "watch", "list"]

- apiGroups: ["apps"]

resources: ["daemonsets"]

verbs: ["get", "watch", "list"]

- apiGroups: ["batch"]

resources: ["jobs"]

verbs: ["get", "watch", "list"]

- apiGroups: ["batch"]

resources: ["cronjobs"]

verbs: ["get", "watch", "list"]

- apiGroups: [""]

resources: ["replicationcontrollers"]

verbs: ["get", "watch", "list"]

- apiGroups: ["apps"]

resources: ["statefulsets"]

verbs: ["get", "watch", "list"]

- apiGroups: [""]

resources: ["endpoints"]

verbs: ["get", "watch", "list"]

---

# role bind

kind: RoleBinding

apiVersion: rbac.authorization.k8s.io/v1

metadata:

namespace: dev

subjects:

- kind: ServiceAccount

namespace: dev

roleRef:

kind: Role

apiGroup: rbac.authorization.k8s.io

#---

## clusterrole

#kind: ClusterRole

#apiVersion: rbac.authorization.k8s.io/v1

#metadata:

# namespace: dev

# name: clusterrole-dev-user1

#rules:

#- apiGroups: [""]

# resources: ["namespaces"]

# verbs: ["get", "watch", "list"]

#---

## clusterrole bind

#kind: ClusterRoleBinding

#apiVersion: rbac.authorization.k8s.io/v1

#metadata:

# name: clusterrole-bind-dev-user1

# namespace: dev

#subjects:

#- kind: ServiceAccount

# name: dev-user1

# namespace: dev

#roleRef:

# kind: ClusterRole

# name: clusterrole-dev-user1

# apiGroup: rbac.authorization.k8s.io

3.2 分配kubeapps权限

kubectl apply -f https://raw.githubusercontent.com/kubeapps/kubeapps/master/docs/user/manifests/kubeapps-applications-read.yaml
kubectl create -n dev rolebinding dev-user1-view \
  --clusterrole=kubeapps-applications-read \
  --serviceaccount dev:dev-user1

kubectl apply -f https://raw.githubusercontent.com/kubeapps/kubeapps/master/docs/user/manifests/kubeapps-applications-read.yaml

kubectl create -n dev rolebinding dev-user1-view \

--clusterrole=kubeapps-applications-read \

--serviceaccount dev:dev-user1

export KUBEAPPS_NAMESPACE=kubeapps
kubectl apply -n $KUBEAPPS_NAMESPACE -f https://raw.githubusercontent.com/kubeapps/kubeapps/master/docs/user/manifests/kubeapps-repositories-read.yaml
kubectl create -n dev rolebinding dev-user1-edit \
  --clusterrole=edit \
  --serviceaccount dev:dev-user1
kubectl create -n $KUBEAPPS_NAMESPACE rolebinding dev1-user1-kubeapps-repositories-read \
  --role=kubeapps-repositories-read \
  --serviceaccount dev:dev-user1

export KUBEAPPS_NAMESPACE=kubeapps

kubectl apply -n $KUBEAPPS_NAMESPACE -f https://raw.githubusercontent.com/kubeapps/kubeapps/master/docs/user/manifests/kubeapps-repositories-read.yaml

kubectl create -n dev rolebinding dev-user1-edit \

--clusterrole=edit \

--serviceaccount dev:dev-user1

kubectl create -n $KUBEAPPS_NAMESPACE rolebinding dev1-user1-kubeapps-repositories-read \

--role=kubeapps-repositories-read \

--serviceaccount dev:dev-user1

token获取：

kubectl get -n dev secret $(kubectl get -n dev serviceaccount dev-user1 -o jsonpath='{.secrets[].name}') -o jsonpath='{.data.token}' | base64 --decode

1 2	kubectl get -n dev secret $(kubectl get -n dev serviceaccount dev-user1 -o jsonpath='{.secrets[].name}') -o jsonpath='{.data.token}' \| base64 --decode

3.3 生成kubeconfig

通过token方式访问kube-apiserver

# 创建 kubectl config 文件
# 设置集群参数
kubectl config set-cluster kubernetes \
  --insecure-skip-tls-verify=true \
  --server="https://192.168.105.99:8443"
# 设置客户端认证参数
kubectl config set-credentials dev-user1 \
  --token='上文中获取到的token' 
# 设置上下文参数
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=dev-user1  \
  --namespace=dev 
# 设置默认上下文
kubectl config use-context kubernetes

# 创建 kubectl config 文件

# 设置集群参数

kubectl config set-cluster kubernetes \

--insecure-skip-tls-verify=true \

--server="https://192.168.105.99:8443"

# 设置客户端认证参数

kubectl config set-credentials dev-user1 \

--token='上文中获取到的token'

# 设置上下文参数

kubectl config set-context kubernetes \

--cluster=kubernetes \

--user=dev-user1 \

--namespace=dev

# 设置默认上下文

kubectl config use-context kubernetes

注意
配置kubeconfig时指定路径，以免覆盖已有配置，--kubeconfig=configpath

也可以直接创建文件config，修改内容即可。

apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://192.168.105.99:8443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: dev
    user: dev-user1
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: dev-user1
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZXYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiZGV2LXVzZXIxLXRva2VuLTJsbDlnIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZX291bnQubmFtZSI6ImRldi11c2VyMSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjdiY2Q4N2E1LWM0NGEtMTFlOC1iY2I5LTAwMGMyOWVhM2UzMCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZXY6ZGV2LXVzZXIxIn0.1M84CPHY-GoyeaRFyBcD49GTwG5o0HMhN8lVsH9GDiqdui-1ppyi3JMONRJ9aWdswEF7-wsb5d4MQEk-9z5yiVh2r8SMP0EhcUR5ierntzD1bwwwuYzDxE4vHAuPB1tTxM0fOL3H-BOjt68iBKmOtRJumx8LzSUleQiNBBqR1B_yRLqrO6yslw44WC432O5g1v

apiVersion: v1

clusters:

- cluster:

insecure-skip-tls-verify: true

server: https://192.168.105.99:8443

contexts:

- context:

cluster: kubernetes

namespace: dev

user: dev-user1

current-context: kubernetes

kind: Config

preferences: {}

users:

- name: dev-user1

user:

token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZXYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiZGV2LXVzZXIxLXRva2VuLTJsbDlnIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZX291bnQubmFtZSI6ImRldi11c2VyMSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjdiY2Q4N2E1LWM0NGEtMTFlOC1iY2I5LTAwMGMyOWVhM2UzMCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZXY6ZGV2LXVzZXIxIn0.1M84CPHY-GoyeaRFyBcD49GTwG5o0HMhN8lVsH9GDiqdui-1ppyi3JMONRJ9aWdswEF7-wsb5d4MQEk-9z5yiVh2r8SMP0EhcUR5ierntzD1bwwwuYzDxE4vHAuPB1tTxM0fOL3H-BOjt68iBKmOtRJumx8LzSUleQiNBBqR1B_yRLqrO6yslw44WC432O5g1v

4. 测试验证

windows kubectl命令安装

命令下载：
https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/windows/amd64/kubectl.exe

然后将其放至系统PATH目录下，比如c:\Windows
命令使用时，可使用cmd、powershell或者其它命令提示行工具。推荐使用Git Bash，因为安装过Git，则安装了此工具。

kubeconfig文件
kubeconfig文件，即上文件中生成的config文件。
文件名为config，文件放到 ~/.kube/下（~为用户家目录），因为kubectl命令默认读取此文件，否则每次使用kubectl命令，需要用参数--kubeconfig=configpath指定。

kubectl get pod -n dev
kubectl port-forward svc/dev-mysql-mysqlha 3306:3306 -n dev

kubectl get pod -n dev

kubectl port-forward svc/dev-mysql-mysqlha 3306:3306 -n dev

参考资料：
[1] https://kubernetes.io/docs/reference/access-authn-authz/rbac/
[2] https://blog.qikqiak.com/post/add-authorization-for-kubernetes-dashboard/
[3] https://github.com/kubeapps/kubeapps/blob/master/docs/user/access-control.md
[4] https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#config
[5] https://kubernetes.io/docs/tasks/tools/install-kubectl/#configure-kubectl

如果觉得我的文章对您有用，请随意打赏。您的支持将鼓励我继续创作！

发表评论取消回复

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据。

为Kubernetes dashboard访问用户添加权限控制

1. 需求

2. 方案

3. 实现

3.1 分配dashboard权限

3.2 分配kubeapps权限

3.3 生成kubeconfig

4. 测试验证

发表评论 取消回复

发表评论取消回复