Permission management
Permission management is based on RBAC and is divided into service account permission management and user permission management. Roles are divided into ordinary roles (Role) and cluster roles (ClusterRole); see the documentation for the details of permission management.
Namespaces
Create a namespace
kubectl create namespace hawkeye -n kube-system
Service account permission management
# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: luban-team
  name: luban-team
  namespace: luban-beta
---
# ------------------- Dashboard Role & Role Binding ------------------- #
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: team-role
  # A Role is namespaced; without metadata.namespace it is created in the
  # kubeconfig's current namespace.
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
  # Note: "list" returns whole objects and cannot be limited by resourceNames,
  # so this rule also allows reading every secret in the namespace.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "list"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "list"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
    verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  # With resourceNames commented out, this applies to every config map in the namespace.
  - apiGroups: [""]
    resources: ["configmaps"]
    # resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster"]
    verbs: ["proxy", "get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
    verbs: ["get"]
  # Core-group workload resources. daemonsets, replicasets and statefulsets live in
  # the apps group (granted below), so naming them here grants nothing extra.
  - apiGroups: [""]
    resources: ["pods", "endpoints", "services", "daemonsets", "events", "replicasets", "statefulsets", "replicationcontrollers", "persistentvolumeclaims", "pods/log", "pods/exec", "replicasets/scale", "statefulsets/scale", "replicationcontrollers/scale", "daemonsets/scale", "pods/scale", "limitranges"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["batch", "extensions"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments", "ingresses", "daemonsets", "replicasets", "statefulsets", "deployments/scale"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["batch"]
    resources: ["cronjobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["namespaces", "nodes"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["alertmanagers", "prometheuses", "servicemonitors"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-role-bind
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: team-role
subjects:
  # The group name already selects every service account in the k8s-admin
  # namespace; a namespace field is only valid for ServiceAccount subjects.
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts:k8s-admin
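Before binding a team's service accounts to a Role like the one above, it is worth checking its rules for grants that are broader than the comments suggest. The following is an added example, not part of the original document: a small audit over a constructed subset of team-role's rules (written as Python structures rather than parsed from the YAML, so it runs without PyYAML), flagging wildcards, unscoped access to secrets and config maps, and exec/proxy-style grants.

```python
# Added example (not from the original document): audit a Role's rules for
# the grants a reviewer should question before binding a team to it.
# TEAM_ROLE_RULES is a constructed subset of the team-role above.

SENSITIVE = {"secrets", "configmaps"}  # objects that carry credentials/config
# Subresources whose "create"/"get" yield a shell in a pod or a network pivot.
PIVOT = {"pods/exec", "pods/attach", "pods/portforward", "services/proxy"}

TEAM_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create", "list"]},
    {"apiGroups": [""], "resources": ["secrets"],
     "resourceNames": ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"],
     "verbs": ["get", "update", "delete"]},
    # resourceNames is commented out on the page, so every configmap is covered.
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "update"]},
    {"apiGroups": [""], "resources": ["pods", "pods/log", "pods/exec"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": ["monitoring.coreos.com"],
     "resources": ["alertmanagers", "prometheuses", "servicemonitors"], "verbs": ["*"]},
]


def audit_rules(rules):
    """Return (rule_index, finding) pairs, in rule order, for grants to review."""
    findings = []
    for i, rule in enumerate(rules):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        names = rule.get("resourceNames") or []
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append((i, "wildcard"))
        # list/watch return whole objects and are never limited by resourceNames,
        # so "list" on secrets means every secret in the namespace is readable.
        if resources & SENSITIVE and verbs & {"list", "watch", "*"}:
            findings.append((i, "list-reads-all-sensitive"))
        if resources & SENSITIVE and not names and verbs & {"get", "update", "patch", "delete", "*"}:
            findings.append((i, "unscoped-sensitive"))
        if resources & PIVOT and verbs & {"create", "get", "*"}:
            findings.append((i, "shell-or-pivot"))
    return findings


if __name__ == "__main__":
    for idx, finding in audit_rules(TEAM_ROLE_RULES):
        print(f"rule {idx}: {finding}")
```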
Get the token
kubectl -n spark-cluster describe secret $(kubectl -n spark-cluster get secret | grep spark | awk '{print $1}')
User permissions
Generate a client certificate signed by the cluster CA
openssl genrsa -out yuanben_devops.key 2048
openssl req -new -key yuanben_devops.key -out yuanben_devops.csr -subj "/CN=yuanben/O=yuanben_devops"
openssl x509 -req -in yuanben_devops.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out yuanben_devops.crt -days 30
Kubernetes takes the username from the certificate's CN (here yuanben) and the group from O (here yuanben_devops), so role bindings must reference those names.
Cluster configuration
export KUBE_APISERVER="https://192.168.1.66:6443"
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=/root/yuanben_devops.conf
Set the client authentication parameters
kubectl config set-credentials yuanben_devops --client-certificate=yuanben_devops.crt --client-key=yuanben_devops.key --kubeconfig=/root/yuanben_devops.conf
Set the context parameters
kubectl config set-context yuanben_devops \
  --cluster=kubernetes \
  --user=yuanben_devops \
  --namespace=kube-system \
  --kubeconfig=/root/yuanben_devops.conf
Use the context
kubectl config use-context yuanben_devops --kubeconfig=/root/yuanben_devops.conf
Bind the user to a role
kubectl create rolebinding spark-user-binding --role=spark-role --user=spark --namespace=spark
Last edited by: 马运宝 Document updated: 2021-01-08 14:32 Author: 马运宝