
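● Create a cluster role that can list namespaces
The dashboard opens in the default namespace by default, and a user whose permissions are scoped to a namespace cannot view or switch to other namespaces.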

    [root@hdss7-200 ~]# cat /data/k8s-yaml/dashboard/dashboard_1.10.1/list-namespace.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: list-namespace
    rules:
    - apiGroups:
      - ""
      resources:
      - namespaces
      verbs:
      - list

RBAC authorization

    [root@hdss7-200 ~]# cat /data/k8s-yaml/dashboard/dashboard_1.10.1/namespace-admin.yaml
    # Create the service account
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
        addonmanager.kubernetes.io/mode: Reconcile
      name: ns-admin
      namespace: kube-system
    ---
    # Grant administrator permissions in the default namespace
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: ns-admin-default
      namespace: default
      labels:
        k8s-app: kubernetes-dashboard
        addonmanager.kubernetes.io/mode: Reconcile
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: ns-admin
      namespace: kube-system
    ---
    # Grant administrator permissions in the app namespace
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: ns-admin-app
      namespace: app
      labels:
        k8s-app: kubernetes-dashboard
        addonmanager.kubernetes.io/mode: Reconcile
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: ns-admin
      namespace: kube-system
    ---
    # Allows listing the other namespaces so they are easy to switch between.
    # Without this permission, switching requires manually editing the namespace in the URL.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: ns-admin-list-namespace
      labels:
        k8s-app: kubernetes-dashboard
        addonmanager.kubernetes.io/mode: Reconcile
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: list-namespace
    subjects:
    - kind: ServiceAccount
      name: ns-admin
      namespace: kube-system
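
Because cluster-admin is bound here through RoleBindings, its wildcard rule applies only inside default and app; the ClusterRoleBinding to list-namespace is the only cluster-wide grant. The following added example (not part of the original page) is a simplified Python model of that RBAC decision for the ns-admin account. The function names and data layout are assumptions made for illustration, and the cluster-admin rule is the Kubernetes built-in wildcard rule rather than something defined on this page.

```python
# Simplified model of the RBAC authorizer, applied to the objects on this page.
# Assumption: cluster-admin carries the Kubernetes built-in wildcard rule;
# list-namespace and the three bindings mirror the manifests above.
CLUSTER_ROLES = {
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    "list-namespace": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": ["list"]}],
}
NS_ADMIN = {"kind": "ServiceAccount", "name": "ns-admin", "namespace": "kube-system"}
# (binding kind, binding namespace or None, referenced ClusterRole, subjects)
BINDINGS = [
    ("RoleBinding", "default", "cluster-admin", [NS_ADMIN]),
    ("RoleBinding", "app", "cluster-admin", [NS_ADMIN]),
    ("ClusterRoleBinding", None, "list-namespace", [NS_ADMIN]),
]


def _matches(allowed, value):
    """A rule field matches on an exact value or on the '*' wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, group, resource):
    return (_matches(rule["verbs"], verb)
            and _matches(rule["apiGroups"], group)
            and _matches(rule["resources"], resource))


def can_i(subject, verb, resource, namespace=None, group=""):
    """Return True if any binding grants the request.

    namespace=None models a cluster-wide request, such as listing
    namespaces or listing pods across all namespaces.
    """
    for kind, bind_ns, role, subjects in BINDINGS:
        if subject not in subjects:
            continue
        # A RoleBinding only covers requests inside its own namespace,
        # even when roleRef points at a ClusterRole such as cluster-admin.
        if kind == "RoleBinding" and bind_ns != namespace:
            continue
        if any(rule_allows(r, verb, group, resource) for r in CLUSTER_ROLES[role]):
            return True
    return False


if __name__ == "__main__":
    for verb, res, ns in [("delete", "pods", "default"), ("create", "secrets", "app"),
                          ("get", "secrets", "kube-system"), ("list", "namespaces", None),
                          ("create", "namespaces", None), ("list", "pods", None)]:
        print(f"{verb:7} {res:11} ns={ns!s:12} -> {can_i(NS_ADMIN, verb, res, ns)}")
```

The account lives in kube-system but holds no rights there, so where the ServiceAccount is created and where it is authorized are independent. On a live cluster the same questions can be checked with `kubectl auth can-i` and `--as=system:serviceaccount:kube-system:ns-admin`.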
