
k8s Dashboard authentication with username and password

2021-12-17 01:01:16  Views: 242  Source: Internet

Tags: username name ratel rbac Dashboard io k8s authorization


Overview

  Once k8s is used in production, most applications become highly available, which lowers maintenance cost and simplifies deployment for many applications, but it also brings a number of problems. For example, developers may need to view the state of their own applications, connection information and logs, or execute commands inside them.

  With k8s, a business application is handled per Pod rather than per server, so it is no longer possible to simply log in to the server and do what is needed. After business applications are deployed on k8s, the official k8s Dashboard does allow basic operations such as viewing logs and executing commands, but as the operator I do not want developers to operate on or view Pods outside their own scope, so RBAC has to be used to configure the corresponding permissions.

k8s version

[root@master02 ~]# kubectl get nodes
NAME       STATUS   ROLES   AGE   VERSION
master01   Ready   master   14d   v1.19.16
master02   Ready   master   14d   v1.19.16
master03   Ready   master   14d   v1.19.16
node01     Ready   <none>   13d   v1.19.16
node02     Ready   <none>   13d   v1.19.16

Changing the Dashboard authentication method

ClusterRoles: namespace read-only, container log viewing, container command execution and container deletion. These four are the most commonly needed permissions.

Operations on the master node

1. Edit kube-apiserver on the master nodes
[root@master02 ~]# vi /etc/kubernetes/cfg/kube-apiserver.conf
--token-auth-file=/etc/kubernetes/basic_auth_file \  # add this to the startup-parameter file, at the very end, otherwise it may misbehave
# --basic-auth-file was discontinued around version 1.7 and replaced by --token-auth-file


2. Edit the kubernetes-dashboard Deployment in the kubernetes-dashboard namespace
[root@master02 ~]# kubectl edit deployment -n kubernetes-dashboard kubernetes-dashboard
    spec:
      affinity: {}
      containers:
      - args:
        - --auto-generate-certificates
        - --namespace=kubernetes-dashboard
        - --authentication-mode=basic   # add this

3. Create the username/password configuration file.
[root@master02 ~]# cat /etc/kubernetes/basic_auth_file
test1,test1,3,"system:authentication"
test2,test2,4,"system:authentication"
test3,test3,5,"system:authentication"
test4,test4,6,"system:authentication"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: ratel-namespace-readonly
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ratel-namespace-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-namespace-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authentication
# save this to a file, then kubectl apply -f
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-resource-readonly
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-pod-exec
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-pod-delete
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - delete
# save this to a file, then kubectl create -f
RoleBindings for user test1 in the default namespace, as returned by kubectl get -o yaml (server-populated fields included):

apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: "2021-12-16T16:10:39Z"
    labels:
      ratel: "true"
      username: test1
    managedFields:
    - apiVersion: rbac.authorization.k8s.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:labels:
            .: {}
            f:ratel: {}
            f:username: {}
        f:roleRef:
          f:apiGroup: {}
          f:kind: {}
          f:name: {}
        f:subjects: {}
      manager: ratel
      operation: Update
      time: "2021-12-16T16:10:39Z"
    name: ratel-pod-delete-test1
    namespace: default
    resourceVersion: "1061269"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-pod-delete-test1
    uid: 6c8817db-116c-4355-9b5f-4ed8cab4a0a4
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: ratel-pod-delete
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: test1
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: "2021-12-16T16:10:39Z"
    labels:
      ratel: "true"
      username: test1
    managedFields:
    - apiVersion: rbac.authorization.k8s.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:labels:
            .: {}
            f:ratel: {}
            f:username: {}
        f:roleRef:
          f:apiGroup: {}
          f:kind: {}
          f:name: {}
        f:subjects: {}
      manager: ratel
      operation: Update
      time: "2021-12-16T16:10:39Z"
    name: ratel-pod-exec-test1
    namespace: default
    resourceVersion: "1061268"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-pod-exec-test1
    uid: 5d831581-cc54-4ca2-b097-702f501593f5
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: ratel-pod-exec
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: test1
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: "2021-12-16T16:10:38Z"
    labels:
      ratel: "true"
      username: test1
    managedFields:
    - apiVersion: rbac.authorization.k8s.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:labels:
            .: {}
            f:ratel: {}
            f:username: {}
        f:roleRef:
          f:apiGroup: {}
          f:kind: {}
          f:name: {}
        f:subjects: {}
      manager: ratel
      operation: Update
      time: "2021-12-16T16:10:38Z"
    name: ratel-resource-readonly-test1
    namespace: default
    resourceVersion: "1061267"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-resource-readonly-test1
    uid: 9bcb54cf-1023-4a15-9c20-22d69a312f70
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: ratel-resource-readonly
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: test1
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
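As an added example (not code from the original post), the script below builds the CSV that kube-apiserver reads from --token-auth-file (token, user name, uid, then a quoted group list) with random tokens instead of the post's token-equals-username entries, and emits the same three per-user RoleBindings the post shows for test1 as a List that kubectl apply -f accepts. The group name, ClusterRole names and labels are taken from the post; the file contents are only printed, not written to /etc/kubernetes/basic_auth_file.

```python
import csv, io, json, secrets

GROUP = "system:authentication"  # group name bound by the post's ClusterRoleBinding
CLUSTER_ROLES = ["ratel-resource-readonly", "ratel-pod-exec", "ratel-pod-delete"]

def make_token_file(users, first_uid=3):
    """Return (text, {user: token}); one token,user,uid,"groups" line per user.
    Tokens are random rather than equal to the username as in the post; the file
    is a long-lived plaintext credential store read only at apiserver start."""
    tokens, lines = {}, []
    for i, user in enumerate(users):
        tokens[user] = secrets.token_urlsafe(24)
        lines.append(f'{tokens[user]},{user},{first_uid + i},"{GROUP}"')
    return "\n".join(lines) + "\n", tokens

def parse_token_file(text):
    """Parse the CSV back to {token: (user, uid, [groups])}; the quoted fourth
    column may list several comma-separated groups."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        token, user, uid, *rest = row
        entries[token] = (user, uid, rest[0].split(",") if rest else [])
    return entries

def role_binding(user, namespace, cluster_role):
    """RoleBinding that grants one ClusterRole's rules to one user in one namespace."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": f"{cluster_role}-{user}", "namespace": namespace,
                     "labels": {"ratel": "true", "username": user}},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": cluster_role},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                      "kind": "User", "name": user}],
    }

def bindings_for(user, namespace, roles=CLUSTER_ROLES):
    """List of RoleBindings; JSON is valid YAML, so kubectl apply -f accepts it."""
    return {"apiVersion": "v1", "kind": "List",
            "items": [role_binding(user, namespace, r) for r in roles]}

if __name__ == "__main__":
    text, tokens = make_token_file(["test1", "test2"])
    print(text)  # contents for the post's /etc/kubernetes/basic_auth_file
    print(json.dumps(bindings_for("test1", "default"), indent=2))
```

Because the bindings are namespaced, test1 gets exec and delete only in the namespace given, while the cluster-wide ratel-namespace-readonly binding from the post still lets every member of the group list namespaces.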

Using a serviceaccount

Source: https://www.cnblogs.com/RRecal/p/15700603.html
