In the previous section we covered how to restrict a user's access to the dashboard. In this section we work through a case: how to create a user with read-only permissions.
You can create users with whatever permissions a situation calls for, but in a real production environment two are usually enough: the user created earlier, which holds every permission on the cluster, and an ordinary user with read-only permissions. Handing the read-only user to developers lets them see clearly how their own projects are running without being able to change anything.
Before going further, think about how you would build this with what you already know. You probably have an idea, but getting it right is not trivial and can take several rounds of edits and testing. In fact Kubernetes ships with a default ClusterRole called view, which is exactly a read-only role. Let us look at it:
[centos@k8s-master ~]$ kubectl describe clusterrole view
Name: view
Labels: kubernetes.io/bootstrapping=rbac-defaults
rbac.authorization.k8s.io/aggregate-to-edit=true
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
bindings [] [] [get list watch]
configmaps [] [] [get list watch]
endpoints [] [] [get list watch]
events [] [] [get list watch]
limitranges [] [] [get list watch]
namespaces/status [] [] [get list watch]
namespaces [] [] [get list watch]
persistentvolumeclaims [] [] [get list watch]
pods/log [] [] [get list watch]
pods/status [] [] [get list watch]
pods [] [] [get list watch]
replicationcontrollers/scale [] [] [get list watch]
replicationcontrollers/status [] [] [get list watch]
replicationcontrollers [] [] [get list watch]
resourcequotas/status [] [] [get list watch]
resourcequotas [] [] [get list watch]
serviceaccounts [] [] [get list watch]
services [] [] [get list watch]
controllerrevisions.apps [] [] [get list watch]
daemonsets.apps [] [] [get list watch]
deployments.apps/scale [] [] [get list watch]
deployments.apps [] [] [get list watch]
replicasets.apps/scale [] [] [get list watch]
replicasets.apps [] [] [get list watch]
statefulsets.apps/scale [] [] [get list watch]
statefulsets.apps [] [] [get list watch]
horizontalpodautoscalers.autoscaling [] [] [get list watch]
cronjobs.batch [] [] [get list watch]
jobs.batch [] [] [get list watch]
daemonsets.extensions [] [] [get list watch]
deployments.extensions/scale [] [] [get list watch]
deployments.extensions [] [] [get list watch]
ingresses.extensions [] [] [get list watch]
networkpolicies.extensions [] [] [get list watch]
replicasets.extensions/scale [] [] [get list watch]
replicasets.extensions [] [] [get list watch]
replicationcontrollers.extensions/scale [] [] [get list watch]
networkpolicies.networking.k8s.io [] [] [get list watch]
poddisruptionbudgets.policy [] [] [get list watch]
[centos@k8s-master ~]$
As you can see, every resource it covers is granted only get, list and watch; none of those verbs permits a write. So, just as we originally bound a user to cluster-admin, we can create a new user and bind it to the default view role. Binding through a ClusterRoleBinding applies the role in every namespace:
kubectl create sa dashboard-readonly -n kube-system
kubectl create clusterrolebinding dashboard-readonly --clusterrole=view --serviceaccount=kube-system:dashboard-readonly
These two commands create a ServiceAccount called dashboard-readonly and bind it to the view ClusterRole. On clusters before Kubernetes 1.24 a token Secret is created automatically for the ServiceAccount: run kubectl get secret -n kube-system to list the secrets, find the one named dashboard-readonly-token-<random suffix>, and run kubectl describe secret -n kube-system dashboard-readonly-token-<random suffix> to read the token it contains. On 1.24 and later no such Secret is created automatically; mint a short-lived token with kubectl create token dashboard-readonly -n kube-system instead. Copy the token into the dashboard login page and log in.
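Before pasting a token into the login page it is worth checking what it actually carries. The inspector below is an added example written for this article, not code from the tutorial or from Kubernetes. It decodes only the JWT payload and does not verify the signature (that is the API server's job), so it tells you which ServiceAccount a token names and whether it expires, nothing more. The two sample tokens are constructed inline with a dummy signature, using the claim layout of a legacy token Secret and of a bound token from kubectl create token; the secret-name suffix is made up.

```python
"""Inspect a ServiceAccount token before pasting it into the dashboard.
Payload only: the signature is NOT verified here, so this identifies a token
you already trust; it does not make an untrusted token trustworthy."""
import base64
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_demo_token(claims: dict) -> str:
    """Constructed demo JWT (header.payload.dummy-signature); real tokens are
    RS256-signed by the cluster's service-account signing key."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"


def inspect_sa_token(token: str, now: float = None) -> dict:
    """Return who the token is for, its kind, and whether it is time-bounded."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    sub = claims.get("sub", "")
    # Both legacy and bound tokens carry sub=system:serviceaccount:<ns>:<name>
    if not sub.startswith("system:serviceaccount:") or sub.count(":") != 3:
        raise ValueError(f"not a service-account token: sub={sub!r}")
    _, _, namespace, name = sub.split(":")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return {
        "namespace": namespace,
        "name": name,
        # Bound tokens (TokenRequest / kubectl create token) nest their data
        # under a "kubernetes.io" claim; legacy Secret tokens use flat keys.
        "kind": "bound" if "kubernetes.io" in claims else "legacy-secret",
        "expires": exp is not None,  # legacy Secret tokens never expire
        "valid_now": exp is None or exp > now,
        "audiences": claims.get("aud", []),
    }


# Constructed sample: what a pre-1.24 dashboard-readonly-token-* Secret holds.
LEGACY_TOKEN = make_demo_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/secret.name": "dashboard-readonly-token-x7k2q",
    "kubernetes.io/serviceaccount/service-account.name": "dashboard-readonly",
    "sub": "system:serviceaccount:kube-system:dashboard-readonly",
})

# Constructed sample: what `kubectl create token dashboard-readonly` returns.
BOUND_TOKEN = make_demo_token({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "iat": 1_700_000_000, "exp": 1_700_003_600,
    "kubernetes.io": {"namespace": "kube-system",
                      "serviceaccount": {"name": "dashboard-readonly"}},
    "sub": "system:serviceaccount:kube-system:dashboard-readonly",
})

if __name__ == "__main__":
    for label, tok in (("legacy", LEGACY_TOKEN), ("bound", BOUND_TOKEN)):
        print(label, inspect_sa_token(tok))
```

The practical difference the inspector surfaces is the "expires" field: a legacy Secret token is a permanent credential, so anyone who copies it from the dashboard login page keeps read access until the Secret is deleted, whereas a bound token stops working after its lifetime (one hour by default).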
Open any Deployment and you will see that scale, edit and delete are still offered in the top-left corner. There is no need to worry: the buttons are drawn by the dashboard front end, but every action is sent to the API server under the user's token, and RBAC rejects it there. If you try edit or scale, the operation simply does not take effect, without any message; if you click delete, you get an error like the one in the figure below, saying that the dashboard-readonly user does not have permission to delete.
Creating a truly read-only user by hand
Earlier we created a read-only user by binding it to the view role, but in practice you will find that it is not read-only in the full sense: it has no access to some cluster-level resources such as Nodes and Persistent Volumes. The view role is built around namespaced resources, so binding it with a ClusterRoleBinding only spreads that namespaced read access across every namespace; it does not add cluster-scoped objects. Click the Nodes entry in the left-hand menu, for example, and you get the following message:
Let us now create by hand a user that also has read-only access to cluster-level resources.
First, create a ServiceAccount named dashboard-real-readonly in kube-system:
kubectl create sa dashboard-real-readonly -n kube-system
Next, create a ClusterRole called dashboard-viewonly:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-viewonly
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - nodes
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  - volumeattachments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  - roles
  - rolebindings
  verbs:
  - get
  - list
  - watch
Then bind it to the dashboard-real-readonly ServiceAccount. Give the binding a name of its own rather than reusing kubernetes-dashboard, so that applying it cannot overwrite a ClusterRoleBinding the dashboard's own manifests created, and use the rbac.authorization.k8s.io/v1 API, since v1beta1 was removed in Kubernetes 1.22:
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 is gone from Kubernetes 1.22 onwards
kind: ClusterRoleBinding
metadata:
  name: dashboard-real-readonly   # distinct name; does not clobber the dashboard's own binding
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dashboard-viewonly
subjects:
- kind: ServiceAccount
  name: dashboard-real-readonly
  namespace: kube-system
What remains is to fetch this user's token and log in, which has been covered several times already, including earlier in this section, so it is not repeated here. Two things are worth keeping in mind when you maintain a role like this. Read access to pods/log lets the user see whatever applications print to their logs, and read access to roles, rolebindings, clusterroles and clusterrolebindings lets them map out who can do what in the cluster; both are deliberate choices here, so decide whether your developers should have them. Neither view nor dashboard-viewonly grants access to secrets, and a read-only role should stay that way, because reading a Secret hands over the credential inside it. Finally, RBAC does not validate resource names, so the extensions entries are harmless but do nothing on clusters where those API groups have been removed.
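The two roles on this page, evaluated offline. This is an added example written for this article, not code from the tutorial or from Kubernetes: it transcribes the view rules from the kubectl describe output above and the dashboard-viewonly rules from the YAML, reproduces the matching the RBAC authorizer does across apiGroups, resources and verbs (exact names and "*" only; it does not model "*/subresource" patterns, resourceNames or non-resource URLs), and adds a small lint that fails if a write verb, a wildcard resource or a secrets read sneaks into a role meant to be read-only. It answers the questions raised in both halves of this section: why delete on a Deployment is denied for the view-bound user, why nodes are denied for view but allowed for dashboard-viewonly, and what dashboard-viewonly adds or loses relative to view. On a live cluster, kubectl auth can-i <verb> <resource> --as=system:serviceaccount:kube-system:dashboard-readonly is the authoritative check.

```python
"""Offline RBAC model of the `view` and `dashboard-viewonly` ClusterRoles.
Teaching model only; `kubectl auth can-i ... --as=system:serviceaccount:...`
against the real API server is authoritative."""

READ = ["get", "list", "watch"]


def rule(groups, resources, verbs=READ):
    """One RBAC PolicyRule, in the same shape as the YAML on this page."""
    return {"apiGroups": groups, "resources": resources, "verbs": verbs}


# ClusterRole "view", transcribed from `kubectl describe clusterrole view`.
VIEW_RULES = [
    rule([""], ["bindings", "configmaps", "endpoints", "events", "limitranges",
                "namespaces", "namespaces/status", "persistentvolumeclaims",
                "pods", "pods/log", "pods/status", "replicationcontrollers",
                "replicationcontrollers/scale", "replicationcontrollers/status",
                "resourcequotas", "resourcequotas/status", "serviceaccounts",
                "services"]),
    rule(["apps"], ["controllerrevisions", "daemonsets", "deployments",
                    "deployments/scale", "replicasets", "replicasets/scale",
                    "statefulsets", "statefulsets/scale"]),
    rule(["autoscaling"], ["horizontalpodautoscalers"]),
    rule(["batch"], ["cronjobs", "jobs"]),
    rule(["extensions"], ["daemonsets", "deployments", "deployments/scale",
                          "ingresses", "networkpolicies", "replicasets",
                          "replicasets/scale", "replicationcontrollers/scale"]),
    rule(["networking.k8s.io"], ["networkpolicies"]),
    rule(["policy"], ["poddisruptionbudgets"]),
]

# ClusterRole "dashboard-viewonly", transcribed from the YAML on this page.
VIEWONLY_RULES = [
    rule([""], ["bindings", "configmaps", "endpoints", "events", "limitranges",
                "namespaces", "namespaces/status", "nodes",
                "persistentvolumeclaims", "persistentvolumes", "pods",
                "pods/log", "pods/status", "replicationcontrollers",
                "replicationcontrollers/scale", "replicationcontrollers/status",
                "resourcequotas", "resourcequotas/status", "serviceaccounts",
                "services"]),
    rule(["apps"], ["daemonsets", "deployments", "deployments/scale",
                    "replicasets", "replicasets/scale", "statefulsets"]),
    rule(["autoscaling"], ["horizontalpodautoscalers"]),
    rule(["batch"], ["cronjobs", "jobs"]),
    rule(["extensions"], ["daemonsets", "deployments", "deployments/scale",
                          "ingresses", "networkpolicies", "replicasets",
                          "replicasets/scale", "replicationcontrollers/scale"]),
    rule(["policy"], ["poddisruptionbudgets"]),
    rule(["networking.k8s.io"], ["networkpolicies"]),
    rule(["storage.k8s.io"], ["storageclasses", "volumeattachments"]),
    rule(["rbac.authorization.k8s.io"],
         ["clusterrolebindings", "clusterroles", "roles", "rolebindings"]),
]


def _match(pattern, value):
    return pattern == "*" or pattern == value


def allowed(rules, verb, resource, group=""):
    """True if any rule grants VERB on RESOURCE (e.g. "pods/log") in GROUP.
    RBAC is allow-only: with no matching rule the request is denied."""
    return any(any(_match(g, group) for g in r["apiGroups"])
               and any(_match(x, resource) for x in r["resources"])
               and any(_match(v, verb) for v in r["verbs"])
               for r in rules)


def grants(rules):
    """Flatten a rule list into a set of (group, resource, verb) triples."""
    return {(g, res, v) for r in rules for g in r["apiGroups"]
            for res in r["resources"] for v in r["verbs"]}


WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection",
               "impersonate", "bind", "escalate", "*"}
SENSITIVE_READS = {("", "secrets"), ("", "serviceaccounts/token")}


def lint_readonly(rules):
    """Findings that would stop a role meant to be read-only from being so."""
    findings = set()
    for g, res, v in grants(rules):
        where = f"{g or 'core'}/{res}"
        if v in WRITE_VERBS:
            findings.add(f"write verb {v!r} on {where}")
        if res == "*":
            findings.add(f"wildcard resource on {where} (includes secrets)")
        elif (g, res) in SENSITIVE_READS:
            findings.add(f"read of {where} hands out credentials")
    return sorted(findings)


if __name__ == "__main__":
    print("view: delete deployments.apps ->",
          allowed(VIEW_RULES, "delete", "deployments", "apps"))
    print("view: list nodes ->", allowed(VIEW_RULES, "list", "nodes"))
    print("viewonly: list nodes ->", allowed(VIEWONLY_RULES, "list", "nodes"))
    added = grants(VIEWONLY_RULES) - grants(VIEW_RULES)
    lost = grants(VIEW_RULES) - grants(VIEWONLY_RULES)
    print("viewonly adds:", sorted({(g, r) for g, r, _ in added}))
    print("viewonly loses:", sorted({(g, r) for g, r, _ in lost}))
    print("lint:", lint_readonly(VIEWONLY_RULES) or "clean")
```

Running the script shows the point the dashboard screenshots make: the view-bound user can get pods and list deployments but is denied delete on a Deployment and list on nodes, while dashboard-viewonly can list nodes, persistentvolumes, storageclasses and the RBAC objects. The set difference also shows that the hand-written role lost controllerrevisions.apps and statefulsets/scale compared with view, which is the kind of drift a lint like this is meant to catch when someone later edits the YAML.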