
|NO.Z.00233|——————————|^^ 失敗 ^^|——|KuberNetes&細粒度許可權控制.V17|------------------------------------------------|RBAC.v00|dashboard|



[CloudNative:KuberNetes&細粒度許可權控制.V17]                                                    [Applications.KuberNetes] [|k8s|細粒度許可權控制|Dashboard基於使用者密碼認證|RBAC不同使用者不同許可權|ServiceAccount許可權管理|]








一、RBAC:檢視k8s官方的dashboard
### --- k8s官方的dashboard

[root@k8s-master01 ~]# kubectl get svc,po -n kubernetes-dashboard
service/kubernetes-dashboard        NodePort    10.103.77.223   <none>        443:31196/TCP   41h
NAME                                             READY   STATUS    RESTARTS   AGE
pod/kubernetes-dashboard-6b8bd587c8-gtwwr        1/1     Running   16         17h
二、沒有配置ingress,直接使用NodePort通過IP的形式去訪問
### --- 沒有配置ingress,直接使用NodePort通過IP的形式去訪問
~~~     Service 的 type 已改為 NodePort,dashboard 對外在每個節點的 31196 埠提供 HTTPS 服務。
~~~     注意:NodePort 會把 dashboard 暴露在「所有」節點的 IP 上;若節點 IP 可從非信任網路到達,應以防火牆/安全群組限制來源,
~~~     或改用 kubectl proxy / 帶認證的 ingress。未配置 ingress 時,瀏覽器看到的是 dashboard 自帶的憑證(預設為自簽)。
~~~     下一條命令中的 !$ 是 bash 的歷史展開,代表上一條命令的最後一個參數,即 kubernetes-dashboard。

[root@k8s-master01 ~]# kubectl edit svc kubernetes-dashboard -n !$
  type: NodePort
[root@k8s-master01 ~]# kubectl get svc,po -n kubernetes-dashboard
NAME                                TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
service/kubernetes-dashboard        NodePort    10.103.77.223   <none>        443:31196/TCP   41h 
可以通過 https://192.168.1.20:31196/ 訪問 dashboard(192.168.1.20 是任一節點 IP;若使用預設自簽憑證,瀏覽器會提示憑證警告)。

三、更改dashboard的認證方式
### --- 在kube-apiserver下新增引數
~~~     注意:--basic-auth-file(靜態密碼檔案認證)自 Kubernetes 1.16 起已棄用,1.19 起已從 kube-apiserver 移除;
~~~     在 1.19+ 上加入此參數會因參數不被識別而導致 apiserver 無法啟動,這很可能就是本篇標題標記「失敗」的原因。
~~~     較安全的替代方案:dashboard 登入改用 ServiceAccount token 或 kubeconfig;使用者認證改用 X.509 用戶端憑證或 OIDC。
~~~     下方以 // 開頭的文字只是位置說明,不要寫進 unit 檔案,否則 systemd 無法解析。

[root@k8s-master01 ~]# vim /usr/lib/systemd/system/kube-apiserver.service
      --feature-gates=EphemeralContainers=true \                    // 此行下新增引數
      --basic-auth-file=/etc/kubernetes/basic_auth_file \           // 新增此引數
      --requestheader-extra-headers-prefix=X-Remote-Extra-  \       // 此行上新增引數
[root@k8s-master01 RBAC+Dashboard]# vim /etc/kubernetes/basic_auth_file
 
xxx1_2019,xxx1,3,"system:authentication"
xxx2_2019,xxx2,4,"system:authentication"
xxx3_2019,xxx3,5,"system:authentication"
xxx4_2019,xxx4,6,"system:authentication" 
 
 --basic-auth-file=/etc/kubernetes/pki/basic_auth_file
~~~     注意:上面 unit 檔寫的是 /etc/kubernetes/basic_auth_file,這裡卻是 /etc/kubernetes/pki/basic_auth_file,
~~~     兩處路徑必須一致,否則 apiserver 啟動時找不到檔案。
~~~     檔案格式為 password,username,uid,"group1,group2"。密碼以明文存放,檔案應由 root 擁有、權限 0600,且只放在 control plane 節點上;
~~~     修改檔案後必須重啟 kube-apiserver 才會生效。
~~~     第四欄是自訂群組名稱;system: 前綴保留給 Kubernetes 內建群組(內建的已認證群組是 system:authenticated,由 apiserver 自動加入),
~~~     因此 RBAC 綁定要以第二欄的 User 名稱(如 xxx1)或此自訂群組名稱作為 subject。

附錄一:
### --- 參考文件:https://www.cnblogs.com/dukuan/p/11976406.html

# RoleBinding: grants User "xxx1" the rules of ClusterRole "ratel-pod-delete",
# but only inside namespace "ratel-test1". Referencing a ClusterRole from a
# RoleBinding (instead of a ClusterRoleBinding) is what confines the
# cluster-wide rule set to this single namespace.
# NOTE(review): the ClusterRole body is not shown on this page; confirm its
# verbs/resources (the name suggests delete on pods) before applying.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    ratel: "true"   # presumably a tooling label used to find generated bindings — verify
    username: xxx1
  name: ratel-pod-delete-xxx1
  namespace: ratel-test1   # the namespace in which the granted rules apply
roleRef:   # immutable after creation; delete and recreate to re-point
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-pod-delete
subjects:
- apiGroup: rbac.authorization.k8s.io   # required for User/Group subjects
  kind: User
  name: xxx1   # must match the username column (2nd field) of the basic-auth file above
---
# RoleBinding: grants User "xxx1" the rules of ClusterRole "ratel-pod-exec"
# inside namespace "ratel-test1" only.
# SECURITY: if this ClusterRole allows pods/exec (as the name suggests), it is
# equivalent to a shell in every container of the namespace — treat it like
# shell access and grant it sparingly. The ClusterRole body is not on this
# page; confirm its rules before applying.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    ratel: "true"   # presumably a tooling label used to find generated bindings — verify
    username: xxx1
  name: ratel-pod-exec-xxx1
  namespace: ratel-test1   # the namespace in which the granted rules apply
roleRef:   # immutable after creation; delete and recreate to re-point
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-pod-exec
subjects:
- apiGroup: rbac.authorization.k8s.io   # required for User/Group subjects
  kind: User
  name: xxx1   # must match the username column (2nd field) of the basic-auth file above
---
# RoleBinding: grants User "xxx1" the rules of ClusterRole
# "ratel-resource-readonly" inside namespace "ratel-test1" only.
# NOTE(review): "readonly" is only the role's name; the ClusterRole body is not
# shown here. Check that it does not include get/list on secrets, which is
# read-only in name but discloses credentials.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    ratel: "true"   # presumably a tooling label used to find generated bindings — verify
    username: xxx1
  name: ratel-resource-readonly-xxx1
  namespace: ratel-test1   # the namespace in which the granted rules apply
roleRef:   # immutable after creation; delete and recreate to re-point
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-resource-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io   # required for User/Group subjects
  kind: User
  name: xxx1   # must match the username column (2nd field) of the basic-auth file above
附錄二:
### --- 使用ClusterRole建立通用許可權,
~~~     使用 RoleBinding 繫結到指定 namespace 下的 User 或指定的 ServiceAccount 上。
~~~     RoleBinding 只會把 ClusterRole 的規則限制在 binding 所在的 namespace(下例為 default);
~~~     subject 為 ServiceAccount 時必須填寫 namespace 欄位,且該 SA 可以位於另一個 namespace(下例為 kube-users),
~~~     此時該 SA 的 token 便能在 default namespace 中取得 ratel-pod-exec 的權限——請確認該 SA 的 token 沒有被掛載到不該擁有此權限的 Pod 內。

# RoleBinding: grants ServiceAccount "java1" (living in namespace "kube-users")
# the rules of ClusterRole "ratel-pod-exec", scoped to namespace "default".
# The subject and the binding are in different namespaces: the SA's token
# gains these rights in "default", not in "kube-users".
# SECURITY: any Pod that mounts this SA's token inherits the exec rights
# (if the ClusterRole grants pods/exec — its body is not shown on this page).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    ratel: "true"   # presumably a tooling label used to find generated bindings — verify
    username: java1
  name: ratel-pod-exec-sa-java1
  namespace: default   # the namespace in which the granted rules apply
roleRef:   # immutable after creation; delete and recreate to re-point
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-pod-exec
subjects:
- kind: ServiceAccount   # no apiGroup for ServiceAccount subjects (core group)
  name: java1
  namespace: kube-users   # required for ServiceAccount subjects; may differ from the binding's namespace







