|NO.Z.00233|——————————|^^ Failed ^^|——|KuberNetes & Fine-Grained Permission Control.V17|------------------------------------------------|RBAC.v00|dashboard|
阿新 • Published: 2022-03-31
[CloudNative: KuberNetes & Fine-Grained Permission Control.V17] [Applications.KuberNetes] [|k8s|fine-grained permission control|Dashboard username/password authentication|RBAC: different permissions for different users|ServiceAccount permission management|]
1. RBAC: look at the official k8s dashboard
### --- The official k8s dashboard
[root@k8s-master01 ~]# kubectl get svc,po -n kubernetes-dashboard
NAME                                        TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
service/kubernetes-dashboard                NodePort   10.103.77.223   <none>        443:31196/TCP   41h

NAME                                        READY   STATUS    RESTARTS   AGE
pod/kubernetes-dashboard-6b8bd587c8-gtwwr   1/1     Running   16         17h

The dashboard can be reached at https://192.168.1.20:31196/ (the node IP plus the NodePort).

2. No ingress configured: access it directly through the NodePort on a node IP
### --- No ingress configured, access directly through the NodePort on the node IP
~~~ The Service was switched to NodePort and is exposed on port 31196. `!$` is bash history expansion for the previous command's last argument, i.e. kubernetes-dashboard.
[root@k8s-master01 ~]# kubectl edit svc kubernetes-dashboard -n !$
  type: NodePort
[root@k8s-master01 ~]# kubectl get svc,po -n kubernetes-dashboard
NAME                           TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
service/kubernetes-dashboard   NodePort   10.103.77.223   <none>        443:31196/TCP   41h
~~~ A NodePort is opened on every node in the cluster, not just k8s-master01, so the dashboard login page is reachable from anywhere that can reach any node on 31196. Restrict that port at the network level if the cluster is not on an isolated network, or put the dashboard behind an ingress or `kubectl proxy` instead.

3. Change the dashboard's authentication method
### --- Add a parameter to kube-apiserver
[root@k8s-master01 ~]# vim /usr/lib/systemd/system/kube-apiserver.service
  --feature-gates=EphemeralContainers=true \                // add the new parameter below this line
  --basic-auth-file=/etc/kubernetes/basic_auth_file \      // the parameter being added
  --requestheader-extra-headers-prefix=X-Remote-Extra- \   // add the new parameter above this line
~~~ The unit file is only re-read after `systemctl daemon-reload`, and kube-apiserver reads the password file once at startup, so a restart of kube-apiserver is needed both now and after every later change to the file.
~~~ `--basic-auth-file` was deprecated in Kubernetes v1.16 and removed in v1.19; this method only works on an apiserver older than that. For the Dashboard to show a username/password form at all, its own `--authentication-mode` argument must include `basic` (the default is token only).

### --- Create the password file
[root@k8s-master01 RBAC+Dashboard]# vim /etc/kubernetes/basic_auth_file
xxx1_2019,xxx1,3,"system:authentication"
xxx2_2019,xxx2,4,"system:authentication"
xxx3_2019,xxx3,5,"system:authentication"
xxx4_2019,xxx4,6,"system:authentication"
~~~ Row format is password,username,uid,"group1,group2". The fourth column is an optional list of groups and has to be quoted when it holds more than one group. Note that "system:authentication" here is just a custom group name chosen by the author: the built-in group every logged-in user automatically receives is `system:authenticated`, and the custom group carries no permissions until something binds a Role or ClusterRole to it. The passwords are stored in clear text, so keep the file readable by root only (mode 0600).
--basic-auth-file=/etc/kubernetes/pki/basic_auth_file
~~~ The page shows the flag with two different paths (/etc/kubernetes/basic_auth_file above and /etc/kubernetes/pki/basic_auth_file here); the flag must point at the file that was actually written, so pick one path and use it in both places.
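Because kube-apiserver only reads the password file at startup, a malformed or weak row is discovered at the worst time, during the restart. The following is an added example (not code from the page or from Kubernetes) that parses the `--basic-auth-file` CSV format described above and lints the rows before the file is installed. The sample input reuses the page's four rows and adds two constructed bad rows; `MIN_PASSWORD_LEN` is an assumed local policy, since the apiserver itself enforces no minimum; the finding codes are names chosen here.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample input (not a real file from any cluster): the four rows from the
# page's /etc/kubernetes/basic_auth_file, plus two deliberately bad rows added here
# to exercise the linter (a reused password and uid plus system:masters, and a
# duplicate username).
SAMPLE_BASIC_AUTH_FILE = """\
xxx1_2019,xxx1,3,"system:authentication"
xxx2_2019,xxx2,4,"system:authentication"
xxx3_2019,xxx3,5,"system:authentication"
xxx4_2019,xxx4,6,"system:authentication"
xxx4_2019,xxx5,6,"system:authentication,system:masters"
short,xxx1,7
"""

# Assumption: a local password-length policy; kube-apiserver itself enforces no minimum.
MIN_PASSWORD_LEN = 16


@dataclass
class BasicAuthEntry:
    password: str
    username: str
    uid: str
    groups: list[str]
    line: int


def parse_basic_auth_file(text: str) -> list[BasicAuthEntry]:
    """Parse the --basic-auth-file CSV format: password,username,uid[,"group1,group2"].

    The optional fourth column is a comma-separated group list and must be quoted when
    it holds more than one group; csv.reader unquotes it. Blank lines are skipped.
    """
    entries: list[BasicAuthEntry] = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue
        if len(row) < 3:
            raise ValueError(f"line {lineno}: expected at least password,username,uid")
        password, username, uid = (cell.strip() for cell in row[:3])
        groups = [g.strip() for g in row[3].split(",") if g.strip()] if len(row) > 3 else []
        entries.append(BasicAuthEntry(password, username, uid, groups, lineno))
    return entries


def lint_basic_auth(entries: list[BasicAuthEntry]) -> list[tuple[int, str, str]]:
    """Return (line, code, message) findings; codes are fixed strings so callers can assert on them."""
    findings: list[tuple[int, str, str]] = []
    first_user: dict[str, int] = {}
    first_uid: dict[str, int] = {}
    first_password: dict[str, int] = {}
    for e in entries:
        if e.username in first_user:
            findings.append((e.line, "duplicate-user",
                             f"{e.username!r} is already defined on line {first_user[e.username]}"))
        first_user.setdefault(e.username, e.line)
        if e.uid in first_uid:
            findings.append((e.line, "duplicate-uid",
                             f"uid {e.uid!r} is already used on line {first_uid[e.uid]}"))
        first_uid.setdefault(e.uid, e.line)
        if e.password in first_password:
            findings.append((e.line, "reused-password",
                             f"same password as line {first_password[e.password]}"))
        first_password.setdefault(e.password, e.line)
        if len(e.password) < MIN_PASSWORD_LEN:
            findings.append((e.line, "short-password",
                             f"password for {e.username!r} is {len(e.password)} chars, policy minimum is {MIN_PASSWORD_LEN}"))
        if e.username and e.username in e.password:
            findings.append((e.line, "password-contains-username",
                             f"password for {e.username!r} contains the username"))
        if "system:masters" in e.groups:
            # system:masters is bound to cluster-admin by default, so any per-namespace
            # RoleBinding written for this user is irrelevant.
            findings.append((e.line, "system-masters",
                             f"{e.username!r} is in system:masters and bypasses per-namespace RBAC"))
    return findings


if __name__ == "__main__":
    for line, code, message in lint_basic_auth(parse_basic_auth_file(SAMPLE_BASIC_AUTH_FILE)):
        print(f"line {line}: {code}: {message}")
```

Run it against the file before restarting kube-apiserver. On the page's own four rows every password is shorter than the assumed policy and contains the username it belongs to, which is the kind of credential that falls to the first guess once port 31196 is reachable.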
Appendix 1:
### --- Reference: https://www.cnblogs.com/dukuan/p/11976406.html
~~~ One RoleBinding per ClusterRole per user, all in namespace ratel-test1, so user xxx1 gets pod delete, pod exec and read-only rights in that namespace only. The ClusterRoles ratel-pod-delete, ratel-pod-exec and ratel-resource-readonly must already exist; their rules are not shown on this page.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    ratel: "true"
    username: xxx1
  name: ratel-pod-delete-xxx1
  namespace: ratel-test1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-pod-delete
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: xxx1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    ratel: "true"
    username: xxx1
  name: ratel-pod-exec-xxx1
  namespace: ratel-test1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-pod-exec
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: xxx1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    ratel: "true"
    username: xxx1
  name: ratel-resource-readonly-xxx1
  namespace: ratel-test1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-resource-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: xxx1
Appendix 2:
### --- Define reusable permissions once as a ClusterRole,
~~~ then use a RoleBinding to bind it to a User in a given namespace, or to a given ServiceAccount.
~~~ Because this is a RoleBinding rather than a ClusterRoleBinding, the ClusterRole's rules apply only inside the binding's namespace (default here), even though the ServiceAccount itself lives in kube-users. A ServiceAccount subject carries no apiGroup and must name the namespace that owns the account. roleRef is immutable once the binding exists; to point a binding at a different role, delete and recreate it.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    ratel: "true"
    username: java1
  name: ratel-pod-exec-sa-java1
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-pod-exec
subjects:
- kind: ServiceAccount
  name: java1
  namespace: kube-users
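The two appendices differ only in the subject block (User with an apiGroup versus ServiceAccount with a namespace), and hand-writing one RoleBinding per user per ClusterRole is where those small differences get lost. The following is an added example (not code from the page or from the referenced article) that generates bindings in the same naming and labelling pattern as the appendices, checks the subject and roleRef shape that the API server requires, and emits a v1 List that `kubectl apply -f -` accepts. The function names and the `sa-` name prefix are choices made here, inferred from the appendix's `ratel-pod-exec-sa-java1`.

```python
import json

RBAC_API_GROUP = "rbac.authorization.k8s.io"
RBAC_API_VERSION = RBAC_API_GROUP + "/v1"


def user_subject(username: str) -> dict:
    """User subject: users are not cluster objects; the name is whatever the authenticator reported."""
    return {"apiGroup": RBAC_API_GROUP, "kind": "User", "name": username}


def service_account_subject(name: str, namespace: str) -> dict:
    """ServiceAccount subject: no apiGroup (it defaults to ""), and the owning namespace is required."""
    return {"kind": "ServiceAccount", "name": name, "namespace": namespace}


def role_binding(namespace: str, cluster_role: str, subject: dict,
                 name_suffix: str, username_label: str) -> dict:
    """RoleBinding that references a ClusterRole: the role's rules apply only inside `namespace`."""
    return {
        "apiVersion": RBAC_API_VERSION,
        "kind": "RoleBinding",
        "metadata": {
            "name": f"{cluster_role}-{name_suffix}",
            "namespace": namespace,
            "labels": {"ratel": "true", "username": username_label},
        },
        "roleRef": {"apiGroup": RBAC_API_GROUP, "kind": "ClusterRole", "name": cluster_role},
        "subjects": [subject],
    }


def bindings_for_user(namespace: str, username: str, cluster_roles: list) -> list:
    """Appendix 1 pattern: one binding per ClusterRole, named <clusterrole>-<user>."""
    return [role_binding(namespace, cr, user_subject(username), username, username)
            for cr in cluster_roles]


def bindings_for_service_account(namespace: str, sa_name: str, sa_namespace: str,
                                 cluster_roles: list) -> list:
    """Appendix 2 pattern: named <clusterrole>-sa-<account> (the sa- prefix is assumed from the page)."""
    return [role_binding(namespace, cr, service_account_subject(sa_name, sa_namespace),
                         f"sa-{sa_name}", sa_name) for cr in cluster_roles]


def validate_role_binding(obj: dict) -> list:
    """Shape checks that the API server would reject (or that make a subject never match)."""
    errors = []
    if obj.get("apiVersion") != RBAC_API_VERSION or obj.get("kind") != "RoleBinding":
        errors.append(f"expected apiVersion {RBAC_API_VERSION}, kind RoleBinding")
    if not obj.get("metadata", {}).get("namespace"):
        errors.append("RoleBinding is namespaced: metadata.namespace is required")
    ref = obj.get("roleRef", {})
    if (ref.get("apiGroup") != RBAC_API_GROUP or ref.get("kind") not in ("Role", "ClusterRole")
            or not ref.get("name")):
        errors.append(f"roleRef needs apiGroup {RBAC_API_GROUP}, kind Role or ClusterRole, and a name")
    for i, s in enumerate(obj.get("subjects", [])):
        kind = s.get("kind")
        if not s.get("name"):
            errors.append(f"subjects[{i}]: name is required")
        if kind in ("User", "Group"):
            if s.get("apiGroup") != RBAC_API_GROUP:
                errors.append(f"subjects[{i}]: {kind} subjects need apiGroup {RBAC_API_GROUP}")
        elif kind == "ServiceAccount":
            if s.get("apiGroup", ""):
                errors.append(f"subjects[{i}]: ServiceAccount subjects take no apiGroup")
            if not s.get("namespace"):
                errors.append(f"subjects[{i}]: ServiceAccount subjects need the account's namespace")
        else:
            errors.append(f"subjects[{i}]: unknown subject kind {kind!r}")
    return errors


def to_manifest(objs: list) -> str:
    """A v1 List document; `kubectl apply -f -` flattens it into the individual objects."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": objs}, indent=2)


if __name__ == "__main__":
    objs = bindings_for_user("ratel-test1", "xxx1",
                             ["ratel-pod-delete", "ratel-pod-exec", "ratel-resource-readonly"])
    objs += bindings_for_service_account("default", "java1", "kube-users", ["ratel-pod-exec"])
    for o in objs:
        assert validate_role_binding(o) == [], validate_role_binding(o)
    print(to_manifest(objs))
```

Pipe the output into `kubectl apply -f -` after the ClusterRoles exist, then confirm the result with `kubectl auth can-i delete pods --as=xxx1 -n ratel-test1` (expected yes) and the same check against another namespace (expected no), which is the quickest way to see that a RoleBinding to a ClusterRole does not leak outside its namespace.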
From WizNote (Wiz)