Through the Dashboard, users can see how the applications in the cluster are running, and can also create or modify Kubernetes resources such as Deployments, Jobs and Services from the Dashboard. Through the deployment wizard, users can scale a deployment up or down, perform rolling updates, restart Pods and deploy new applications.
Installing the Dashboard UI
```shell
kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended/kubernetes-dashboard.yaml
```

Check that the installation succeeded: `kubectl get svc,pod --all-namespaces`

```
NAMESPACE     NAME                                       TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
...
kube-system   service/kubernetes-dashboard               ClusterIP   10.110.187.255   <none>        443/TCP   86m

NAMESPACE     NAME                                       READY   STATUS    RESTARTS   AGE
...
kube-system   pod/kubernetes-dashboard-57df4db6b-jjqhf   1/1     Running   8          86m
```
Note: if an image pull error occurs, you can use a private registry instead.

First find the image used by the manifest: `cat kubernetes-dashboard.yaml | grep image`

```
image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
```

Then replace "k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1" with "mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1", pull it with docker and push it to the private registry; see https://mp.weixin.qq.com/s/cV74onbtzTubrrhOl_Qi8w for the details.
Dashboard startup arguments:

Argument name | Default value | Description |
---|---|---|
insecure-port | 9090 | The port to listen to for incoming HTTP requests. |
port | 8443 | The secure port to listen to for incoming HTTPS requests. |
insecure-bind-address | 127.0.0.1 | The IP address on which to serve the --port (set to 0.0.0.0 for all interfaces). |
bind-address | 0.0.0.0 | The IP address on which to serve the --secure-port (set to 0.0.0.0 for all interfaces). |
default-cert-dir | /certs | Directory path containing the '--tls-cert-file' and '--tls-key-file' files. Also used when the auto-generate-certificates flag is set. Relative to the container, not the host. |
tls-cert-file | - | File containing the default x509 certificate for HTTPS. |
tls-key-file | - | File containing the default x509 private key matching --tls-cert-file. |
apiserver-host | - | The address of the Kubernetes API server to connect to, in the format protocol://address:port, e.g. http://localhost:8080. If not specified, the binary is assumed to run inside a Kubernetes cluster and local discovery is attempted. |
api-log-level | DEFAULT | Set or disable API request logging. DEFAULT sanitizes potentially sensitive URLs; DEBUG outputs all request output (even if sensitive); NONE disables all request logging. |
heapster-host | - | The address of Heapster to connect to, in the format protocol://address:port, e.g. http://localhost:8082. If not specified, the binary is assumed to run inside a Kubernetes cluster and the service proxy is used. |
kubeconfig | - | Path to a kubeconfig file with authorization and master location information. |
token-ttl | 15 minutes | Expiration time (in seconds) of the JWE tokens generated by the Dashboard. Default: 15 min. 0 means never expires. |
authentication-mode | token | Enables the authentication options shown on the login screen. Supported values: token, basic. Note that the basic option should only be used if the apiserver has the '--authorization-mode=ABAC' and '--basic-auth-file' flags set. |
metric-client-check-period | 30 seconds | Time in seconds that defines how often the configured metric client health check is run. |
auto-generate-certificates | false | When set to true, the Dashboard automatically generates the certificates used to serve HTTPS. |
enable-insecure-login | false | When enabled, the Dashboard login view is also shown when the Dashboard is not served over HTTPS. It still requires the frontend to be accessed over HTTPS (i.e. a secure nginx proxy). |
system-banner | - | When non-empty, displays a message to Dashboard users. Accepts simple HTML tags. |
system-banner-severity | INFO | Severity of the system banner. Should be one of 'INFO', 'WARNING', 'ERROR'. |
disable-settings-authorizer | false | When enabled, the Dashboard settings page does not require the user to be logged in and authorized to access it. |
enable-skip-login | false | When enabled, the skip button on the login page is shown. |
Accessing the Dashboard through kubectl proxy
`kubectl proxy` starts a proxy server for the Kubernetes API server. Its options:

```
--accept-hosts='^localhost$,^127\.0\.0\.1$,^\[::1\]$': Regular expression for hosts that the proxy should accept.
--accept-paths='^.*': Regular expression for paths that the proxy should accept.
--address='127.0.0.1': The IP address on which to serve on.
--api-prefix='/': Prefix to serve the proxied API under.
--disable-filter=false: If true, disable request filtering in the proxy. This is dangerous, and can leave you vulnerable to XSRF attacks, when used with an accessible port.
--keepalive=0s: keepalive specifies the keep-alive period for an active network connection. Set to 0 to disable keepalive.
-p, --port=8001: The port on which to run the proxy. Set to 0 to pick a random port.
--reject-methods='^$': Regular expression for HTTP methods that the proxy should reject (example --reject-methods='POST,PUT,PATCH').
--reject-paths='^/api/.*/pods/.*/exec,^/api/.*/pods/.*/attach': Regular expression for paths that the proxy should reject. Paths specified here will be rejected even accepted by --accept-paths.
-u, --unix-socket='': Unix socket on which to run the proxy.
-w, --www='': Also serve static files from the given directory under the specified prefix.
-P, --www-prefix='/static/': Prefix to serve static files under, if static file directory is specified.

Usage:
  kubectl proxy [--port=PORT] [--www=static-dir] [--www-prefix=prefix] [--api-prefix=prefix] [options]
```
Because we want the Dashboard to be reachable from other servers, both the --accept-hosts and --address parameters have to be set:

```shell
kubectl proxy --address='0.0.0.0' --port=8001 --accept-hosts='^localhost$,^192\.168\.1\.122$'
```
Setting up login access
Open http://192.168.1.122:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ in a browser. The project officially provides two authentication methods: a kubeconfig file and a token.
Token login
Each Kubernetes service account has its own token: `kubectl get secret -n kube-system`

```
NAME                                             TYPE                                  DATA   AGE
attachdetach-controller-token-8kh8n              kubernetes.io/service-account-token   3      21h
bootstrap-signer-token-htm5l                     kubernetes.io/service-account-token   3      21h
bootstrap-token-ngcxcv                           bootstrap.kubernetes.io/token         7      21h
calico-node-token-4wkts                          kubernetes.io/service-account-token   3      20h
certificate-controller-token-dzvlt               kubernetes.io/service-account-token   3      21h
clusterrole-aggregation-controller-token-qpvfv   kubernetes.io/service-account-token   3      21h
coredns-token-hdk66                              kubernetes.io/service-account-token   3      21h
cronjob-controller-token-tmvgn                   kubernetes.io/service-account-token   3      21h
daemon-set-controller-token-wxfbl                kubernetes.io/service-account-token   3      21h
default-token-67lzs                              kubernetes.io/service-account-token   3      21h
deployment-controller-token-ps2sn                kubernetes.io/service-account-token   3      21h
disruption-controller-token-qhncp                kubernetes.io/service-account-token   3      21h
endpoint-controller-token-mq29n                  kubernetes.io/service-account-token   3      21h
expand-controller-token-qv82t                    kubernetes.io/service-account-token   3      21h
generic-garbage-collector-token-4bklk            kubernetes.io/service-account-token   3      21h
horizontal-pod-autoscaler-token-4nn7k            kubernetes.io/service-account-token   3      21h
job-controller-token-hmjcx                       kubernetes.io/service-account-token   3      21h
kube-proxy-token-phvpr                           kubernetes.io/service-account-token   3      21h
kubernetes-dashboard-certs                       Opaque                                0      143m
kubernetes-dashboard-csrf                        Opaque                                1      143m
kubernetes-dashboard-key-holder                  Opaque                                2      76m
kubernetes-dashboard-token-tpvvp                 kubernetes.io/service-account-token   3      143m
namespace-controller-token-9jm46                 kubernetes.io/service-account-token   3      21h
node-controller-token-lvw87                      kubernetes.io/service-account-token   3      21h
persistent-volume-binder-token-sn2zf             kubernetes.io/service-account-token   3      21h
pod-garbage-collector-token-gmwb6                kubernetes.io/service-account-token   3      21h
pv-protection-controller-token-r566m             kubernetes.io/service-account-token   3      21h
pvc-protection-controller-token-sh8x9            kubernetes.io/service-account-token   3      21h
replicaset-controller-token-bd724                kubernetes.io/service-account-token   3      21h
replication-controller-token-h7bt6               kubernetes.io/service-account-token   3      21h
resourcequota-controller-token-qrj5l             kubernetes.io/service-account-token   3      21h
service-account-controller-token-5brbw           kubernetes.io/service-account-token   3      21h
service-controller-token-ln82n                   kubernetes.io/service-account-token   3      21h
statefulset-controller-token-b9jlj               kubernetes.io/service-account-token   3      21h
token-cleaner-token-9lzqb                        kubernetes.io/service-account-token   3      21h
ttl-controller-token-58rdc                       kubernetes.io/service-account-token   3      21h
```
With `kubectl describe secret` we can see the token of a specific service account: `kubectl describe secret deployment-controller-token-ps2sn -n kube-system`

```
Name:         deployment-controller-token-ps2sn
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: deployment-controller
              kubernetes.io/service-account.uid: e3dff2a1-2095-11e9-b54b-5254003008ab

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.....d_GQotLp38_5GOMCHy2sn9zvgTThnSo4cUN5PkRbKyLtT16zl1MtFadOogLc7iVllNgDGAzHHAbo73m35gi1j0H_o0A742wZq4gLS-06r4UPfhpU9IoGhYZusYOY-RvBkjm7PZbKhudxwStdP44HhwaqdoX2wMwZgT8mrVd74VEs988zPEaM-QAKYLhYgOEAlEFvXnFfzm2dRD9LtK7m1JrlmevmtONfucEPpJiVuAhYBYq31KZ6YOya0Py8tInd8S-9_pmBmNVCYE2MzyFLWJ5uJhmdefqNWwTgKaKHWOsczqDecnRaSuF97Qje7udwVeVjNTeCwUzOZAfPlHLe-Q
```
But every service account's token carries different permissions, which may not match what we need, so we create our own service account and grant it permissions through a ClusterRole binding.
Create the file user-shikanon.yaml:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: user-shikanon
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: user-shikanon
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: user-shikanon
  namespace: kube-system
```
Create the resources:

```shell
[root@master ~]# kubectl create -f user-shikanon.yaml
```
View the token of the user-shikanon service account:

```
[root@master ~]# kubectl describe secret user-shikanon --namespace=kube-system
Name:         user-shikanon-token-6t5rd
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: user-shikanon
              kubernetes.io/service-account.uid: f290b948-2149-11e9-a469-5254003008ab

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.....Ap6MY85X38mVGXqEe7T8UW-RHNXWWJZ06eKKXMKutRJUKDNcfKKV0Y1o_CsWLfSNjqNjRCoTYs4x73vHwo6LkrXrzKoyh7VZytcMxpwV7FiLAMU0OFia179WROAIEpvZ1AsK94X2NM3zBS4I3pVNK_OLM4wuOBLcX9bkFscBRufs3SvgtA64t8_vq4udgoQdERdnK3EiPBgpZEjnGQIK_o-kgGKviXhS892r2QD9y_YlrFyY6Gu4xPRew_k2jPpFpZNyjYp3pKWw6DnGKBN39M7T5igLnSXJEQGp1mXgYrgWBL-IQeWtRTVcpBIeRFa5AoPMfPcv5x4AsWHK_rF1_A
```
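Before pasting a token into the login screen it is worth checking which ServiceAccount it actually identifies. The following is an added example, not code from the original post: it decodes the header and claims of a service-account JWT like the ones shown above (without verifying the signature) and reports the namespace, account name and whether the token carries an expiry. The sample token is constructed inline with a placeholder signature; the header segment is the one shown in the post.

```python
import base64
import json
from typing import Any, Dict


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_token(token: str) -> Dict[str, Any]:
    """Split header.payload.signature and decode the two JSON parts (no signature check)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return {"header": json.loads(_b64url_decode(parts[0])),
            "claims": json.loads(_b64url_decode(parts[1]))}


def summarize(token: str) -> Dict[str, Any]:
    """Pull out the fields that say which ServiceAccount the token belongs to."""
    decoded = decode_token(token)
    claims = decoded["claims"]
    return {
        "alg": decoded["header"].get("alg"),
        "namespace": claims.get("kubernetes.io/serviceaccount/namespace"),
        "service_account": claims.get("kubernetes.io/serviceaccount/service-account.name"),
        "subject": claims.get("sub"),
        # Secret-based tokens like the ones above carry no exp claim: they do not expire on their own.
        "expires": claims.get("exp"),
    }


# Constructed sample: header as in the post ({"alg":"RS256","kid":""}), claims built here in the
# shape used by secret-based service-account tokens, and a placeholder instead of a real signature.
_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/secret.name": "user-shikanon-token-6t5rd",
    "kubernetes.io/serviceaccount/service-account.name": "user-shikanon",
    "sub": "system:serviceaccount:kube-system:user-shikanon",
}
SAMPLE_TOKEN = ".".join([
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9",
    base64.urlsafe_b64encode(json.dumps(_CLAIMS, separators=(",", ":")).encode()).decode().rstrip("="),
    "placeholder-signature",
])

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_TOKEN), indent=2))
```

Run it against a real token copied from `kubectl describe secret` to confirm the account and namespace match the one you intended to bind.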
kubeconfig login
Find the kubeconfig file at .kube/config, or create a new kubeconfig file, and add a token field at the end of the config file:

```yaml
apiVersion: v1
```
RBAC access control
Role and ClusterRole
A Role can only be used to grant access to resources in a single namespace. In the RBAC API a Role represents a set of permission rules, and permissions only ever accumulate (they are additive): there is no resource that starts out with many permissions which RBAC then takes away. A Role is defined inside one namespace; to span namespaces, create a ClusterRole, which is cluster-scoped.
Role:

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
```
ClusterRole:

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
```
RoleBinding and ClusterRoleBinding
A RoleBinding grants the permissions defined in a role to users or groups. A RoleBinding contains a list of subjects, which can be of different kinds (users, groups, or service accounts), and a reference to the Role being bound. A RoleBinding grants access within one namespace, while a ClusterRoleBinding grants access cluster-wide.
RoleBinding:

```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-secrets
  namespace: development
subjects:
- kind: User
  name: dave
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
```
ClusterRoleBinding:

```yaml
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
```
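To make the binding semantics above concrete, here is an added example (not from the original post or the Kubernetes project) of a minimal RBAC evaluator run over the post's own manifests: the pod-reader Role, the secret-reader ClusterRole, the read-secrets RoleBinding for dave, the cluster-admin ClusterRoleBinding for the user-shikanon ServiceAccount, and a ClusterRoleBinding for the "manager" group constructed from the comment above. It is a simplification of the API server's authorizer (cluster-admin is modelled as resource wildcards only), but it shows the three points the text makes: access is denied unless some binding grants it, a RoleBinding that references a ClusterRole still only grants inside its own namespace, and a ClusterRoleBinding grants everywhere.

```python
from typing import Dict, List, Set, Tuple

Subject = Tuple[str, str]  # (kind, name), e.g. ("User", "dave") or ("Group", "manager")

# Roles from the post keyed by (kind, namespace, name); a ClusterRole has no namespace.
# cluster-admin is simplified to resource wildcards (the real one also covers non-resource URLs).
ROLES: Dict[Tuple[str, str, str], List[dict]] = {
    ("Role", "default", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
    ("ClusterRole", "", "secret-reader"): [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}],
    ("ClusterRole", "", "cluster-admin"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

# Bindings: the post's RoleBinding read-secrets (dave -> secret-reader in namespace development),
# the post's ClusterRoleBinding for ServiceAccount user-shikanon -> cluster-admin, and one
# constructed from the post's trailing comment (group manager -> secret-reader, cluster-wide).
BINDINGS: List[dict] = [
    {"kind": "RoleBinding", "namespace": "development",
     "subjects": {("User", "dave")}, "roleRef": ("ClusterRole", "secret-reader")},
    {"kind": "ClusterRoleBinding", "namespace": "",
     "subjects": {("ServiceAccount", "kube-system/user-shikanon")},
     "roleRef": ("ClusterRole", "cluster-admin")},
    {"kind": "ClusterRoleBinding", "namespace": "",
     "subjects": {("Group", "manager")}, "roleRef": ("ClusterRole", "secret-reader")},
]


def rule_allows(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    """A rule matches when group, resource and verb are each listed (or wildcarded with "*")."""
    return all(want in have or "*" in have for want, have in
               ((api_group, rule["apiGroups"]), (resource, rule["resources"]), (verb, rule["verbs"])))


def allowed(subjects: Set[Subject], verb: str, resource: str, namespace: str, api_group: str = "") -> bool:
    """Deny by default; one matching binding plus rule grants access, since RBAC only ever adds."""
    for b in BINDINGS:
        # A RoleBinding grants only inside its own namespace, even when it references a ClusterRole.
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        if not subjects & b["subjects"]:
            continue
        kind, name = b["roleRef"]
        # A Role referenced from a RoleBinding must live in the binding's namespace.
        rules = ROLES.get((kind, b["namespace"] if kind == "Role" else "", name), [])
        if any(rule_allows(r, api_group, resource, verb) for r in rules):
            return True
    return False
```

Note that pod-reader has no binding at all in the post, so nobody is granted pod access by it; and the cluster-admin binding lets the dashboard's user-shikanon account do anything in every namespace, which is why that binding should be reviewed carefully.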