Kubernetes in practice: creating a user with read-only permissions

Posted by 周國通 on 2019-07-03


In the previous section we covered how to restrict a user's access to the dashboard. In this section we walk through a case study: how to create a user with read-only permissions.

Although you can create users with all kinds of permissions to suit your situation, in a real production environment two are usually enough: the user created earlier, which has full permissions on the cluster, and an ordinary user with read-only permissions. Giving developers the read-only permissions lets them see clearly how their own projects are running.

Before going through this section, think about how you would implement this with what was covered earlier. You probably have some ideas, but actually implementing it is not an easy task and may take several rounds of modification and testing. In fact, Kubernetes ships with a default ClusterRole called view, which is precisely a role with read-only permissions. Let us take a look at this role:

[centos@k8s-master ~]$ kubectl describe clusterrole view
Name:         view
Labels:       kubernetes.io/bootstrapping=rbac-defaults
              rbac.authorization.k8s.io/aggregate-to-edit=true
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources                                Non-Resource URLs  Resource Names  Verbs
  ---------                                -----------------  --------------  -----
  bindings                                 []                 []              [get list watch]
  configmaps                               []                 []              [get list watch]
  endpoints                                []                 []              [get list watch]
  events                                   []                 []              [get list watch]
  limitranges                              []                 []              [get list watch]
  namespaces/status                        []                 []              [get list watch]
  namespaces                               []                 []              [get list watch]
  persistentvolumeclaims                   []                 []              [get list watch]
  pods/log                                 []                 []              [get list watch]
  pods/status                              []                 []              [get list watch]
  pods                                     []                 []              [get list watch]
  replicationcontrollers/scale             []                 []              [get list watch]
  replicationcontrollers/status            []                 []              [get list watch]
  replicationcontrollers                   []                 []              [get list watch]
  resourcequotas/status                    []                 []              [get list watch]
  resourcequotas                           []                 []              [get list watch]
  serviceaccounts                          []                 []              [get list watch]
  services                                 []                 []              [get list watch]
  controllerrevisions.apps                 []                 []              [get list watch]
  daemonsets.apps                          []                 []              [get list watch]
  deployments.apps/scale                   []                 []              [get list watch]
  deployments.apps                         []                 []              [get list watch]
  replicasets.apps/scale                   []                 []              [get list watch]
  replicasets.apps                         []                 []              [get list watch]
  statefulsets.apps/scale                  []                 []              [get list watch]
  statefulsets.apps                        []                 []              [get list watch]
  horizontalpodautoscalers.autoscaling     []                 []              [get list watch]
  cronjobs.batch                           []                 []              [get list watch]
  jobs.batch                               []                 []              [get list watch]
  daemonsets.extensions                    []                 []              [get list watch]
  deployments.extensions/scale             []                 []              [get list watch]
  deployments.extensions                   []                 []              [get list watch]
  ingresses.extensions                     []                 []              [get list watch]
  networkpolicies.extensions               []                 []              [get list watch]
  replicasets.extensions/scale             []                 []              [get list watch]
  replicasets.extensions                   []                 []              [get list watch]
  replicationcontrollers.extensions/scale  []                 []              [get list watch]
  networkpolicies.networking.k8s.io        []                 []              [get list watch]
  poddisruptionbudgets.policy              []                 []              [get list watch]
[centos@k8s-master ~]$

As you can see, the permissions it has on every resource it covers are get, list and watch, that is, none of them allow write operations. So, just as we initially bound a user to cluster-admin, we can create a new user and bind it to the default view role.

kubectl create sa dashboard-readonly -n kube-system
kubectl create clusterrolebinding dashboard-readonly --clusterrole=view --serviceaccount=kube-system:dashboard-readonly

With the commands above we created a user (a ServiceAccount) called dashboard-readonly and bound it to the view role. We can inspect the secret of the dashboard-readonly user with kubectl describe secret -n=kube-system dashboard-readonly-token-<random string> (run kubectl get secret -n=kube-system to list all the secrets and find the specific one); it contains the token, which we copy into the dashboard login screen to log in.


Open any deployment and you will see that scale, edit and delete are still offered in the top left corner. There is no need to worry: if you try edit or scale, the operation fails even though no message is shown, and if you click delete, an error dialog appears saying that the dashboard-readonly user does not have permission to delete.
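To make concrete why edit, scale and delete fail for a subject bound to view (and why the Nodes tab fails, as discussed in the next part of this article), here is an added Python example. It is not code from the original post or from Kubernetes; it reproduces the RBAC authorizer's rule-matching semantics (exact match, the '*' wildcard, and '*/subresource') and evaluates the requests the dashboard issues against a constructed subset of the view role shown above. The role excerpt, the request list and the function names are this example's own assumptions.

```python
"""Simulate Kubernetes RBAC rule matching for a ClusterRole.

Added example (not from the original post). Mirrors the authorizer's
rule-matching logic closely enough to explain which dashboard actions
succeed for a subject bound to the built-in `view` ClusterRole.
"""
import json

# Constructed from the `kubectl describe clusterrole view` output in the
# article; only a representative subset of the resources is listed.
VIEW_ROLE_JSON = """
{
  "kind": "ClusterRole",
  "metadata": {"name": "view"},
  "rules": [
    {"apiGroups": [""],
     "resources": ["pods", "pods/log", "services", "configmaps"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps", "extensions"],
     "resources": ["deployments", "deployments/scale", "replicasets"],
     "verbs": ["get", "list", "watch"]}
  ]
}
"""

def load_view_role():
    """Parse the constructed view-role excerpt into a dict."""
    return json.loads(VIEW_ROLE_JSON)

def _matches(allowed, value):
    """An apiGroups/verbs entry matches on exact value or the '*' wildcard."""
    return "*" in allowed or value in allowed

def _resource_matches(rule_resources, resource):
    """Resources match exactly, via '*', or via '*/<subresource>'.

    'pods' alone does NOT grant 'pods/log'; a subresource must be named."""
    if "*" in rule_resources or resource in rule_resources:
        return True
    if "/" in resource:
        return ("*/" + resource.split("/", 1)[1]) in rule_resources
    return False

def allows(role, verb, api_group, resource):
    """True if any rule in `role` permits verb on apiGroup/resource."""
    for rule in role.get("rules", []):
        if (_matches(rule.get("apiGroups", []), api_group)
                and _resource_matches(rule.get("resources", []), resource)
                and _matches(rule.get("verbs", []), verb)):
            return True
    return False  # RBAC is deny-by-default: no matching rule means denied

def dashboard_checks(role):
    """Evaluate the actions the dashboard offers on a deployment page plus
    the Nodes tab; returns {label: allowed}. Verb/resource pairs are the
    ones the API server sees for those UI actions."""
    requests = {
        "view pods":         ("list",   "",     "pods"),
        "read pod logs":     ("get",    "",     "pods/log"),
        "edit deployment":   ("update", "apps", "deployments"),
        "scale deployment":  ("update", "apps", "deployments/scale"),
        "delete deployment": ("delete", "apps", "deployments"),
        "list nodes":        ("list",   "",     "nodes"),
    }
    return {label: allows(role, *req) for label, req in requests.items()}

if __name__ == "__main__":
    for label, ok in dashboard_checks(load_view_role()).items():
        print(f"{label:18s} {'allowed' if ok else 'denied'}")
```

On a live cluster the same question is answered by kubectl auth can-i delete deployments.apps --as=system:serviceaccount:kube-system:dashboard-readonly. Note also that the built-in view role deliberately omits secrets: reading them yields ServiceAccount tokens, and with those every permission the tokens' owners hold.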


Manually creating a user with truly read-only permissions

Earlier we created a user with read-only permissions by binding it to the view role, but in practice you will find that this user is not read-only in the full sense: it lacks some cluster-level permissions, such as Nodes and persistent volumes. For example, if you click the Nodes tab on the left, the following message appears:


Below we manually create a user that also has read-only permissions on cluster-level resources.

First, create a ServiceAccount named dashboard-real-readonly:

kubectl create sa dashboard-real-readonly -n kube-system

Next, create a ClusterRole called dashboard-viewonly:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-viewonly
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  # cluster-scoped resources the built-in view role does not cover
  - nodes
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  - volumeattachments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  - roles
  - rolebindings
  verbs:
  - get
  - list
  - watch
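
Before binding a hand-written role like the one above, it is worth checking mechanically that it is still read-only and that it covers the cluster-scoped resources the dashboard needs (the Nodes and persistent volumes mentioned earlier). The following added Python example, not code from the original post or from Kubernetes, lints a ClusterRole in the JSON form that kubectl get clusterrole <name> -o json prints: it flags write verbs, wildcards, non-resource URLs, duplicate entries and read access to secrets, and reports which cluster-scoped reads are missing. The two SAMPLE_* manifests, the storageclasses entry in the expected list and the function names are this example's own constructions.

```python
"""Lint a ClusterRole for genuinely read-only, dashboard-complete access.

Added example for this article (not the author's code). Usage:

    kubectl get clusterrole dashboard-viewonly -o json | python3 lint_readonly.py

Without stdin input it runs on the constructed SAMPLE_BAD manifest.
"""
import json
import sys

READ_VERBS = {"get", "list", "watch"}

# Cluster-scoped resources the dashboard reads that the built-in `view` role
# lacks. nodes and persistentvolumes are the two named in the article;
# storageclasses is an assumption added by this example.
CLUSTER_SCOPE_READS = {("", "nodes"), ("", "persistentvolumes"),
                       ("storage.k8s.io", "storageclasses")}

# Reading these leaks credentials even with only get/list/watch, which is
# why the built-in `view` role deliberately omits secrets.
SENSITIVE_READS = {("", "secrets")}

def _granted(role):
    """Yield (apiGroup, resource, verbs, rule_index) for every rule entry."""
    for i, rule in enumerate(role.get("rules", [])):
        for g in rule.get("apiGroups", []):
            for r in rule.get("resources", []):
                yield g, r, set(rule.get("verbs", [])), i

def lint_clusterrole(role):
    """Return findings as strings; an empty list means the role is clean."""
    findings, seen = [], {}
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources, groups = rule.get("resources", []), rule.get("apiGroups", [])
        if rule.get("nonResourceURLs"):
            findings.append(f"rule {i}: grants non-resource URLs {rule['nonResourceURLs']}")
        if "*" in verbs or "*" in resources or "*" in groups:
            findings.append(f"rule {i}: wildcard entries; enumerate verbs/groups/resources")
        extra = verbs - READ_VERBS - {"*"}
        if extra:
            findings.append(f"rule {i}: write verbs {sorted(extra)} on {resources}")
    for g, r, _verbs, i in _granted(role):
        label = f"{g or 'core'}/{r}"
        if (g, r) in SENSITIVE_READS:
            findings.append(f"rule {i}: read access to {label} exposes credentials")
        if (g, r) in seen:
            findings.append(f"rule {i}: {label} already granted in rule {seen[(g, r)]} (duplicate)")
        else:
            seen[(g, r)] = i
    return findings

def missing_cluster_scope(role):
    """Cluster-scoped (group, resource) pairs the role cannot fully read."""
    readable = {(g, r) for g, r, verbs, _ in _granted(role) if READ_VERBS <= verbs}
    return sorted(CLUSTER_SCOPE_READS - readable)

# Constructed sample manifests for the demo (not taken from any cluster).
SAMPLE_GOOD = {"kind": "ClusterRole", "metadata": {"name": "dashboard-viewonly"}, "rules": [
    {"apiGroups": [""], "resources": ["pods", "nodes", "persistentvolumes"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
     "verbs": ["get", "list", "watch"]},
]}

SAMPLE_BAD = {"kind": "ClusterRole", "metadata": {"name": "not-really-readonly"}, "rules": [
    {"apiGroups": [""], "resources": ["pods", "pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments/scale"],
     "verbs": ["get", "list", "watch", "update"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
]}

if __name__ == "__main__":
    role = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_BAD
    for finding in lint_clusterrole(role):
        print("FINDING:", finding)
    for g, r in missing_cluster_scope(role):
        print(f"MISSING cluster-scoped read: {g or 'core'}/{r}")
```

Run against the dashboard-viewonly manifest above, the duplicate check is what catches the persistentvolumeclaims entry listed twice in the first rule of the original manifest; harmless for the API server, but a sign the rule list was assembled by hand and deserves a second look.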

Then bind it to the dashboard-real-readonly ServiceAccount:

apiVersion: rbac.authorization.k8s.io/v1   # same API version as the ClusterRole above; v1beta1 was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  # if a ClusterRoleBinding with this name already exists (for example from
  # the dashboard's own manifest), applying this file replaces it
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dashboard-viewonly
subjects:
- kind: ServiceAccount
  name: dashboard-real-readonly
  namespace: kube-system

What remains is to obtain this user's token and log in. We have covered that several times already, including earlier in this section, so refer back to it; it will not be repeated here.
