hcwzwx posted on 2018-1-4 19:31:37

Kubernetes dashboard permission restrictions

  When the dashboard is shared by many users, accidental operations happen often. To restrict the dashboard, access control was applied to it; the main restriction here is that only pods may be deleted.
  1: Create a ClusterRole with the corresponding permissions (here the main point is that only pods may be deleted)

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: dashboard
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list", "create", "proxy", "update"]
- apiGroups: ["*"]
  resources: ["pods"]
  verbs: ["delete"]

  One thing to note: for the dashboard to display heapster's monitoring data, proxy access to the server resource must also be opened (the proxy verb in the rule above).
  2: Create the ServiceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard
  namespace: kube-system

  3: Bind the ClusterRole and the ServiceAccount to each other

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: dashboard-extended
subjects:
- kind: ServiceAccount
  name: dashboard
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: dashboard
  #name: cluster-admin  # the default cluster-admin grants all permissions
  apiGroup: rbac.authorization.k8s.io

  4: Add the ServiceAccount to the deployment
  spec.template.spec.serviceAccountName: dashboard
  5: So that heapster also gets permissions, grant heapster the system:heapster role in the same way

apiVersion: v1
kind: ServiceAccount
metadata:
  name: heapster
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: heapster-extended
subjects:
- kind: ServiceAccount
  namespace: kube-system
  name: heapster
roleRef:
  kind: ClusterRole
  name: system:heapster
  apiGroup: rbac.authorization.k8s.io
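As an added example (not part of the post), a small offline evaluator of the permissions the dashboard ClusterRole from step 1 actually grants, approximating what `kubectl auth can-i` answers for the ServiceAccount once the binding is applied; the rules are transcribed from the page, the check list is constructed. It makes the caveat visible: only delete is narrowed to pods, while create, update and proxy remain cluster-wide on every resource.

```python
# Rules transcribed from the page's "dashboard" ClusterRole (as Python dicts, no YAML parser needed).
DASHBOARD_RULES = [
    {"apiGroups": ["*"], "resources": ["*"],
     "verbs": ["get", "watch", "list", "create", "proxy", "update"]},
    {"apiGroups": ["*"], "resources": ["pods"], "verbs": ["delete"]},
]

def resource_matches(rule_resources, resource):
    """Match 'pods' or a subresource like 'pods/log' against a rule's resources list."""
    for allowed in rule_resources:
        if allowed == "*" or allowed == resource:
            return True
        # "pods/*" covers every subresource of pods, but not pods itself
        if allowed.endswith("/*") and resource.startswith(allowed[:-1]):
            return True
    return False

def can_i(rules, verb, resource, api_group=""):
    """True if any rule grants verb on resource in api_group ('' = core group).
    RBAC is allow-only: rules are OR-ed and there is no deny."""
    return any(
        ("*" in r["apiGroups"] or api_group in r["apiGroups"])
        and resource_matches(r["resources"], resource)
        and ("*" in r["verbs"] or verb in r["verbs"])
        for r in rules
    )

def audit(rules, checks):
    """Evaluate (verb, resource, apiGroup) triples -> {'verb resource': bool}."""
    return {f"{verb} {resource}": can_i(rules, verb, resource, group)
            for verb, resource, group in checks}

# Constructed review checklist: the intended restriction plus what the role leaves open.
CHECKS = [
    ("delete", "pods", ""),
    ("delete", "deployments", "apps"),
    ("delete", "secrets", ""),
    ("create", "deployments", "apps"),  # still allowed: only delete is narrowed
    ("update", "secrets", ""),          # still allowed cluster-wide
    ("delete", "pods/log", ""),         # subresource is not covered by "pods"
]

if __name__ == "__main__":
    for check, allowed in audit(DASHBOARD_RULES, CHECKS).items():
        print(f"{check:20s} {'yes' if allowed else 'no'}")
    # Live check after the binding is applied (real kubectl syntax):
    # kubectl auth can-i delete pods --as=system:serviceaccount:kube-system:dashboard
```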
  