  • Kubernetes dashboard permission restriction

    When the dashboard is shared by many people, accidental operations happen often. To constrain the dashboard, permission control was added to it; the main restriction here is that only pods may be deleted.
    1: Create a ClusterRole with the corresponding permissions (here only pods are allowed to be deleted)

    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1alpha1   # on current clusters the stable version is rbac.authorization.k8s.io/v1
    metadata:
      name: dashboard
    rules:
    # every verb except delete, on every resource in every API group
    - apiGroups: ["*"]
      resources: ["*"]
      verbs: ["get", "watch", "list", "create", "proxy", "update"]
    # delete is granted only for pods
    - apiGroups: ["*"]
      resources: ["pods"]
      verbs: ["delete"]

    One thing to note: for the dashboard to display heapster's monitoring data, proxy access to the services resource must also be opened in resources.


    2: Create the ServiceAccount

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: dashboard
      namespace: kube-system

    3: Bind the ClusterRole and the ServiceAccount to each other

    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1alpha1
    metadata:
      name: dashboard-extended
    subjects:
      - kind: ServiceAccount
        name: dashboard
        namespace: kube-system
    roleRef:
      kind: ClusterRole
      name: dashboard
      #name: cluster-admin # the default cluster-admin grants full permissions
      apiGroup: rbac.authorization.k8s.io

    4: Add the ServiceAccount to the deployment
    spec.template.spec.serviceAccountName: dashboard

    5: So that heapster also gets permissions, grant heapster the system:heapster role in the same way

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: heapster
      namespace: kube-system
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1alpha1
    metadata:
      name: heapster-extended
    subjects:
      - kind: ServiceAccount
        namespace: kube-system
        name: heapster
    roleRef:
      kind: ClusterRole
      name: system:heapster
      apiGroup: rbac.authorization.k8s.io
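    As an added check that is not part of the original post, the following script (my own code, not the Kubernetes authorizer) transcribes the rules of the dashboard ClusterRole from step 1 into Python and evaluates requests with the same matching semantics RBAC uses: a request is allowed if any rule matches its apiGroup, resource and verb, with "*" as a wildcard and a plain resource name not matching its subresources.

```python
# Offline evaluator for the "dashboard" ClusterRole shown above.
# Added example; the rules are transcribed from the YAML, the matching
# logic mirrors Kubernetes RBAC semantics but is not the apiserver's code.
from typing import Dict, List

Rule = Dict[str, List[str]]

# Transcribed from the ClusterRole in step 1.
DASHBOARD_RULES: List[Rule] = [
    {"apiGroups": ["*"], "resources": ["*"],
     "verbs": ["get", "watch", "list", "create", "proxy", "update"]},
    {"apiGroups": ["*"], "resources": ["pods"], "verbs": ["delete"]},
]


def _match_resource(allowed: str, requested: str) -> bool:
    """RBAC resource matching: "*" matches every resource and subresource,
    "pods" matches only "pods" (not "pods/log"), and "*/log" matches the
    "log" subresource of any resource."""
    if allowed == "*":
        return True
    if "/" in allowed:
        res, sub = allowed.split("/", 1)
        if "/" not in requested:
            return False
        req_res, req_sub = requested.split("/", 1)
        return (res == "*" or res == req_res) and sub == req_sub
    return allowed == requested


def rule_allows(rule: Rule, api_group: str, resource: str, verb: str) -> bool:
    """True if one rule grants this (group, resource, verb) triple."""
    group_ok = "*" in rule["apiGroups"] or api_group in rule["apiGroups"]
    verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    resource_ok = any(_match_resource(a, resource) for a in rule["resources"])
    return group_ok and verb_ok and resource_ok


def can_i(rules: List[Rule], verb: str, resource: str, api_group: str = "") -> bool:
    """Rules are purely additive: allowed if any rule matches."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


if __name__ == "__main__":
    checks = [("delete", "pods", ""), ("delete", "deployments", "apps"),
              ("get", "services/proxy", ""), ("update", "deployments", "apps"),
              ("deletecollection", "pods", "")]
    for verb, resource, group in checks:
        ok = can_i(DASHBOARD_RULES, verb, resource, group)
        print(f"{verb:16} {group or 'core'}/{resource}: {'allowed' if ok else 'denied'}")
```

    Note that the first rule still grants create and update on every resource, so the role only withholds the delete verb; an update that scales a Deployment down, for instance, remains permitted, and the same evaluation can be confirmed on a live cluster with kubectl auth can-i --as=system:serviceaccount:kube-system:dashboard.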
  • Original article: https://www.cnblogs.com/ssss429170331/p/7686191.html