2025-02-23 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article shows how to use Permission Manager, a user management tool for Kubernetes (k8s), from installation through creating a user and testing the generated kubeconfig.
Permission Manager
Permission Manager is a project that provides a Web UI for Kubernetes RBAC and user management, giving Kubernetes permission management a friendly visual interface.
Installation
Download the YAML files from https://github.com/sighupio/permission-manager/tree/master/deployments/kubernetes as follows
[root@qd01-stop-k8s-master001 kubernetes]# ll
total 4
-rw-r--r-- 1 root root 2697 Jan 28 11:08 deploy.yml
drwxr-xr-x 2 root root   37 Jan 28 11:14 seeds
Create namespace
[root@qd01-stop-k8s-master001 kubernetes]# kubectl create namespace permission-manager
namespace/permission-manager created
Create a Secret, updating the values for your environment (cluster name, control plane address and the basic auth password)
[rancher@qd01-stop-k8snode011 permission-manager]$ cat secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: permission-manager
  namespace: permission-manager
type: Opaque
stringData:
  PORT: "4000" # port where server is exposed
  CLUSTER_NAME: "kubernetes-cluster" # name of the cluster to use in the generated kubeconfig file
  CONTROL_PLANE_ADDRESS: "https://10.26.29.208:6443" # full address of the control plane to use in the generated kubeconfig file
  BASIC_AUTH_PASSWORD: "Admin" # password used by basic auth (username is `admin`)
[root@qd01-stop-k8s-master001 kubernetes]# kubectl apply -f secret.yaml
secret/permission-manager created
Deployment
[root@qd01-stop-k8s-master001 seeds]# kubectl apply -f crd.yml
Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/permissionmanagerusers.permissionmanager.user created
[root@qd01-stop-k8s-master001 seeds]# kubectl apply -f seed.yml
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___operation created
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___developer created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___read-only created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___admin created
[root@qd01-stop-k8s-master001 kubernetes]# kubectl apply -f deploy.yml
service/permission-manager created
deployment.apps/permission-manager created
serviceaccount/permission-manager created
clusterrole.rbac.authorization.k8s.io/permission-manager created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
clusterrolebinding.rbac.authorization.k8s.io/permission-manager created
Permission Manager is now deployed. The warnings can be ignored, or the API version in the YAML file can be changed to rbac.authorization.k8s.io/v1.
Expose services using ingress
Create ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: permission-manager-ingress
  namespace: permission-manager
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: permission.kubeops.net
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: permission-manager
            port:
              number: 4000
[root@qd01-stop-k8s-master001 kubernetes]# kubectl apply -f ingress.yaml
[root@qd01-stop-k8s-master001 kubernetes]# kubectl get ing -n permission-manager
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
NAME                         CLASS   HOSTS                    ADDRESS                     PORTS   AGE
permission-manager-ingress           permission.kubeops.net   10.26.29.202,10.26.29.203   80      4m8s
Add your own DNS record for the host, then open permission.kubeops.net in a browser and log in with the username and password (set in the Secret). The Ingress above listens on port 80 only, so the basic auth credentials travel over plain HTTP unless TLS is added to the Ingress.
Log in
Currently there are no users, so we can create a normal user as a test
Create a user
Click Create New User
Fill in the relevant information
Then click Save.
You can view the generated config file under the user information
Test
Save the config file and then use it to access the cluster
Here I copy the config file locally, rename it to scofield, and test it with kubectl
[root@qd01-stop-k8s-master001 kubernetes]# kubectl --kubeconfig=scofield get po
No resources found in default namespace.
[root@qd01-stop-k8s-master001 kubernetes]# kubectl --kubeconfig=scofield get po -n argo
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:permission-manager:scofield" cannot list resource "pods" in API group "" in the namespace "argo"
As the output above shows, I queried two namespaces, default and argo. The user has permissions only in the default namespace and has no permission to operate in the argo namespace. This is consistent with the permissions granted when the user was created.
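The Forbidden error names the user as system:serviceaccount:permission-manager:scofield, so each user created in the UI is a ServiceAccount whose access comes entirely from the bindings that reference it. The following added example (not part of the original article or of the Permission Manager project) audits those bindings from JSON shaped like `kubectl get rolebindings,clusterrolebindings -A -o json`; the sample input, the binding names and the `ops` user are constructed.

```python
import json
from collections import defaultdict

PM_NAMESPACE = "permission-manager"  # namespace created during the install above
ADMIN_TEMPLATE = "template-cluster-resources___admin"  # ClusterRole created by seed.yml


def _sa(name, ns=PM_NAMESPACE):
    return {"kind": "ServiceAccount", "name": name, "namespace": ns}


# Constructed sample, shaped like the output of
# `kubectl get rolebindings,clusterrolebindings -A -o json` (binding names are made up).
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "RoleBinding", "metadata": {"name": "scofield-dev", "namespace": "default"},
     "roleRef": {"kind": "ClusterRole", "name": "template-namespaced-resources___developer"},
     "subjects": [_sa("scofield")]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
     "roleRef": {"kind": "ClusterRole", "name": ADMIN_TEMPLATE},
     "subjects": [_sa("ops")]},
    {"kind": "RoleBinding", "metadata": {"name": "argo-binding", "namespace": "argo"},
     "roleRef": {"kind": "Role", "name": "argo-role"},
     "subjects": [_sa("argo", "argo")]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "orphan"},
     "roleRef": {"kind": "ClusterRole", "name": "view"}, "subjects": None},
]})


def audit_bindings(raw_json, pm_namespace=PM_NAMESPACE):
    """Return {user: {scope: [roles]}}; scope is a namespace, or "*" if cluster-wide."""
    grants = defaultdict(lambda: defaultdict(list))
    for item in json.loads(raw_json).get("items", []):
        if item.get("kind") not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        scope = "*" if item["kind"] == "ClusterRoleBinding" else item["metadata"]["namespace"]
        for subj in item.get("subjects") or []:  # subjects can be missing or null
            if subj.get("kind") == "ServiceAccount" and subj.get("namespace") == pm_namespace:
                grants[subj["name"]][scope].append(item["roleRef"]["name"])
    return {user: dict(scopes) for user, scopes in grants.items()}


def cluster_admins(grants):
    """Users bound cluster-wide to the admin template; review these first."""
    return sorted(u for u, s in grants.items() if ADMIN_TEMPLATE in s.get("*", []))


if __name__ == "__main__":
    report = audit_bindings(SAMPLE)
    print(json.dumps(report, indent=2))
    print("cluster-wide admins:", cluster_admins(report))
```

In the sample, scofield has a binding only in default, which is why the request against argo is rejected. On a real cluster, any other ServiceAccount living in the permission-manager namespace shows up in the report as well.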