2025-02-28 Update. From: SLTechnology News & Howtos (Servers)
Shulou (Shulou.com) 06/02 Report
Add permission control for Kubernetes dashboard access users
1. Requirements
Developers need permission to deploy and manage applications in the development environment. They should be able to log in to the dashboard with a token or with a kubeconfig file, and to install kubectl on their own machines so they can use kubectl port-forward.
2. Plan
Because both the dashboard and kubeapps are in use, RBAC permissions have to be granted for each.
Create a namespace: dev
Create a ServiceAccount: dev-user1
Grant the appropriate permissions and bind them to the ServiceAccount.
3. Implementation
3.1 Assign dashboard permissions
Apply the manifest with kubectl apply -f dev-user1.yaml, where dev-user1.yaml contains the following:
```yaml
---
# ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-user1
  namespace: dev
---
# Role (namespaced: it can only grant access to objects in the dev namespace)
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: role-dev-user1
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "delete", "update", "patch"]
- apiGroups: [""]
  resources: ["pods/portforward", "pods/proxy"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list", "watch", "delete"]
# "extensions" is the pre-1.16 API group; on current clusters only "apps"
# serves deployments/replicasets/daemonsets, and ingresses live in networking.k8s.io.
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# list on namespaces is a cluster-scoped request and is not satisfied by a
# namespaced Role; uncomment the ClusterRole below if the user must list all namespaces.
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps", "extensions"]
  resources: ["replicasets"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["persistentvolumeclaims"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["daemonsets"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["cronjobs"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["replicationcontrollers"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["statefulsets"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["get", "watch", "list"]
---
# RoleBinding
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-bind-dev-user1
  namespace: dev
subjects:
- kind: ServiceAccount
  name: dev-user1
  namespace: dev
roleRef:
  kind: Role
  name: role-dev-user1
  apiGroup: rbac.authorization.k8s.io
#---
## ClusterRole (optional, cluster-scoped: no metadata.namespace)
#kind: ClusterRole
#apiVersion: rbac.authorization.k8s.io/v1
#metadata:
#  name: clusterrole-dev-user1
#rules:
#- apiGroups: [""]
#  resources: ["namespaces"]
#  verbs: ["get", "watch", "list"]
#---
## ClusterRoleBinding (optional)
#kind: ClusterRoleBinding
#apiVersion: rbac.authorization.k8s.io/v1
#metadata:
#  name: clusterrole-bind-dev-user1
#subjects:
#- kind: ServiceAccount
#  name: dev-user1
#  namespace: dev
#roleRef:
#  kind: ClusterRole
#  name: clusterrole-dev-user1
#  apiGroup: rbac.authorization.k8s.io
```
3.2 Assign kubeapps permissions
```bash
kubectl apply -f https://raw.githubusercontent.com/kubeapps/kubeapps/master/docs/user/manifests/kubeapps-applications-read.yaml
kubectl create -n dev rolebinding dev-user1-view \
  --clusterrole=kubeapps-applications-read \
  --serviceaccount=dev:dev-user1

export KUBEAPPS_NAMESPACE=kubeapps
kubectl apply -n $KUBEAPPS_NAMESPACE -f https://raw.githubusercontent.com/kubeapps/kubeapps/master/docs/user/manifests/kubeapps-repositories-read.yaml

kubectl create -n dev rolebinding dev-user1-edit \
  --clusterrole=edit \
  --serviceaccount=dev:dev-user1

kubectl create -n $KUBEAPPS_NAMESPACE rolebinding dev-user1-kubeapps-repositories-read \
  --role=kubeapps-repositories-read \
  --serviceaccount=dev:dev-user1
```
Note that the dev-user1-edit binding grants the built-in edit ClusterRole in the dev namespace. That role allows read/write access to most namespaced objects, including creating and modifying Secrets and creating pods/exec, so it is a superset of the carefully trimmed Role in 3.1. If the restrictions in 3.1 are meant to hold, kubeapps must be given a narrower role instead of edit.
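The rule list above is long enough that it is easy to misjudge what it actually permits. The following added example (not code from the original post) re-implements, in Python, the matching that the Kubernetes RBAC authorizer applies to a Role's rules, so the Role from 3.1 can be audited offline: a request is allowed if any rule matches its apiGroup, resource and verb; "*" is a wildcard; a subresource such as pods/log is matched by "pods/log" or "*/log", never by "pods". The DEV_USER1_RULES list is a hand transcription of the Role in 3.1 with the "pathch" typos corrected; jobs and cronjobs are merged into one equivalent rule. The escalation checks at the end are the editor's own list of grants worth flagging in a developer role.

```python
"""Offline evaluation of the dev-user1 Role (added example, not from the post)."""

RW = ["get", "list", "watch", "create", "update", "patch", "delete"]
RO = ["get", "list", "watch"]


def rule(groups, resources, verbs):
    """One PolicyRule in the same shape as the YAML."""
    return {"apiGroups": groups, "resources": resources, "verbs": verbs}


# Transcribed from the Role in section 3.1 (typos fixed, jobs/cronjobs merged).
DEV_USER1_RULES = [
    rule([""], ["pods"], ["get", "list", "watch", "delete", "update", "patch"]),
    rule([""], ["pods/portforward", "pods/proxy"], RW),
    rule([""], ["pods/log"], ["get", "list", "watch", "delete"]),
    rule(["extensions", "apps"], ["deployments"], RW),
    rule([""], ["namespaces"], RO),
    rule([""], ["events"], RO),
    rule(["apps", "extensions"], ["replicasets"], RW),
    rule([""], ["configmaps"], RW),
    rule([""], ["persistentvolumeclaims"], RO),
    rule([""], ["secrets"], RO),
    rule([""], ["services"], RW),
    rule(["extensions"], ["ingresses"], RO),
    rule(["apps"], ["daemonsets"], RO),
    rule(["batch"], ["jobs", "cronjobs"], RO),
    rule([""], ["replicationcontrollers"], RO),
    rule(["apps"], ["statefulsets"], RO),
    rule([""], ["endpoints"], RO),
]


def _resource_matches(rule_resources, resource):
    """RBAC resource matching: exact name, "*", or "*/<subresource>"."""
    for pattern in rule_resources:
        if pattern == "*" or pattern == resource:
            return True
        if pattern.startswith("*/") and "/" in resource:
            if resource.split("/", 1)[1] == pattern[2:]:
                return True
    return False


def rule_allows(r, api_group, resource, verb):
    """A single rule matches only if group, resource and verb all match."""
    return (("*" in r["apiGroups"] or api_group in r["apiGroups"])
            and _resource_matches(r["resources"], resource)
            and ("*" in r["verbs"] or verb in r["verbs"]))


def allows(rules, api_group, resource, verb):
    """The authorizer allows a request if any rule matches (no deny rules exist)."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def effective_verbs(rules, api_group, resource):
    """Union of verbs granted on one resource across all rules."""
    verbs = set()
    for r in rules:
        if ("*" in r["apiGroups"] or api_group in r["apiGroups"]) \
                and _resource_matches(r["resources"], resource):
            verbs.update(r["verbs"])
    return verbs


# Grants that turn a "developer" role into namespace admin or worse
# (editor's list, not from the post): writing Secrets, exec into pods,
# minting tokens for other ServiceAccounts, editing RBAC itself.
ESCALATION_CHECKS = [
    ("", "secrets", "create"),
    ("", "secrets", "update"),
    ("", "pods/exec", "create"),
    ("", "serviceaccounts/token", "create"),
    ("rbac.authorization.k8s.io", "rolebindings", "create"),
    ("rbac.authorization.k8s.io", "roles", "create"),
]


def escalation_findings(rules):
    """Human-readable list of the risky grants a rule set actually contains."""
    return [f"{g or 'core'}/{res} {verb}"
            for g, res, verb in ESCALATION_CHECKS if allows(rules, g, res, verb)]


if __name__ == "__main__":
    print("port-forward allowed:", allows(DEV_USER1_RULES, "", "pods/portforward", "create"))
    print("verbs on secrets:", sorted(effective_verbs(DEV_USER1_RULES, "", "secrets")))
    print("escalation findings:", escalation_findings(DEV_USER1_RULES))
```

Two things the check makes visible. First, the Role itself passes the escalation list: Secrets are read-only and pods/exec is absent. Second, that is weaker than it looks: create on deployments lets the user run any image under any ServiceAccount in the namespace, and the page's own dev-user1-edit binding to the edit ClusterRole grants Secret writes and pods/exec outright, so the effective permission set is that of edit, not of this Role.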
Token acquisition:
```bash
kubectl get -n dev secret $(kubectl get -n dev serviceaccount dev-user1 -o jsonpath='{.secrets[0].name}') \
  -o jsonpath='{.data.token}' | base64 --decode
```
This relies on the token Secret that older clusters (such as the 1.12 release this post targets) create automatically for every ServiceAccount. Since Kubernetes 1.24 that Secret is no longer auto-created; request a short-lived token with kubectl create token dev-user1 -n dev instead, or create a Secret of type kubernetes.io/service-account-token explicitly. A secret-based token has no expiry and stays valid until the Secret is deleted.
3.3 Generate a kubeconfig
Access kube-apiserver through the token:
```bash
# create the kubectl config file
# set the cluster parameters
kubectl config set-cluster kubernetes \
  --insecure-skip-tls-verify=true \
  --server="https://192.168.105.99:8443"
# set the client authentication parameters
kubectl config set-credentials dev-user1 \
  --token='<the token obtained above>'
# set the context parameters
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=dev-user1 \
  --namespace=dev
# set the default context
kubectl config use-context kubernetes
```
--insecure-skip-tls-verify=true turns off verification of the API server certificate, so the bearer token is sent to whatever answers at that address. For anything beyond a throwaway lab, pass the cluster CA instead: --certificate-authority=<path to ca.crt> --embed-certs=true.
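Before a token from 3.2 is pasted into a kubeconfig it is worth looking at what it claims, and the kubeconfig itself can be generated in a way that does not need --insecure-skip-tls-verify. The following added example (not code from the original post or from the kubectl project) does both in Python: decode_claims reads the JWT payload without verifying the signature (inspection only; only the API server verifies it), check_sa_token confirms the sub claim names the expected ServiceAccount and flags the missing exp of a legacy token, and build_kubeconfig/write_kubeconfig produce a file that embeds the cluster CA and is created with mode 0600. The token is CONSTRUCTED with the claim layout of a legacy ServiceAccount token and a dummy signature, the CA text is a placeholder, and the server address is the one used in the post; kubectl accepts JSON-formatted kubeconfigs (JSON is valid YAML), which is why no PyYAML dependency is needed.

```python
"""Inspect a ServiceAccount token and build a hardened kubeconfig around it.
Added example, not from the post; runs offline against a constructed token."""
import base64
import json
import os
import tempfile


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)  # JWT segments omit padding
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(namespace, name, secret_name):
    """CONSTRUCTED token with the claims a legacy (secret-based) ServiceAccount
    token carries. The signature is 32 zero bytes; no API server accepts it."""
    header = {"alg": "RS256", "kid": ""}
    payload = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/secret.name": secret_name,
        "kubernetes.io/serviceaccount/service-account.name": name,
        "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000000",
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }
    segments = [_b64url_encode(json.dumps(part).encode()) for part in (header, payload)]
    return ".".join(segments + [_b64url_encode(b"\x00" * 32)])


def decode_claims(token):
    """JWT payload WITHOUT signature verification: inspection, not authentication."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_sa_token(token, namespace, name):
    """Findings that should stop you from handing the token to a developer."""
    claims = decode_claims(token)
    findings = []
    expected = f"system:serviceaccount:{namespace}:{name}"
    if claims.get("sub") != expected:
        findings.append(f"sub is {claims.get('sub')!r}, expected {expected!r}")
    if "exp" not in claims:
        findings.append("no exp claim: legacy secret-based token, never expires; "
                        "revoke it by deleting the Secret")
    return findings


def build_kubeconfig(server, ca_pem, token, user="dev-user1", namespace="dev", name="kubernetes"):
    """Kubeconfig as a dict. The CA is embedded as certificate-authority-data;
    insecure-skip-tls-verify is deliberately absent, because with it any host
    answering on the server address would receive the bearer token."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{"name": name, "cluster": {
            "server": server,
            "certificate-authority-data": base64.b64encode(ca_pem.encode()).decode(),
        }}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": name, "context": {"cluster": name, "user": user, "namespace": namespace}}],
        "current-context": name,
    }


def write_kubeconfig(config, path):
    """Create the file 0600 from the start (it holds a bearer token); return its mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        json.dump(config, handle, indent=2)  # JSON is valid YAML; kubectl reads it
    return os.stat(path).st_mode & 0o777


def demo():
    """Whole flow on the constructed token; returns (findings, config, file mode)."""
    token = make_sample_token("dev", "dev-user1", "dev-user1-token-2ll9g")
    findings = check_sa_token(token, "dev", "dev-user1")
    ca_pem = "-----BEGIN CERTIFICATE-----\n(cluster CA placeholder)\n-----END CERTIFICATE-----\n"
    config = build_kubeconfig("https://192.168.105.99:8443", ca_pem, token)
    with tempfile.TemporaryDirectory() as tmp:
        mode = write_kubeconfig(config, os.path.join(tmp, "config"))
    return findings, config, mode


if __name__ == "__main__":
    found, cfg, mode = demo()
    print("findings:", found)
    print("kubeconfig mode:", oct(mode))
    print(json.dumps(cfg, indent=2))
```

Run against a real token, the only expected finding on a pre-1.24 cluster is the missing exp; a token from kubectl create token carries exp and produces none. A sub that names a different ServiceAccount means the wrong Secret was read in 3.2.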
Caution
Specify a path when building the kubeconfig so you do not overwrite your own configuration: add --kubeconfig=<path> to each of the commands above.
You can also create the config file directly and edit its content:
```yaml
apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://192.168.105.99:8443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: dev
    user: dev-user1
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: dev-user1
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZXYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiZGV2LXVzZXIxLXRva2VuLTJsbDlnIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZX291bnQubmFtZSI6ImRldi11c2VyMSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjdiY2Q4N2E1LWM0NGEtMTFlOC1iY2I5LTAwMGMyOWVhM2UzMCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZXY6ZGV2LXVzZXIxIn0.1M84CPHY-GoyeaRFyBcD49GTwG5o0HMhN8lVsH9GDiqdui-1ppyi3JMONRJ9aWdswEF7-wsb5d4MQEk-9z5yiVh3r8SMP0EhcUR5ierntzD1bwwwuYzDxE4vHAuPB1tTxM0fOL3H-BOjt68iBKmOtRJumx8LzSUleQiNBBqR1B_yRLqrO6yslw44WC432O5g1v
```
4. Test verification
Windows kubectl installation
Download the command:
https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/windows/amd64/kubectl.exe
Then put it in a directory on the system PATH, such as C:\Windows.
The command can be run from cmd, PowerShell, or any other command-line tool. Git Bash is recommended, since it is installed along with Git.
Kubeconfig file
The kubeconfig file is the config file generated above.
Name it config and place it under ~/.kube/ (~ is the user's home directory); kubectl reads that file by default. Otherwise every kubectl command needs --kubeconfig=<path>. The file contains the bearer token, so keep it readable only by its owner (on Linux or macOS: chmod 600 ~/.kube/config) and treat it like a password.
```bash
kubectl get pod -n dev
kubectl port-forward -n dev svc/dev-mysql-mysqlha 3306:3306
```
Forwarding to a Service needs get/list on pods and services plus create on pods/portforward, all of which the Role in 3.1 grants; if either command is refused, check the binding with kubectl auth can-i --as=system:serviceaccount:dev:dev-user1 -n dev create pods/portforward.