Restricting Kubernetes dashboard permissions
2021-05-23 08:29

When the dashboard is shared by many people, accidental operations happen often. To constrain the dashboard, it was put under RBAC permission control; the main restriction here is that only pods may be deleted. One thing to note: for the dashboard to keep displaying heapster's monitoring data, the proxy verb on services must still be granted in the resources list.

1: Create a ClusterRole with the corresponding permissions (here mainly only pods are allowed to be deleted)

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1   # the original post's version; current clusters use rbac.authorization.k8s.io/v1
metadata:
  name: dashboard
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list", "create", "proxy", "update"]
- apiGroups: ["*"]
  resources: ["pods"]
  verbs: ["delete"]

2: Create a ServiceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard
  namespace: kube-system

3: Bind the ClusterRole and the ServiceAccount to each other

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: dashboard-extended
subjects:
- kind: ServiceAccount
  name: dashboard
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: dashboard
  #name: cluster-admin   # the default cluster-admin grants all permissions
  apiGroup: rbac.authorization.k8s.io

4: Give the deployment the ServiceAccount's permissions

In the dashboard Deployment, set spec.template.spec.serviceAccountName: dashboard

5: So that heapster also gets permissions, grant heapster the system:heapster role in the same way

apiVersion: v1
kind: ServiceAccount
metadata:
  name: heapster
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: heapster-extended
subjects:
- kind: ServiceAccount
  namespace: kube-system
  name: heapster
roleRef:
  kind: ClusterRole
  name: system:heapster
  apiGroup: rbac.authorization.k8s.io

Original article: http://www.cnblogs.com/ssss429170331/p/7686191.html
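The ClusterRole above narrows only the delete verb to pods; its first rule still grants get, watch, list, create, proxy and update on every resource in every API group, so "only pods may be deleted" is the whole extent of the restriction. The following Python evaluator, an added example that is not code from the original post, reproduces the verb/apiGroup/resource matching semantics of an RBAC PolicyRule and runs the post's rules against a set of constructed sample requests, next to a constructed, tighter rule set (an assumption for comparison, not something the post proposes; whether the dashboard still works with it has to be checked against the dashboard's own needs). The TIGHTER_RULES, SAMPLE_REQUESTS and the function names are all invented here.

```python
"""Evaluate which requests a set of Kubernetes RBAC rules allows.

Added example, not code from the original post. It reproduces the matching
semantics of an RBAC PolicyRule for the verb/apiGroup/resource part of a
request: "*" in apiGroups, resources or verbs matches anything, the core
API group is the empty string "", and a subresource such as "pods/log" is
matched only by "*" or by naming it explicitly. resourceNames and
nonResourceURLs are not modelled.
"""
from typing import Dict, List, Tuple

Rule = Dict[str, List[str]]
Request = Tuple[str, str, str]  # (verb, resource, apiGroup)

# The ClusterRole "dashboard" from the post, expressed as Python data.
DASHBOARD_RULES: List[Rule] = [
    {"apiGroups": ["*"], "resources": ["*"],
     "verbs": ["get", "watch", "list", "create", "proxy", "update"]},
    {"apiGroups": ["*"], "resources": ["pods"], "verbs": ["delete"]},
]

# A constructed, tighter variant (an assumption, not from the post): read-only
# on everything, the proxy verb on services that the post says heapster needs,
# and delete on pods only. No create or update anywhere.
TIGHTER_RULES: List[Rule] = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["services"], "verbs": ["proxy"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["delete"]},
]

# Constructed sample requests to probe both rule sets with.
SAMPLE_REQUESTS: List[Request] = [
    ("delete", "pods", ""),
    ("delete", "deployments", "apps"),
    ("deletecollection", "pods", ""),
    ("proxy", "services", ""),
    ("get", "pods/log", ""),
    ("create", "pods", ""),
    ("update", "secrets", ""),
]


def _matches(allowed: List[str], wanted: str) -> bool:
    """A rule field matches if it names the value or contains the wildcard."""
    return "*" in allowed or wanted in allowed


def allows(rules: List[Rule], verb: str, resource: str, api_group: str = "") -> bool:
    """True if any rule grants verb on resource in api_group (rules are OR-ed)."""
    return any(
        _matches(r["apiGroups"], api_group)
        and _matches(r["resources"], resource)
        and _matches(r["verbs"], verb)
        for r in rules
    )


def evaluate(rules: List[Rule], requests: List[Request]) -> Dict[Request, bool]:
    """Decision for each request under the given rules."""
    return {req: allows(rules, *req) for req in requests}


def only_in_first(a: List[Rule], b: List[Rule], requests: List[Request]) -> List[Request]:
    """Requests that rule set a allows but rule set b denies: what a over-grants."""
    return [req for req in requests if allows(a, *req) and not allows(b, *req)]


if __name__ == "__main__":
    for req, ok in evaluate(DASHBOARD_RULES, SAMPLE_REQUESTS).items():
        verb, resource, group = req
        print(f"dashboard role: {verb:16s} {resource:12s} group={group!r:6} -> "
              f"{'allow' if ok else 'deny'}")
    print("allowed by the post's role but not by the tighter one:",
          only_in_first(DASHBOARD_RULES, TIGHTER_RULES, SAMPLE_REQUESTS))
```

Run against the post's role, the evaluator confirms that deleting deployments is denied while deleting pods, proxying services, creating pods and updating secrets are all allowed; the comparison lists create on pods and update on secrets as the sample requests the post's role grants that the read-mostly variant does not. On a live cluster the same question is answered by the API server itself with `kubectl auth can-i delete pods --as=system:serviceaccount:kube-system:dashboard`, which also covers resourceNames, subresources and aggregated roles that this small evaluator leaves out.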