基本说明
在生产环境使用k8s以后,大部分应用都实现了高可用,不仅降低了维护成本,也简化了很多应用的部署成本,但是同时也带来了诸多问题。比如开发可能需要查看自己的应用状态、连接信息、日志、执行命令等。
使用k8s后,业务应用以Pod为单位,不再像之前以服务器为单位、可以直接登录服务器进行相关操作。业务应用部署到k8s之后,k8s官方的Dashboard虽然可以进行查看日志、执行命令等基本操作,但作为运维人员,不希望开发操作或查看自己范围之外的Pod,此时就需要使用RBAC进行相应的权限配置。
k8s版本
[root@master02 ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master01 Ready master 14d v1.19.16
master02 Ready master 14d v1.19.16
master03 Ready master 14d v1.19.16
node01 Ready <none> 13d v1.19.16
node02 Ready <none> 13d v1.19.16
更改Dashboard认证方式
ClusterRole: Namespace只读、容器日志查看权限、容器命令执行权限、容器删除权限,这四个最常用的权限
master节点操作
1.修改master节点 kube-apiserver
[root@master02 ~]# vi /etc/kubernetes/cfg/kube-apiserver.conf
--token-auth-file=/etc/kubernetes/basic_auth_file \ # Add this to the kube-apiserver startup options; the author puts it last ("otherwise it may misbehave"). The trailing "\" is a shell line continuation, so keep it only if another option follows, and do not copy this inline note into the file: a "\" followed by a space or a comment no longer continues the line, which is the most likely cause of that "bug".
# --basic-auth-file was dropped (around 1.7 according to the author) in favour of --token-auth-file. The file it points to is a static token file, one line per identity: token,username,uid,"group1,group2" — the first column is the bearer token, not a password; it is read once at startup, so edits need a kube-apiserver restart.
2.修改kubernetes-dashboard命名空间下的Deployment, kubernetes-dashboard
[root@master02 ~]# kubectl edit deployment -n kubernetes-dashboard kubernetes-dashboard
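spec:
  affinity: {}
  containers:
  - args:
    - --auto-generate-certificates
    - --namespace=kubernetes-dashboard
    # Added: switch the Dashboard login to basic (username/password) mode.
    # A space is required before '#': the original "basic# ..." is not a YAML
    # comment and would have made the note part of the argument value.
    - --authentication-mode=basic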
3.创建用户名密码配置文件(即 --token-auth-file 指向的静态令牌文件,每行格式为 token,用户名,用户UID,"组";第一列是 Bearer token 而不是密码。示例中 token 与用户名相同、明文且易猜测,生产环境应使用随机长令牌;该文件仅在启动时读取,修改后需重启 kube-apiserver 才生效)。
[root@master02 ~]# cat /etc/kubernetes/basic_auth_file
test1,test1,3,"system:authentication"
test2,test2,4,"system:authentication"
test3,test3,5,"system:authentication"
test4,test4,6,"system:authentication"
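# ClusterRole: cluster-wide read-only access to the Namespace list plus pod
# metrics (metrics.k8s.io). It is bound below to the whole group named in the
# static token file, so every such user can enumerate namespaces in the Dashboard.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    # Copied from the built-in roles; on a custom role name it presumably has
    # no effect (the apiserver only reconciles its own default roles) — confirm.
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    # Also copied from the built-in roles; informational only on a custom role.
    kubernetes.io/bootstrapping: rbac-defaults
    # NOTE(review): aggregate-to-edit merges these rules into the built-in
    # "edit" (and therefore "admin") aggregated ClusterRoles, so every subject
    # already bound to edit/admin also gains cluster-wide namespace listing
    # and pod-metrics read. Drop this label unless that widening is intended.
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: ratel-namespace-readonly
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch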
---
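# Cluster-wide binding of the namespace read-only role to the group listed in
# the fourth column of the static token file. Note this is the custom group
# "system:authentication" from that file, not the built-in
# "system:authenticated" group that every authenticated identity belongs to;
# the name here must match the token file exactly or the binding grants nothing.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ratel-namespace-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-namespace-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authentication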
#保存下来然后kubectl apply -f
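# ClusterRole: read-only view of the common namespaced workload resources.
# It is granted per user through a namespaced RoleBinding (see the test1
# bindings further down), so the rules apply only inside that namespace.
# "secrets" is not in the list (good), but pods/log is: anything an
# application prints to stdout/stderr (connection strings, tokens) becomes
# readable to holders of this role, and configmaps often carry configuration
# that is sensitive in practice.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-resource-readonly
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
# Legacy group: the workload kinds here were removed from "extensions" in 1.16,
# so on v1.19 most of this rule is dead but harmless; ingresses/networkpolicies
# are also served by networking.k8s.io (covered by the rule below).
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch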
---
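# ClusterRole: read pods and their logs, and open exec sessions.
# "create" on pods/exec is the permission behind `kubectl exec`: the holder can
# run commands inside any container of the namespace where this role is bound,
# with that container's privileges (a privileged or hostPath pod therefore
# means node-level access). Grant it only through a namespaced RoleBinding, as
# done below, never a ClusterRoleBinding, and have the audit policy record
# pods/exec requests so sessions are attributable.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-pod-exec
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create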
---
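# ClusterRole: list and delete pods. Deleting a controller-managed pod only
# triggers a restart, but a bare pod is gone for good, and repeated deletes can
# disrupt a workload; scope it with a namespaced RoleBinding as done below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-pod-delete
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - delete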
#保存下来 然后kubectl create -f
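# Per-user RoleBindings for "test1" in the "default" namespace. Each one binds
# a ClusterRole defined above, but as a RoleBinding, so its rules apply only
# inside this namespace — this is what keeps exec/delete from being cluster-wide.
# The subject name must match the username column of the static token file.
#
# Server-populated fields from the original `kubectl get -o yaml` export
# (creationTimestamp, managedFields, resourceVersion, selfLink, uid and the
# List wrapper) are omitted so the file can be re-applied with kubectl without
# stale resourceVersion/uid values being rejected or conflicting.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    ratel: "true"
    username: test1   # presumably how the "ratel" manager tracks per-user bindings — confirm
  name: ratel-pod-delete-test1
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-pod-delete
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    ratel: "true"
    username: test1
  name: ratel-pod-exec-test1
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-pod-exec
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    ratel: "true"
    username: test1
  name: ratel-resource-readonly-test1
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-resource-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test1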
使用serviceaccount