在生产环境使用k8s以后,大部分应用都实现了高可用,不仅降低了维护成本,也简化了很多应用的部署成本,但是同时也带来了诸多问题。比如开发可能需要查看自己的应用状态、连接信息、日志、执行命令等。
使用k8s后,业务应用以Pod为单位,不再像之前以服务器为单位时那样可以直接登录服务器进行相关操作。当业务应用使用k8s部署后,k8s官方的dashboard虽然可以进行查看日志、执行命令等基本操作,但是作为运维人员,不想让开发操作或查看自己范围之外的Pod,此时就要使用RBAC进行相关的权限配置。
[root@master02 ~]# kubectl get nodes
NAME       STATUS   ROLES    AGE   VERSION
master01   Ready    master   14d   v1.19.16
master02   Ready    master   14d   v1.19.16
master03   Ready    master   14d   v1.19.16
node01     Ready    <none>   13d   v1.19.16
node02     Ready    <none>   13d   v1.19.16
ClusterRole:Namespace只读、容器日志查看、容器命令执行、容器删除,这是四个最常用的权限。
1.修改master节点的 kube-apiserver 启动参数:
[root@master02 ~]# vi /etc/kubernetes/cfg/kube-apiserver.conf
--token-auth-file=/etc/kubernetes/basic_auth_file \   #在启动参数配置文件加上这个,加在末尾,要不然可能会出bug
#--basic-auth-file 大概于1.7版本停用,更新为--token-auth-file
2.修改 kubernetes-dashboard 命名空间下的 Deployment kubernetes-dashboard:
[root@master02 ~]# kubectl edit deployment -n kubernetes-dashboard kubernetes-dashboard
spec:
  affinity: {}
  containers:
  - args:
    - --auto-generate-certificates
    - --namespace=kubernetes-dashboard
    - --authentication-mode=basic   # 加上这个
3.创建用户名密码配置文件(每行格式为 token,用户名,uid,"组名";此处 token 与用户名相同且以明文保存,生产环境应改用随机 token,并收紧该文件的读权限):
[root@master02 ~]# cat /etc/kubernetes/basic_auth_file
test1,test1,3,"system:authentication"
test2,test2,4,"system:authentication"
test3,test3,5,"system:authentication"
test4,test4,6,"system:authentication"
# ClusterRole: read-only access to Namespace objects plus pod metrics.
# It is bound below to the custom group "system:authentication", i.e. every
# user whose token-file entry carries that group. This appears to be what lets
# a dashboard user enumerate namespaces at all; the per-user RoleBindings on
# this page then decide what they may do inside a namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    # NOTE(review): this annotation and the two labels below look copied from
    # a built-in role. "autoupdate" only matters for roles the apiserver
    # reconciles at startup, but "aggregate-to-edit" DOES take effect: these
    # rules are merged into the built-in "edit" ClusterRole (and, through it,
    # into "admin"). Confirm that widening is intended.
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: ratel-namespace-readonly
rules:
# Namespaces are cluster-scoped, so get/list/watch here is cluster-wide when
# granted through a ClusterRoleBinding, as it is below.
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
# Pod resource-usage figures from the metrics API (read-only).
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
---
# Binds the role above to the whole "system:authentication" group.
# NOTE(review): this is the custom group name written in the token file, not
# the built-in "system:authenticated" group. The two differ by a few letters;
# mixing them up would either grant nothing or grant every authenticated
# identity (service accounts included) cluster-wide namespace listing.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ratel-namespace-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-namespace-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authentication
# Save this to a file, then: kubectl apply -f <file>
# Three ClusterRoles, one per capability a developer is handed:
#   ratel-resource-readonly  - inspect workload objects and read pod logs
#   ratel-pod-exec           - run commands inside containers
#   ratel-pod-delete         - delete pods
# They are ClusterRoles, but on this page each is granted with a namespaced
# RoleBinding, which confines the grant to that namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-resource-readonly
rules:
# Core workload objects. Note what is absent: no "secrets" and no write verbs
# anywhere in this role, so a bound user can look but not change anything.
- apiGroups:
  - ""
  resources:
  - configmaps   # readable by every bound user; keep credentials out of ConfigMaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  verbs:
  - get
  - list
  - watch
# Status subresources, events, quotas and — the "log view" permission —
# pods/log.
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
# Legacy "extensions" group. Most of these moved to apps/ and
# networking.k8s.io; on the v1.19 cluster shown on this page several are no
# longer served under extensions. A rule naming an unserved resource is
# harmless — it simply grants nothing — so this is kept for compatibility.
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
---
# "Execute commands in containers". Creating pods/exec is effectively the same
# trust level as the container itself: whatever the pod mounts (Secrets, its
# ServiceAccount token, hostPath volumes) becomes reachable to the user. Grant
# it only through a namespaced RoleBinding, as on this page, and keep it away
# from namespaces running privileged or host-mounted pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-pod-exec
rules:
# get/list on pods (and their logs) is needed so the user can pick a target.
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
---
# Delete pods only. For pods owned by a Deployment/ReplicaSet/StatefulSet the
# controller recreates them, so in practice this behaves as a "restart"
# permission; for bare pods it is a real delete.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-pod-delete
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - delete
# Save this to a file, then: kubectl create -f <file>
# Server output (it looks like `kubectl get rolebinding -o yaml` in namespace
# "default"; the managedFields show the objects were written by a client
# calling itself "ratel"). Three RoleBindings hand user test1 the three
# ClusterRoles ratel-pod-delete, ratel-pod-exec and ratel-resource-readonly —
# each one limited to the "default" namespace because the binding itself is
# namespaced.
# NOTE(review): managedFields, resourceVersion, selfLink and uid are populated
# by the apiserver; strip them before re-applying these objects elsewhere.
# The first two documents also seem to have lost their trailing
# "kind: List" / "metadata:" footer when pasted — only the third has it.
apiVersion: v1
items:
# test1 may delete pods in "default".
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: "2021-12-16T16:10:39Z"
    labels:
      ratel: "true"
      username: test1
    managedFields:
    - apiVersion: rbac.authorization.k8s.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:labels:
            .: {}
            f:ratel: {}
            f:username: {}
        f:roleRef:
          f:apiGroup: {}
          f:kind: {}
          f:name: {}
        f:subjects: {}
      manager: ratel
      operation: Update
      time: "2021-12-16T16:10:39Z"
    name: ratel-pod-delete-test1
    namespace: default
    resourceVersion: "1061269"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-pod-delete-test1
    uid: 6c8817db-116c-4355-9b5f-4ed8cab4a0a4
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: ratel-pod-delete
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: test1
---
apiVersion: v1
items:
# test1 may exec into (and read logs of) pods in "default" — the most
# sensitive of the three grants, see the ratel-pod-exec ClusterRole.
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: "2021-12-16T16:10:39Z"
    labels:
      ratel: "true"
      username: test1
    managedFields:
    - apiVersion: rbac.authorization.k8s.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:labels:
            .: {}
            f:ratel: {}
            f:username: {}
        f:roleRef:
          f:apiGroup: {}
          f:kind: {}
          f:name: {}
        f:subjects: {}
      manager: ratel
      operation: Update
      time: "2021-12-16T16:10:39Z"
    name: ratel-pod-exec-test1
    namespace: default
    resourceVersion: "1061268"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-pod-exec-test1
    uid: 5d831581-cc54-4ca2-b097-702f501593f5
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: ratel-pod-exec
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: test1
---
apiVersion: v1
items:
# test1 gets read-only visibility of workload objects in "default".
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: "2021-12-16T16:10:38Z"
    labels:
      ratel: "true"
      username: test1
    managedFields:
    - apiVersion: rbac.authorization.k8s.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:labels:
            .: {}
            f:ratel: {}
            f:username: {}
        f:roleRef:
          f:apiGroup: {}
          f:kind: {}
          f:name: {}
        f:subjects: {}
      manager: ratel
      operation: Update
      time: "2021-12-16T16:10:38Z"
    name: ratel-resource-readonly-test1
    namespace: default
    resourceVersion: "1061267"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-resource-readonly-test1
    uid: 9bcb54cf-1023-4a15-9c20-22d69a312f70
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: ratel-resource-readonly
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: test1
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""