Kubernetes: creating a dashboard user with read-only permissions (plus exec permission)

1. First, manually create a service account that will also get read-only access to cluster-scoped resources:

kubectl create sa dashboard-real-readonly -n kube-system

2. Create a ClusterRole named cluster-readonly

cat cluster-readonly-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-readonly
rules:
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  - horizontalpodautoscalers/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - cronjobs/status
  - jobs
  - jobs/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - ingresses
  - ingresses/status
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicasets/status
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - poddisruptionbudgets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

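The role above is "read-only" in name only: the two pods/exec rules with the create verb let the holder open a shell in any container in any namespace, which is equivalent to acting as every workload's service account and reading whatever secrets are mounted in those pods. Before binding a role like this, it is worth auditing it mechanically. The following is an added example, not code from the original post: a small audit script that takes the JSON form of a ClusterRole (what `kubectl get clusterrole NAME -o json` prints) and reports every rule that goes beyond get/list/watch, treating exec/attach/portforward and secret reads specially. The function names (`audit_cluster_role`, `strip_interactive_access`) and the embedded sample, an abridged copy of the page's role, are this example's own constructions.

```python
import json

# Verbs that only observe state. Anything outside this set means the rule can
# change the cluster or, for exec-style subresources, run code inside it.
READ_ONLY_VERBS = {"get", "list", "watch"}

# Subresources where "create" does not create an API object but opens a live
# session into a running container. Nothing is read, yet it is not read-only.
INTERACTIVE_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}

# Resources whose plain get/list already hands out credentials.
SENSITIVE_READ_RESOURCES = {"secrets"}


def audit_cluster_role(role):
    """Return one finding per (rule, resource) pair that exceeds read-only access.

    `role` is the dict form of a ClusterRole, i.e. json.loads() of the output of
    `kubectl get clusterrole NAME -o json`. A wildcard verb "*" counts as a
    mutating verb; a wildcard resource "*" counts as including secrets.
    """
    findings = []
    for idx, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        write_verbs = verbs - READ_ONLY_VERBS
        for resource in rule.get("resources", []):
            if resource in INTERACTIVE_SUBRESOURCES and write_verbs:
                reason = "grants a live session into containers"
                bad = sorted(write_verbs)
            elif write_verbs:
                reason = "mutating verb in a role meant to be read-only"
                bad = sorted(write_verbs)
            elif resource in SENSITIVE_READ_RESOURCES or resource == "*":
                reason = "read access exposes credentials"
                bad = sorted(verbs)
            else:
                continue
            findings.append({"rule": idx, "resource": resource,
                             "verbs": bad, "reason": reason})
    return findings


def strip_interactive_access(role):
    """Return a copy of `role` with exec/attach/portforward resources removed,
    which is what a genuinely read-only version of the page's role looks like."""
    kept = []
    for rule in role.get("rules", []):
        resources = [r for r in rule.get("resources", [])
                     if r not in INTERACTIVE_SUBRESOURCES]
        if resources:
            kept.append({**rule, "resources": resources})
    return {**role, "rules": kept}


def audit_json(text):
    """Convenience wrapper: audit a ClusterRole given as a JSON string."""
    return audit_cluster_role(json.loads(text))


# Constructed sample (not taken from a live cluster): an abridged copy of the
# cluster-readonly role above, in the JSON shape kubectl prints.
SAMPLE_ROLE_JSON = """
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "cluster-readonly"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    {"apiGroups": [""], "resources": ["configmaps", "pods", "services"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets"],
     "verbs": ["get", "list", "watch"]}
  ]
}
"""

if __name__ == "__main__":
    # Prints two findings, one per duplicated pods/exec rule (rules 0 and 2).
    for f in audit_json(SAMPLE_ROLE_JSON):
        print(f"rule {f['rule']}: {f['verbs']} on {f['resource']}: {f['reason']}")
```

Run it against a live role with `kubectl get clusterrole cluster-readonly -o json | python3 audit.py` after replacing the sample with `sys.stdin.read()`. If the goal is a truly read-only dashboard account, drop the pods/exec rules (as `strip_interactive_access` does); if exec is genuinely required, bind the exec permission with a namespaced RoleBinding to the namespaces where it is needed rather than cluster-wide, and make sure the ClusterRoleBinding's subject name matches the ServiceAccount actually created in step 1, otherwise the token will authenticate but every request will be forbidden.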
3. Create a ClusterRoleBinding named cluster-readonly

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: cluster-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-readonly
subjects:
- kind: ServiceAccount
  name: dashboard-readonly
  namespace: kube-system

4. List all secrets with kubectl get secret -n=kube-system, find the one belonging to the dashboard-readonly account, and describe it. It contains the token; copy the token into the dashboard login screen to log in.

kubectl describe secret -n=kube-system dashboard-readonly-token-<random-suffix>


5. Log in to the dashboard and verify


When attempting to delete a pod or any other resource, the dashboard shows a "forbidden" message like the following (screenshot not reproduced here):
