dashboard在多人使用的时候经常遇到误操作的情况,为了对dashboard进行限制,对dashboard进行了权限控制, 这里主要限制只允许pod被删除。
1:创建对应权限的ClusterRole(这里主要值允许pods被删除)
kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1alpha1metadata: ?name: dashboardrules:- apiGroups: ["*"] ?resources: ["*"] ?verbs: ["get", "watch", "list", "create","proxy","update"]- apiGroups: ["*"] ?resources: ["pods"] ?verbs: ["delete"]
注意的一点是为了让dashboard显示heapster的监控数据,必须还得开放resources中server的proxy方式
2:创建 ServiceAccount
apiVersion: v1kind: ServiceAccountmetadata: ?name: dashboard ?namespace: kube-system
3:将ClusterRole和ServiceAccount互相绑定
kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1alpha1metadata: ?name: dashboard-extendedsubjects: ?- kind: ServiceAccount ???name: dashboard ???namespace: kube-systemroleRef: ?kind: ClusterRole ?name: dashboard ?#name: cluster-admin #默认cluster-admin代表开放全部权限 ?apiGroup: rbac.authorization.k8s.io
4:deployment加入ServiceAccount权限
spec.template.spec.serviceAccountName:dashboard
5:为了让heapster也获得权限,用同样的方式让heapster获得system:heapster的权限
apiVersion: v1kind: ServiceAccountmetadata: ?name: heapster ?namespace: kube-system---kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1alpha1metadata: ?name: heapster-extendedsubjects: ?- kind: ServiceAccount ???namespace: kube-system ???name: heapsterroleRef: ?kind: ClusterRole ?name: system:heapster ?apiGroup: rbac.authorization.k8s.io
kubernetes daahboard权限限制
原文地址:http://www.cnblogs.com/ssss429170331/p/7686191.html