1 Create the Role and RoleBinding
For example, create the cms user:
A Create the Role cms
cms-role-cms.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cms
  namespace: cms
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  - serviceaccounts
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
B Create the RoleBinding
cms-rolebinding-cms.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cms
  namespace: cms
subjects:
- kind: User
  name: cms # target user (must equal the CN of the client certificate issued in step 3)
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: cms # the Role defined above
  apiGroup: rbac.authorization.k8s.io
Apply them:
kubectl create -f cms-role-cms.yaml
kubectl create -f cms-rolebinding-cms.yaml
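Before binding a Role this broad it is worth knowing exactly what it permits. The following Python check is an added example written for this page (it is not part of the original tutorial or of Kubernetes). The rule list is transcribed from cms-role-cms.yaml above; the matching reproduces how the RBAC authorizer evaluates a PolicyRule (apiGroups, resources including resource/subresource, verbs, with "*" as a wildcard; resourceNames are omitted because the Role uses none), and the list of permissions it flags is this example's own selection:

```python
"""Offline check of what the cms Role above actually grants (example code, not from the page)."""

RW = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
RO = ["get", "list", "watch"]

# Transcribed from cms-role-cms.yaml above.
CMS_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"], "verbs": RW},
    {"apiGroups": [""], "resources": ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers",
                                      "replicationcontrollers/scale", "services", "services/proxy"], "verbs": RW},
    {"apiGroups": [""], "resources": ["secrets", "serviceaccounts"], "verbs": RO},
    {"apiGroups": [""], "resources": ["bindings", "events", "limitranges", "namespaces/status", "pods/log", "pods/status",
                                      "replicationcontrollers/status", "resourcequotas", "resourcequotas/status"], "verbs": RO},
    {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["impersonate"]},
    {"apiGroups": ["apps"], "resources": ["daemonsets", "deployments", "deployments/rollback", "deployments/scale",
                                          "replicasets", "replicasets/scale", "statefulsets"], "verbs": RW},
    {"apiGroups": ["autoscaling"], "resources": ["horizontalpodautoscalers"], "verbs": RW},
    {"apiGroups": ["batch"], "resources": ["cronjobs", "jobs"], "verbs": RW},
    {"apiGroups": ["extensions"], "resources": ["daemonsets", "deployments", "deployments/rollback", "deployments/scale",
                                                "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale"], "verbs": RW},
    {"apiGroups": ["policy"], "resources": ["poddisruptionbudgets"], "verbs": RW},
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": RO},
]


def rule_allows(rule, api_group, resource, subresource, verb):
    """True if one PolicyRule covers the request (group, resource[/subresource], verb)."""
    combined = f"{resource}/{subresource}" if subresource else resource
    verb_ok = any(v in ("*", verb) for v in rule.get("verbs", []))
    group_ok = any(g in ("*", api_group) for g in rule.get("apiGroups", []))
    # a rule resource matches literally, as "*", or as "*/<subresource>" (e.g. "*/scale")
    resource_ok = any(
        r == "*" or r == combined or (subresource and r == f"*/{subresource}")
        for r in rule.get("resources", [])
    )
    return verb_ok and group_ok and resource_ok


def can_i(rules, verb, resource, api_group="", subresource=""):
    """Offline equivalent of `kubectl auth can-i <verb> <resource>` against a rule list."""
    return any(rule_allows(r, api_group, resource, subresource, verb) for r in rules)


# Permissions a reviewer flags in a namespace Role because each one reaches credentials or
# identities beyond the Role itself. This selection is the example's own, not a Kubernetes list.
ESCALATION_CHECKS = [
    ("", "pods", "exec", "create", "exec into any pod: read its mounted Secrets and SA token"),
    ("", "pods", "attach", "create", "attach to any pod's process"),
    ("", "pods", "portforward", "create", "tunnel to any pod's ports"),
    ("", "pods", "", "create", "create pods that mount any Secret or service account in the namespace"),
    ("", "secrets", "", "get", "read Secret contents directly"),
    ("", "secrets", "", "list", "list returns full Secret objects, data included"),
    ("", "serviceaccounts", "", "impersonate", "act as any service account in the namespace, inheriting all of its bindings"),
    ("rbac.authorization.k8s.io", "rolebindings", "", "create", "bind more permissions to oneself"),
]


def audit(rules):
    """Return the escalation-relevant permissions the rules grant, as (verb, group, resource, reason)."""
    found = []
    for group, resource, sub, verb, reason in ESCALATION_CHECKS:
        if can_i(rules, verb, resource, group, sub):
            full = f"{resource}/{sub}" if sub else resource
            found.append((verb, group or "core", full, reason))
    return found


if __name__ == "__main__":
    for verb, group, resource, reason in audit(CMS_ROLE_RULES):
        print(f"{verb:12} {group}/{resource:24} {reason}")
```

Run against the cms Role, the audit reports seven findings, among them impersonate on serviceaccounts: that verb lets the cms user act as any service account in the namespace, so every binding those service accounts hold (including the cluster-wide view binding created in step 2) is effectively available to cms. On a live cluster the same questions can be asked with kubectl auth can-i --as=cms -n cms.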
2 Create the token (that is, the service account and the Secret that holds its token)
kubernetes-dashboard-cms-rbac.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-cms
  namespace: cms
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-cms
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard-cms
  namespace: cms
Apply it:
kubectl create -f kubernetes-dashboard-cms-rbac.yaml
Note: the service account here is bound to the ClusterRole view through a ClusterRoleBinding, so it gets read access in every namespace, not only cms (the built-in view role deliberately excludes Secrets). Be very aware of this! Because the cms Role from step 1 also grants the impersonate verb on serviceaccounts, the cms user can run kubectl --as=system:serviceaccount:cms:kubernetes-dashboard-cms and read cluster-wide through this binding. If the dashboard should only show the cms namespace, bind the service account with a RoleBinding to view in namespace cms instead of a ClusterRoleBinding.
3 Create the kubeconfig file (creating the cms user)
A Certificate request
The CN becomes the Kubernetes user name, so it must match the subject of the RoleBinding (cms); O is mapped to the user's group.
cms-csr.json
{
  "CN": "cms",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
B Script to create the kubeconfig
userconfig.sh
# Issues a client certificate and a self-contained kubeconfig for each user listed.
# Expects k8s-root-ca.pem, k8s-root-ca-key.pem and k8s-gencert.json in the current directory.
for targetName in cms; do
  # sign $targetName-csr.json with the cluster root CA -> $targetName.pem, $targetName-key.pem, $targetName.csr
  cfssl gencert --ca k8s-root-ca.pem --ca-key k8s-root-ca-key.pem --config k8s-gencert.json --profile kubernetes "$targetName-csr.json" | cfssljson --bare "$targetName"
  echo "Create $targetName kubeconfig..."
  # cluster entry: API server address and the CA used to verify it (embedded so the file stands alone)
  kubectl config set-cluster kubernetes --certificate-authority=k8s-root-ca.pem --embed-certs=true --server=https://*.*.*.*:6443 --kubeconfig="$targetName.kubeconfig"
  # user entry: the freshly issued client certificate and private key
  kubectl config set-credentials "$targetName" --client-certificate="$targetName.pem" --client-key="$targetName-key.pem" --embed-certs=true --kubeconfig="$targetName.kubeconfig"
  kubectl config set-context kubernetes --cluster=kubernetes --user="$targetName" --kubeconfig="$targetName.kubeconfig"
  kubectl config use-context kubernetes --kubeconfig="$targetName.kubeconfig"
done
The script is a for loop, so adding more names to the list generates a kubeconfig for each of several users with different permissions in one run.
Run the script to create the kubeconfig:
chmod +x userconfig.sh
./userconfig.sh
This produces cms.kubeconfig (together with cms.pem, cms-key.pem and cms.csr written by cfssljson).
4 Add the token to the kubeconfig
Fetch the token that was created. It lives in the Secret (named kubernetes-dashboard-cms-token- followed by a random suffix) that the controller generated for the service account:
kubectl -n cms describe secret $(kubectl -n cms get secret | grep kubernetes-dashboard | awk '{print $1}')
On Kubernetes 1.24 and later no such Secret is created automatically; request a short-lived token instead with kubectl -n cms create token kubernetes-dashboard-cms.
Paste the token value into the cms.kubeconfig generated in step 3, under the cms user entry.
The result looks like this:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ************************BDRVJUSUZJQ0FURS0tLS0tCk1JSUR2akNDQXFhZ0F3SUJBZ0lVWGRFMkozQ0RGdmZmcmRDbS9Ua2ROSE9pZ3Ywd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1pURUxNQWtHQTFVRUJoTUNZMjR4RURBT0JnTlZCQWdUQjNScFlXNXFhV*****RBT0JnTlZCQWNUQjNScApZVzVxYVc0eEREQUtCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HYzNsemRHVnRNUk13RVFZRF**********************
    server: https://*.*.*.*:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: cms
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: cms
  user:
    as-user-extra: {}
    client-certificate-data: ******************************nVGUGVrcjRhaG5VbVEvc2s1YXZQa3MyMgo3aEVvRFh6TUwwbzUxL3I5TTRFdVRqdTZQb0V1SFFSZHIydy9IaFZZaGM5SEdKamlyR1J2a1lTYWZLMnRmZ1dLCjhyZ3o5WVdnOUpvWXJvQTllWUFvV21DR2hERFpmeVNvSmFMQ2tqVThCK3U3TXJSV********************
    client-key-data: *******************************kQTh3L1RPS3hsMXRoTU43ZGFoVHYzQm1CclJnNnNGd1VwQy9yS0Y3Ci9BWFNzM2ZBczVzZmJCOTZQN3lXeXNrQ2dZRUFqd0REWEZVWWdjcllJY1B6UEhtRGtkYU1scnBnNmR2UmlDeEEKRUdKb295Z2Q1cUFGU3hHQ1orODY4ZEt0YVZ6VTZ4WFh********************
    token: ****************************************8YQPdhiRvaKlwq1o1vX1ROX_L8GZpy0Ech-kCk9DfPpGuiPDedWxiLCbS6TaCVUH2v1LDpQwCutWLsknbaxv_-TnlQeXQs1***************
With this kubeconfig you can now log in to the Kubernetes dashboard. Keep in mind that the file carries two identities: the dashboard's kubeconfig login reads only the token, so in the dashboard you act as the service account (cluster-wide view), whereas kubectl presents the client certificate as well, and since the API server checks x509 before bearer tokens, kubectl commands run as the user cms with the Role from step 1.
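Before handing the file out, it pays to verify what its user entry actually carries. The following Python example is added for this page (it is not the tutorial's own code): it decodes the service account token's claims without verifying the signature, confirms which service account the token names, and flags the certificate-plus-token combination and a token with no expiry. The token and the user entry in it are constructed samples shaped like the real ones; the actual cms.kubeconfig values above are redacted.

```python
import base64
import json
from typing import Dict, List, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> Dict:
    """Return the payload claims of a JWT. The signature is NOT checked: only the API
    server holds the signing key, so this shows which identity a pasted token names,
    not whether the token is valid."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_identity(token: str) -> Tuple[str, str]:
    """(namespace, service account name) the token was issued for. Legacy Secret-backed
    tokens carry flat kubernetes.io/serviceaccount/* claims; bound tokens from the
    TokenRequest API nest the same information under the "kubernetes.io" claim."""
    claims = decode_claims(token)
    ns = claims.get("kubernetes.io/serviceaccount/namespace")
    name = claims.get("kubernetes.io/serviceaccount/service-account.name")
    if ns is None or name is None:
        bound = claims.get("kubernetes.io", {})
        ns = bound.get("namespace")
        name = bound.get("serviceaccount", {}).get("name")
    if not ns or not name:
        raise ValueError("no service-account claims: not a Kubernetes SA token")
    return ns, name


def check_kubeconfig_user(user: Dict, expect_ns: str, expect_sa: str) -> List[str]:
    """Review the `user:` block of a kubeconfig entry like the one above."""
    findings = []
    has_cert = "client-certificate-data" in user or "client-certificate" in user
    if has_cert and "token" in user:
        findings.append(
            "both a client certificate and a token: the API server tries x509 before bearer "
            "tokens, so kubectl acts as the certificate subject while the dashboard login "
            "reads only the token")
    if "token" in user:
        claims = decode_claims(user["token"])
        ns, name = token_identity(user["token"])
        if (ns, name) != (expect_ns, expect_sa):
            findings.append(f"token belongs to system:serviceaccount:{ns}:{name}, "
                            f"not {expect_ns}/{expect_sa}")
        if "exp" not in claims:
            findings.append("token has no exp claim: a legacy Secret-backed token that stays "
                            "valid until the Secret is deleted")
    return findings


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _constructed_jwt(claims: Dict) -> str:
    """CONSTRUCTED sample token for offline use: correctly shaped, but unsigned."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.{_b64url_encode(b'not-a-real-signature')}"


# Claims shaped like the legacy token of kubernetes-dashboard-cms in namespace cms (constructed).
SAMPLE_TOKEN = _constructed_jwt({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "cms",
    "kubernetes.io/serviceaccount/secret.name": "kubernetes-dashboard-cms-token-abcde",
    "kubernetes.io/serviceaccount/service-account.name": "kubernetes-dashboard-cms",
    "sub": "system:serviceaccount:cms:kubernetes-dashboard-cms",
})

# Shape of the users[0].user block from cms.kubeconfig above, with the certificate fields stubbed.
SAMPLE_USER = {
    "client-certificate-data": "<cms client certificate, base64>",
    "client-key-data": "<cms client key, base64>",
    "token": SAMPLE_TOKEN,
}

if __name__ == "__main__":
    print(token_identity(SAMPLE_TOKEN))
    for finding in check_kubeconfig_user(SAMPLE_USER, "cms", "kubernetes-dashboard-cms"):
        print("-", finding)
```

To check a real file, pass the value of the token field from cms.kubeconfig to token_identity; the namespace and name it returns must be cms and kubernetes-dashboard-cms, otherwise the wrong Secret was picked up by the grep in step 4.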
1 Create Service Account
cat <
2 Create ClusterRoleBinding
cat <
3 Get the token
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
Paste the token it prints into the dashboard login to reach the main page, or append it to the admin user's kubeconfig and log in with that file.