24. Kubernetes (k8s) Notes: Authentication, Authorization and Admission Control (4): RBAC Access Control

RBAC Access Control: ServiceAccount

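The previous section showed how RBAC grants User Accounts permissions at different scopes through bindings.
This section binds permissions to a ServiceAccount. Because ServiceAccount permissions apply to Pods and cannot be verified directly from the command line, the dashboard is used to verify them.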

  • First, the help output shows that a binding can target a serviceaccount
[root@k8s-master authfiles]# kubectl create rolebinding --help
...
Usage:
  kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username]
[--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none]
[options]
Example 1: Deploy the Kubernetes Dashboard to verify ServiceAccount permissions

Official URL: https://kubernetes.io/zh/docs/tasks/access-application-cluster/web-ui-dashboard/

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml

[root@k8s-master authfiles]# kubectl get pod -n kubernetes-dashboard
NAME                                         READY   STATUS    RESTARTS   AGE
dashboard-metrics-scraper-79c5968bdc-28h7g   1/1     Running   0          84s
kubernetes-dashboard-9f9799597-qj8jv         1/1     Running   0          84s

[root@k8s-master authfiles]# kubectl get svc -n kubernetes-dashboard
NAME                        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
dashboard-metrics-scraper   ClusterIP   10.98.196.130   <none>        8000/TCP   91s
kubernetes-dashboard        ClusterIP   10.99.133.20    <none>        443/TCP    93s
  • This is a test environment, so a simple exposure method is used: edit the manifest to expose the Dashboard port
[root@k8s-master authfiles]# vim recommended.yaml  
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  externalIPs:   # expose HTTPS on an external IP
  - 192.168.54.171  
  selector:
    k8s-app: kubernetes-dashboard
  • Re-apply the manifest
[root@k8s-master authfiles]# kubectl apply -f  recommended.yaml
    
[root@k8s-master authfiles]# kubectl get svc -n kubernetes-dashboard
NAME                        TYPE        CLUSTER-IP      EXTERNAL-IP      PORT(S)    AGE
dashboard-metrics-scraper   ClusterIP   10.98.196.130   <none>           8000/TCP   5m7s
kubernetes-dashboard        ClusterIP   10.99.133.20    192.168.54.171   443/TCP    5m9s
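  • Open a browser and enter the address configured above

  • The token used to log in here is the ServiceAccount token; the permissions granted to the ServiceAccount determine what can be done in the dashboard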

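Example 2: Create a serviceaccount, bind it to admin and verify the permissions; the scope is the namespace

  • User --> RoleBinding --> ClusterRole: privilege downgrade; serviceaccount dev-admin has full permissions on the dev namespace
  • Create the serviceaccount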
[root@k8s-master PodControl]# kubectl create serviceaccount dev-admin -n dev
serviceaccount/dev-admin created
  • Bind admin to the serviceaccount through a rolebinding
[root@k8s-master PodControl]# kubectl create  rolebinding dev-admin  -n dev --clusterrole=admin  --serviceaccount=dev:dev-admin
rolebinding.rbac.authorization.k8s.io/dev-admin created
[root@k8s-master PodControl]# kubectl get sa -n rolebinding
No resources found in rolebinding namespace.
[root@k8s-master PodControl]# kubectl get rolebinding  -n dev
NAME        ROLE                AGE
dev-admin   ClusterRole/admin   10s
  • View the token in the serviceaccount's secret
[root@k8s-master PodControl]# kubectl get secrets -n dev
NAME                    TYPE                                  DATA   AGE
admin-token-42gb9       kubernetes.io/service-account-token   3      5d6h
default-token-m5b9r     kubernetes.io/service-account-token   3      5d6h
dev-admin-token-zbt9z   kubernetes.io/service-account-token   3      26s
[root@k8s-master PodControl]# kubectl get secrets dev-admin-token-zbt9z -n dev  -o yaml
apiVersion: v1
data:
  ca.crt: ...
  namespace: ZGV2
  token: ...
...
  • Copy the token above and decode it with base64 -d
[root@k8s-master PodControl]# echo <base64-encoded token value> | base64 -d
[root@k8s-master PodControl]# 
  • Permission check: the account has permissions only on the dev and default namespaces
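
The output of base64 -d is a JWT whose payload is readable by anyone holding it and names the identity the API server will authenticate. The following is an added example, not part of the original post: it decodes a constructed token (same claim names as a Secret-based ServiceAccount token, placeholder uid, secret name, kid and signature) and reports the subject and whether the token expires.

```python
import base64
import json

PREFIX = "kubernetes.io/serviceaccount/"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def describe_sa_token(token: str) -> dict:
    """Decode (without verifying the signature) a ServiceAccount JWT."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return {
        "alg": header.get("alg"),
        "subject": claims.get("sub"),  # username the API server authenticates
        "namespace": claims.get(PREFIX + "namespace"),
        "serviceaccount": claims.get(PREFIX + "service-account.name"),
        "secret": claims.get(PREFIX + "secret.name"),
        # Secret-based tokens have no "exp" claim: they stay valid until the
        # Secret or the ServiceAccount is deleted.
        "expires": "exp" in claims,
    }

# Constructed sample: claim names of a Secret-based token, placeholder values.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    PREFIX + "namespace": "dev",
    PREFIX + "secret.name": "dev-admin-token-xxxxx",
    PREFIX + "service-account.name": "dev-admin",
    PREFIX + "service-account.uid": "00000000-0000-0000-0000-000000000000",
    "sub": "system:serviceaccount:dev:dev-admin",
}
SAMPLE_TOKEN = ".".join(b64url_encode(part) for part in (
    json.dumps({"alg": "RS256", "kid": "constructed-kid"}).encode(),
    json.dumps(SAMPLE_CLAIMS).encode(),
    b"constructed-signature",
))

if __name__ == "__main__":
    print(json.dumps(describe_sa_token(SAMPLE_TOKEN), indent=2))
```

Because the token is a non-expiring bearer credential, pasting it into a terminal, a note or a web page gives whoever reads it the permissions bound to that ServiceAccount.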


Example 3: Create a serviceaccount bound to cluster-admin, giving it super-administrator privileges; the scope is cluster-level resources
  • Create the serviceaccount
[root@k8s-master PodControl]# kubectl create serviceaccount cluster-admin -n kubernetes-dashboard
serviceaccount/cluster-admin created

# Create a clusterrolebinding bound to cluster-admin; it is a cluster-level resource, so no namespace needs to be specified
[root@k8s-master PodControl]# kubectl create clusterrolebinding sa-cluster-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:cluster-admin
clusterrolebinding.rbac.authorization.k8s.io/sa-cluster-admin created

[root@k8s-master PodControl]# kubectl get secrets -n kubernetes-dashboard
NAME                               TYPE                                  DATA   AGE
cluster-admin-token-nq8jq          kubernetes.io/service-account-token   3      29s
default-token-5rlqd                kubernetes.io/service-account-token   3      63m
kubernetes-dashboard-certs         Opaque                                0      63m
kubernetes-dashboard-csrf          Opaque                                1      63m
kubernetes-dashboard-key-holder    Opaque                                2      63m
kubernetes-dashboard-token-kdc57   kubernetes.io/service-account-token   3      63m
[root@k8s-master PodControl]# kubectl get secrets cluster-admin-token-nq8jq -n kubernetes-dashboard -o yaml
apiVersion: v1
data:
  ...
  token: ...
...
  • Decode the token with base64
[root@k8s-master PodControl]# echo <base64-encoded token value> | base64 -d
[root@k8s-master PodControl]# 
  • Log in to kubernetes-dashboard; the account has cluster-wide permissions
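
Examples 2 and 3 reference ClusterRoles in the same way but end up with different scopes, because the kind of binding decides the scope. The following is an added example, not part of the original post: it reads binding objects in the shape returned by `kubectl get rolebindings,clusterrolebindings -A -o json` and lists which ServiceAccounts hold which ClusterRole at which scope. The sample data is constructed from the two bindings created above plus the built-in cluster-admin binding, and the helper `binding` is hypothetical.

```python
def serviceaccount_grants(binding_list: dict) -> list:
    """List (serviceaccount, clusterrole, scope) for ServiceAccount subjects."""
    grants = []
    for item in binding_list.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole":
            continue
        # A RoleBinding narrows the ClusterRole to its own namespace;
        # a ClusterRoleBinding grants it across the whole cluster.
        if item.get("kind") == "RoleBinding":
            scope = "namespace:" + item["metadata"]["namespace"]
        else:
            scope = "cluster"
        for subject in item.get("subjects") or []:
            if subject.get("kind") == "ServiceAccount":
                sa = subject.get("namespace", "") + ":" + subject["name"]
                grants.append((sa, ref["name"], scope))
    return grants

def cluster_wide_admins(binding_list: dict) -> list:
    """ServiceAccounts whose token carries cluster-admin on every namespace."""
    return sorted(sa for sa, role, scope in serviceaccount_grants(binding_list)
                  if role == "cluster-admin" and scope == "cluster")

def binding(kind, name, role, subject, namespace=None):
    # Hypothetical helper that builds one constructed binding object.
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"kind": kind, "metadata": meta, "subjects": [subject],
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": role}}

# Constructed sample in the shape of
# `kubectl get rolebindings,clusterrolebindings -A -o json`.
SAMPLE = {"kind": "List", "items": [
    binding("RoleBinding", "dev-admin", "admin",
            {"kind": "ServiceAccount", "name": "dev-admin", "namespace": "dev"},
            namespace="dev"),
    binding("ClusterRoleBinding", "sa-cluster-admin", "cluster-admin",
            {"kind": "ServiceAccount", "name": "cluster-admin",
             "namespace": "kubernetes-dashboard"}),
    binding("ClusterRoleBinding", "cluster-admin", "cluster-admin",
            {"kind": "Group", "name": "system:masters"}),
]}

if __name__ == "__main__":
    for grant in serviceaccount_grants(SAMPLE):
        print(*grant)
    print("cluster-wide admins:", cluster_wide_admins(SAMPLE))
```

On a real cluster, every ServiceAccount this reports as a cluster-wide admin is an account whose token alone is enough to control the whole cluster, so each entry should be reviewed and narrowed where possible.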

