1.创建名字为“Dashboard-viewonly“的Cluster Role,各种资源只给予了list,get,watch的权限。dashboard-viewonly.yaml

---

apiVersion: rbac.authorization.k8s.io/v1

kind: ClusterRole

metadata:

  name: dashboard-viewonly

rules:

- apiGroups:

  - ""

  resources:

  - configmaps

  - endpoints

  - persistentvolumeclaims

  - pods

  - replicationcontrollers

  - replicationcontrollers/scale

  - serviceaccounts

  - services

  - nodes

  - persistentvolumeclaims

  - persistentvolumes

  verbs:

  - get

  - list

  - watch

- apiGroups:

  - ""

  resources:

  - bindings

  - events

  - limitranges

  - namespaces/status

  - pods/log

  - pods/status

  - replicationcontrollers/status

  - resourcequotas

  - resourcequotas/status

  verbs:

  - get

  - list

  - watch

- apiGroups:

  - ""

  resources:

  - namespaces

  verbs:

  - get

  - list

  - watch

- apiGroups:

  - apps

  resources:

  - daemonsets

  - deployments

  - deployments/scale

  - replicasets

  - replicasets/scale

  - statefulsets

  verbs:

  - get

  - list

  - watch

- apiGroups:

  - autoscaling

  resources:

  - horizontalpodautoscalers

  verbs:

  - get

  - list

  - watch

- apiGroups:

  - batch

  resources:

  - cronjobs

  - jobs

  verbs:

  - get

  - list

  - watch

- apiGroups:

  - extensions

  resources:

  - daemonsets

  - deployments

  - deployments/scale

  - ingresses

  - networkpolicies

  - replicasets

  - replicasets/scale

  - replicationcontrollers/scale

  verbs:

  - get

  - list

  - watch

- apiGroups:

  - policy

  resources:

  - poddisruptionbudgets

  verbs:

  - get

  - list

  - watch

- apiGroups:

  - networking.k8s.io

  resources:

  - networkpolicies

  verbs:

  - get

  - list

  - watch

- apiGroups:

  - storage.k8s.io

  resources:

  - storageclasses

  - volumeattachments

  verbs:

  - get

  - list

  - watch

- apiGroups:

  - rbac.authorization.k8s.io

  resources:

  - clusterrolebindings

  - clusterroles

  - roles

  - rolebindings

  verbs:

  - get

  - list

  - watch

2.创建名字为vss-read的service account,并且绑定这个sa到dashboard-viewonly这个clusterRole。vss-read.yaml

---

apiVersion: rbac.authorization.k8s.io/v1beta1

kind: ClusterRoleBinding

metadata:

  name: vss-read

  labels:

    k8s-app: vss-read

roleRef:

  apiGroup: rbac.authorization.k8s.io

  kind: ClusterRole

  name: dashboard-viewonly

subjects:

- kind: ServiceAccount

  name: vss-read

  namespace: kube-system

3. 查看现有dashboard的配置

$ kubectl get pods -n kube-system |grep dashboard

kubernetes-dashboard-6c664cf6c5-gfckr                                 /       Running             20d

$ kubectl describe svc kubernetes-dashboard -n kube-system

Name:              kubernetes-dashboard

Namespace:         kube-system

Labels:            k8s-app=kubernetes-dashboard

Annotations:       kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":...

Selector:          k8s-app=kubernetes-dashboard

Type:              ClusterIP

IP:                100.71.200.102

Port:              <unset>  /TCP

TargetPort:        /TCP

Endpoints:         100.98.177.79:

Session Affinity:  None

Events:            <none>$ kubectl get service -n kube-system -o wide

NAME                                                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE       SELECTOR

cluster-autoscaler----aws-cluster-autoscaler   ClusterIP   100.68.131.0     <none>        /TCP        47d       app=aws-cluster-autoscaler,release=cluster-autoscaler---

kube-dns                                               ClusterIP   100.64.0.10      <none>        /UDP,/TCP   227d      k8s-app=kube-dns

kube-state-metrics                                     ClusterIP   100.70.246.130   <none>        /TCP        181d      app=kube-state-metrics,release=kube-state-metrics

kubernetes-dashboard                                   ClusterIP   100.71.200.102   <none>        /TCP         112d      k8s-app=kubernetes-dashboard

metrics-server                                         ClusterIP   100.67.89.201    <none>        /TCP         167d      k8s-app=metrics-server

tiller-deploy                                          ClusterIP   100.65.225.136   <none>        /TCP       227d      app=helm,name=tiller

$ kubectl get service -n kube-system -o wide |grep dashboard

kubernetes-dashboard                                   ClusterIP   100.71.200.102   <none>        /TCP         112d      k8s-app=kubernetes-dashboard

4.应用这两个yaml文件到K8S集群环境中

$ kubectl apply -f dashboard-viewonly.yaml

$ kubectl apply -f vss-read.yaml

5.查看vss-read用户的token全名

$ kubectl describe serviceaccount vss-read -n kube-system

Name:         vss-read

Namespace:    kube-system

Labels:       <none>

Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"vss-read","namespace":"kube-system"}}

Image pull secrets:  <none>

Mountable secrets:   vss-read-token-zs89w

Tokens:              vss-read-token-zs89w

Events:              <none>

6.查看token值

$ kubectl describe secret vss-read-token-zs89w -n kube-system

Name:         vss-read-token-zs89w

Namespace:    kube-system

Labels:       <none>

Annotations:  kubernetes.io/service-account.name=vss-read

              kubernetes.io/service-account.uid=f7b82f23-0e83-11e9-8b41-02351c31ffae

Type:  kubernetes.io/service-account-token

Data

====

ca.crt:      bytes

namespace:   bytes

token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJ2c3MtcmVhZC10b2tlbi16czg5dyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ2c3MtcmVhZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImY3YjgyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaNt3KDsgaaaaaaaaaaaaaaaaaaaa

7.通过这个token值来登录K8S,dashboard

参考:

https://www.cnblogs.com/fengzhihai/p/9851470.html

https://www.cnblogs.com/linuxk/p/9783510.html

K8S dashboard 创建只读账户的更多相关文章

  1. Mysql 创建只读账户

    mysql 创建只读账户: 1.查询所有账号信息 SELECT DISTINCT a.`User`,a.`Host`,a.password_expired,a.password_last_change ...

  2. PostgreSQL创建只读账户

    目前PostgreSQL并不能像MySQL一样直接对某个数据库赋予只读权限,现实中有研发需要新建一个用户然后赋予对某个数据库只读权限. 举例说明如何创建 用edbstore用户连接edbstore数据 ...

  3. Azure SQL Database (25) Azure SQL Database创建只读用户

    <Windows Azure Platform 系列文章目录> 本文将介绍如何在Azure SQL Database创建只读用户. 请先按照笔者之前的文章:Azure SQL Databa ...

  4. 给你的Kubernetes集群建一个只读账户(防止高管。。。后)

    给你的Kubernetes集群建一个只读账户 需求:我们知道搭完k8s集群会创建一个默认的管理员kubernetes-admin用户该用户拥有所以权限,有一天开发或测试的同学需要登录到k8s集群了解业 ...

  5. 【k8s】在AWS EKS部署并通过ALB访问k8s Dashboard保姆级教程

    本教程适用范围 在AWS上使用EKS服务部署k8s Dashboard,并通过ALB访问 EKS集群计算节点采用托管EC2,并使用启动模板. 使用AWS海外账号,us-west-2区域 使用账号默认v ...

  6. kubernetes高级之创建只读文件系统以及只读asp.net core容器

    系列目录 使用docker创建只读文件系统 容器化部署对应用的运维带来了极大的方便,同时也带来一些新的安全问题需要考虑.比如黑客入侵到容器内,对容器内的系统级别或者应用级别文件进行修改,会造成难以估量 ...

  7. Ubuntu下搭建Kubernetes集群(4)--部署K8S Dashboard

    K8S Dashboard是官方的一个基于WEB的用户界面,专门用来管理K8S集群,并可展示集群的状态.K8S集群安装好后默认没有包含Dashboard,我们需要额外创建它. 首先我们执行命令: wg ...

  8. ORACLE权限管理—创建只读账号

    创建只读用户:grant connect to user; grant create session to user; 1.创建角色 CREATE ROLE SELECT_ROLE 2.给角色分配权限 ...

  9. mssql instead of 触发器应用一-创建只读视图(view)的方法

    转自: http://www.maomao365.com/?p=4906 <span style="color:white;background-color:blue;font-wei ...

随机推荐

  1. 禁用 Python GC,Instagram 性能提升10%

    通过关闭 Python 垃圾收集(GC)机制,该机制通过收集和释放未使用的数据来回收内存,Instagram 的运行效率提高了 10 %.是的,你没听错!通过禁用 GC,我们可以减少内存占用并提高 C ...

  2. MathExam第二次作业(升级版)

    MathExamLv2——林华伟 211506319 陈珍 211406263   一.预估与实际 PSP2.1 Personal Software Process Stages 预估耗时(分钟) 实 ...

  3. Unicode 和 UTF-8 有何区别

    作者:于洋链接:https://www.zhihu.com/question/23374078/answer/69732605来源:知乎著作权归作者所有,转载请联系作者获得授权. ========== ...

  4. C/C++学习计划

    学习内容:C语言程序设计精髓/计算机程序设计(C++) 学习理由:基础比较薄弱,想先打好基础. 时间安排:每天学习两课时. mooc地址:http://www.icourse163.org/home. ...

  5. 软工1816 · 第八次作业(课堂实战)- 项目UML设计(团队)

    本次作业博客 团队信息 队名:起床一起肝活队 原组长: 白晨曦(101) 原组员: 李麒 (123) 陈德斌(104) 何裕捷(214) 黄培鑫(217) 王焕仁(233) 林志华(128) 乐忠豪( ...

  6. 03_Java基础语法_第3天(Scanner、Random、流程控制语句)_讲义

    今日内容介绍 1.引用类型变量的创建及使用 2.流程控制语句之选择语句 3.流程控制语句之循环语句 4.循环高级 01创建引用类型变量公式 * A: 创建引用类型变量公式 * a: 我们要学的Scan ...

  7. Java try catch

    /*   异常处理的捕捉形式: 这是可以对异常进行针对性处理的方式.   具体格式是: try { //需要被检测异常的代码. } catch(异常类 变量)//该变量用于接收发生的异常对象 { // ...

  8. 开发环境解决 kafka Failed to send messages after 3 tries

    新建了一个kafka集群,在window下写了一个简单的producer做测试,结果遇到了消息发送失败的问题,代码如下: Properties props = new Properties(); pr ...

  9. Servlet处理表单

  10. PAT 甲级 1020 Tree Traversals

    https://pintia.cn/problem-sets/994805342720868352/problems/994805485033603072 Suppose that all the k ...