K8S dashboard 创建只读账户
1.创建名字为“Dashboard-viewonly“的Cluster Role,各种资源只给予了list,get,watch的权限。dashboard-viewonly.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: dashboard-viewonly
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- persistentvolumeclaims
- pods
- replicationcontrollers
- replicationcontrollers/scale
- serviceaccounts
- services
- nodes
- persistentvolumeclaims
- persistentvolumes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- bindings
- events
- limitranges
- namespaces/status
- pods/log
- pods/status
- replicationcontrollers/status
- resourcequotas
- resourcequotas/status
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- deployments/scale
- replicasets
- replicasets/scale
- statefulsets
verbs:
- get
- list
- watch
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- get
- list
- watch
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- daemonsets
- deployments
- deployments/scale
- ingresses
- networkpolicies
- replicasets
- replicasets/scale
- replicationcontrollers/scale
verbs:
- get
- list
- watch
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
- volumeattachments
verbs:
- get
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
- clusterroles
- roles
- rolebindings
verbs:
- get
- list
- watch
2.创建名字为vss-read的service account,并且绑定这个sa到dashboard-viewonly这个clusterRole。vss-read.yaml
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: vss-read
labels:
k8s-app: vss-read
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dashboard-viewonly
subjects:
- kind: ServiceAccount
name: vss-read
namespace: kube-system
3. 查看现有dashboard的配置
$ kubectl get pods -n kube-system |grep dashboard
kubernetes-dashboard-6c664cf6c5-gfckr / Running 20d
$ kubectl describe svc kubernetes-dashboard -n kube-system
Name: kubernetes-dashboard
Namespace: kube-system
Labels: k8s-app=kubernetes-dashboard
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":...
Selector: k8s-app=kubernetes-dashboard
Type: ClusterIP
IP: 100.71.200.102
Port: <unset> /TCP
TargetPort: /TCP
Endpoints: 100.98.177.79:
Session Affinity: None
Events: <none>$ kubectl get service -n kube-system -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
cluster-autoscaler----aws-cluster-autoscaler ClusterIP 100.68.131.0 <none> /TCP 47d app=aws-cluster-autoscaler,release=cluster-autoscaler---
kube-dns ClusterIP 100.64.0.10 <none> /UDP,/TCP 227d k8s-app=kube-dns
kube-state-metrics ClusterIP 100.70.246.130 <none> /TCP 181d app=kube-state-metrics,release=kube-state-metrics
kubernetes-dashboard ClusterIP 100.71.200.102 <none> /TCP 112d k8s-app=kubernetes-dashboard
metrics-server ClusterIP 100.67.89.201 <none> /TCP 167d k8s-app=metrics-server
tiller-deploy ClusterIP 100.65.225.136 <none> /TCP 227d app=helm,name=tiller
$ kubectl get service -n kube-system -o wide |grep dashboard
kubernetes-dashboard ClusterIP 100.71.200.102 <none> /TCP 112d k8s-app=kubernetes-dashboard
4.应用这两个yaml文件到K8S集群环境中
$ kubectl apply -f dashboard-viewonly.yaml
$ kubectl apply -f vss-read.yaml
5.查看vss-read用户的token全名
$ kubectl describe serviceaccount vss-read -n kube-system
Name: vss-read
Namespace: kube-system
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"vss-read","namespace":"kube-system"}} Image pull secrets: <none>
Mountable secrets: vss-read-token-zs89w
Tokens: vss-read-token-zs89w
Events: <none>
6.查看token值
$ kubectl describe secret vss-read-token-zs89w -n kube-system
Name: vss-read-token-zs89w
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name=vss-read
kubernetes.io/service-account.uid=f7b82f23-0e83-11e9-8b41-02351c31ffae Type: kubernetes.io/service-account-token Data
====
ca.crt: bytes
namespace: bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJ2c3MtcmVhZC10b2tlbi16czg5dyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ2c3MtcmVhZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImY3YjgyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaNt3KDsgaaaaaaaaaaaaaaaaaaaa
7.通过这个token值来登录K8S,dashboard
参考:
https://www.cnblogs.com/fengzhihai/p/9851470.html
https://www.cnblogs.com/linuxk/p/9783510.html
K8S dashboard 创建只读账户的更多相关文章
- Mysql 创建只读账户
mysql 创建只读账户: 1.查询所有账号信息 SELECT DISTINCT a.`User`,a.`Host`,a.password_expired,a.password_last_change ...
- PostgreSQL创建只读账户
目前PostgreSQL并不能像MySQL一样直接对某个数据库赋予只读权限,现实中有研发需要新建一个用户然后赋予对某个数据库只读权限. 举例说明如何创建 用edbstore用户连接edbstore数据 ...
- Azure SQL Database (25) Azure SQL Database创建只读用户
<Windows Azure Platform 系列文章目录> 本文将介绍如何在Azure SQL Database创建只读用户. 请先按照笔者之前的文章:Azure SQL Databa ...
- 给你的Kubernetes集群建一个只读账户(防止高管。。。后)
给你的Kubernetes集群建一个只读账户 需求:我们知道搭完k8s集群会创建一个默认的管理员kubernetes-admin用户该用户拥有所以权限,有一天开发或测试的同学需要登录到k8s集群了解业 ...
- 【k8s】在AWS EKS部署并通过ALB访问k8s Dashboard保姆级教程
本教程适用范围 在AWS上使用EKS服务部署k8s Dashboard,并通过ALB访问 EKS集群计算节点采用托管EC2,并使用启动模板. 使用AWS海外账号,us-west-2区域 使用账号默认v ...
- kubernetes高级之创建只读文件系统以及只读asp.net core容器
系列目录 使用docker创建只读文件系统 容器化部署对应用的运维带来了极大的方便,同时也带来一些新的安全问题需要考虑.比如黑客入侵到容器内,对容器内的系统级别或者应用级别文件进行修改,会造成难以估量 ...
- Ubuntu下搭建Kubernetes集群(4)--部署K8S Dashboard
K8S Dashboard是官方的一个基于WEB的用户界面,专门用来管理K8S集群,并可展示集群的状态.K8S集群安装好后默认没有包含Dashboard,我们需要额外创建它. 首先我们执行命令: wg ...
- ORACLE权限管理—创建只读账号
创建只读用户:grant connect to user; grant create session to user; 1.创建角色 CREATE ROLE SELECT_ROLE 2.给角色分配权限 ...
- mssql instead of 触发器应用一-创建只读视图(view)的方法
转自: http://www.maomao365.com/?p=4906 <span style="color:white;background-color:blue;font-wei ...
随机推荐
- ExpressJS基础概念及简单Server架设
NodeJS Node.js 是一个基于 Chrome V8 引擎的 JavaScript 运行环境.Node.js 使用了一个事件驱动.非阻塞式 I/O 的模型,使其轻量又高效.Node.js 的包 ...
- rest_framework基础
简介 为什么要使用REST framework? Django REST framework 是一个强大且灵活的工具包,用以构建Web APIs. - 在线可视的API,对于赢得你的开发者们十分有用 ...
- sip鉴权认证算法详解及python加密
1. 认证和加密 认证(Authorization)的作用在于表明自己是谁,即向别人证明自己是谁.而相关的概念是MD5,用于认证安全.注意MD5仅仅是个hash函数而已,并不是用于加密.因为ha ...
- lamp一键配置 --转自秋水
https://teddysun.com/lamp LAMP一键安装脚本 最后修改于:2015年11月08日 / 秋水逸冰 / 54,300 次围观 973 本脚本适用环境: 系统支持:CentOS/ ...
- Easy ui DateBox 控件格式化显示操作
//Easy ui datebox 控件 <input class="easyui-datebox" name="StartTime" id=" ...
- Python:内建函数zip
1.语法 zip([iterable,...]) [说明]:iterable——一个或多个迭代器 2.功能 zip()函数用于将可迭代的对象作为参数,将对象中对应的元素打包成一个个的元组,然后返回由这 ...
- purcell的emacs配置中的自动补全功能开启
标记一下,原文参看purcell的emacs配置中的自动补全功能开启 修改init-auto-complete.el文件 ;;(setq-default ac-expand-on-auto-compl ...
- 数学口袋精灵感受与BUG
232朱杰 http://www.cnblogs.com/alfredzhu https://github.com/alfredzhu/ 组长,团队 230蔡京航 http://www.cnblogs ...
- [讲解]sql except和intersect运算符(比拟两个或多个select语句的结果并前去非重复值)
图 1 UNION 中若有重复的行,会被移除,只留下一个 1.简介 EXCEPT和INTERSECT运算符使您可以比较两个或多个SELECT语句的结果并返回非重复值. 2.区别 EXCEPT运算符返回 ...
- 第147天:web前端开发中的各种居中总结
一.水平居中 方法① :行内元素 (父元素)text-align,(子元素)inline-block .parent{text-align: center;} .child{display: inli ...