Preface

Operators usually work in the dashboard as an administrator, but when the dashboard has to be handed to other colleagues they should get an account with fewer privileges.
This article creates a new ServiceAccount that can view resources in every namespace but cannot modify them; write access is limited to the namespace the account lives in.

1. Create a user that can view the whole dashboard

1.1 Create the namespace

kubectl create namespace test

1.2. Create the ServiceAccount

serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    addonmanager.kubernetes.io/mode: Reconcile
  name: kubernetes-dashboard-test
  namespace: test

1.3. Create the ClusterRole

clusterrole.yaml

# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; use v1
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubernetes-dashboard-list
rules:
  # read-only verbs on every resource in every API group (this includes Secrets, see below)
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]

1.4. Bind the ClusterRole to the ServiceAccount

clusterrolebinding.yaml

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-test
subjects:
  # a ServiceAccount subject is always qualified by its namespace
  - kind: ServiceAccount
    name: kubernetes-dashboard-test
    namespace: test
roleRef:
  kind: ClusterRole
  name: kubernetes-dashboard-list
  apiGroup: rbac.authorization.k8s.io

1.5. Apply the manifests to the cluster and look up the token Secret

Logging into the dashboard with this account's token now shows the resources of every namespace while every write is refused. Note, however, that get/list/watch on every resource also covers Secrets, so this "read-only" account can read every Secret in the cluster, including the token Secrets of more privileged ServiceAccounts. If that is not intended, list the resources explicitly instead of using "*", or bind the built-in `view` ClusterRole, which deliberately excludes Secrets.

# kubectl apply -f serviceaccount.yaml
# kubectl apply -f clusterrole.yaml
# kubectl apply -f clusterrolebinding.yaml

-- the token Secret that was generated for the ServiceAccount
# kubectl get secret -n test
NAME                                    TYPE                                  DATA   AGE
default-token-pftt4                     kubernetes.io/service-account-token   3      59m
kubernetes-dashboard-test-token-p8vb6   kubernetes.io/service-account-token   3      49m
# kubectl describe secret kubernetes-dashboard-test-token-p8vb6 -n test
Name:         kubernetes-dashboard-test-token-p8vb6
Namespace:    test
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: kubernetes-dashboard-test
              kubernetes.io/service-account.uid: e071a0de-f11b-4946-a816-34fbb0271ded

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1346 bytes
namespace:  4 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldG.......(omitted)

The token in this Secret never expires; the only way to revoke it is to delete the Secret (or the ServiceAccount). Since Kubernetes 1.24 such a Secret is no longer created automatically with the ServiceAccount. Request a short-lived token with `kubectl create token kubernetes-dashboard-test -n test` instead, or, if a long-lived token is really required, create a Secret of type kubernetes.io/service-account-token annotated with kubernetes.io/service-account.name: kubernetes-dashboard-test and the controller will fill it in.
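Before pasting a token into the dashboard or handing it to a colleague it is worth checking whose token it is and whether it expires. The following inspector is an added example, not code from the original post: it decodes the JWT payload only (signature verification is the API server's job) and handles both the legacy flat `kubernetes.io/serviceaccount/*` claims found in a token Secret and the nested `kubernetes.io` claims of a bound token from `kubectl create token`. The two sample tokens are constructed inside the block with a dummy signature; `make_token`, `describe` and `belongs_to` are names chosen for this example.

```python
"""Inspect a ServiceAccount token before using or sharing it.

Added example, not code from the original post. Legacy tokens stored in a
kubernetes.io/service-account-token Secret carry flat
kubernetes.io/serviceaccount/* claims and no exp; bound tokens issued by
`kubectl create token` nest them under "kubernetes.io" and always carry exp.
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it or urlsafe_b64decode raises
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_payload(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def describe(token: str) -> dict:
    """Who the token belongs to, which namespace it is scoped to, and whether it expires."""
    claims = token_payload(token)
    legacy = "kubernetes.io/serviceaccount/service-account.name" in claims
    if legacy:
        namespace = claims["kubernetes.io/serviceaccount/namespace"]
        name = claims["kubernetes.io/serviceaccount/service-account.name"]
    else:
        k8s = claims.get("kubernetes.io", {})
        namespace = k8s.get("namespace")
        name = k8s.get("serviceaccount", {}).get("name")
    return {
        "subject": claims.get("sub"),
        "namespace": namespace,
        "service_account": name,
        "expires": claims.get("exp"),  # None: valid until the Secret is deleted
        "legacy_secret_token": legacy,
    }


def belongs_to(token: str, namespace: str, service_account: str) -> bool:
    """True when the token was issued for exactly this ServiceAccount."""
    info = describe(token)
    return (info["namespace"] == namespace
            and info["service_account"] == service_account
            and info["subject"] == f"system:serviceaccount:{namespace}:{service_account}")


def make_token(payload: dict) -> str:
    # Constructed for the example: a real token is RS256-signed by the API server.
    header = {"alg": "RS256", "kid": "example-key"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"dummy-signature")])


# Constructed sample of the legacy token held in the Secret shown above.
LEGACY_TOKEN = make_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "test",
    "kubernetes.io/serviceaccount/secret.name": "kubernetes-dashboard-test-token-p8vb6",
    "kubernetes.io/serviceaccount/service-account.name": "kubernetes-dashboard-test",
    "kubernetes.io/serviceaccount/service-account.uid": "e071a0de-f11b-4946-a816-34fbb0271ded",
    "sub": "system:serviceaccount:test:kubernetes-dashboard-test",
})

# Constructed sample of a bound token as `kubectl create token` would issue it.
BOUND_TOKEN = make_token({
    "aud": ["https://kubernetes.default.svc"],
    "exp": 1700003600, "iat": 1700000000,
    "iss": "https://kubernetes.default.svc",
    "kubernetes.io": {"namespace": "test",
                      "serviceaccount": {"name": "kubernetes-dashboard-test",
                                         "uid": "e071a0de-f11b-4946-a816-34fbb0271ded"}},
    "sub": "system:serviceaccount:test:kubernetes-dashboard-test",
})

if __name__ == "__main__":
    for label, tok in (("legacy", LEGACY_TOKEN), ("bound", BOUND_TOKEN)):
        print(label, describe(tok))
```

A token whose `expires` comes back as None is a legacy Secret token: if it leaks, deleting the Secret is the only revocation, which is the reason to prefer `kubectl create token` for dashboard logins.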

2. Grant the user read-write permission on the test namespace

Note that a Role and its RoleBinding are namespaced objects: both must live in the namespace where the permissions are to apply (test), and the RoleBinding can only reference a Role from that same namespace (or a ClusterRole). The ServiceAccount itself is qualified by its namespace in `subjects`, so it could live elsewhere; in this article it is in test as well.

2.1. Create the Role

role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubernetes-dashboard-select
  namespace: test
rules:
  # every verb on every resource, but only inside the test namespace
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]

2.2. Bind the Role to the ServiceAccount with a RoleBinding

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-test
  namespace: test
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard-test
    namespace: test
roleRef:
  kind: Role
  name: kubernetes-dashboard-select
  apiGroup: rbac.authorization.k8s.io
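The two bindings above are easiest to reason about by replaying the API server's RBAC decision for a few requests, which is what `kubectl auth can-i --as=system:serviceaccount:test:kubernetes-dashboard-test ...` does against a live cluster. The following offline model is an added example, not code from the original post or from Kubernetes: the ClusterRole, Role and both bindings from this page are transcribed as Python dicts, the evaluator applies the documented matching rules (a verb, apiGroup or resource matches when the rule lists it or lists "*"; a ClusterRoleBinding applies everywhere; a RoleBinding applies only inside its own namespace and must reference a Role of that namespace or a ClusterRole), and an abbreviated stand-in for the built-in `view` ClusterRole is included (assumption: only a few of its rules) to show why it is the safer choice for the cluster-wide read. The function names are chosen for the example.

```python
"""Offline model of the RBAC decision for the ServiceAccount on this page.

Added example, not code from the original post or from Kubernetes itself.
"""

SA = "system:serviceaccount:test:kubernetes-dashboard-test"

CLUSTER_ROLES = {
    # clusterrole.yaml from the page: read every resource in every API group
    "kubernetes-dashboard-list": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    ],
    # Abbreviated stand-in for the built-in aggregated "view" ClusterRole
    # (assumption: only a few of its rules). The point is that it omits secrets.
    "view": [
        {"apiGroups": [""], "resources": ["pods", "services", "configmaps"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Roles are namespaced, so they are keyed by (namespace, name).
ROLES = {
    # role.yaml from the page: every verb on every resource, inside test only
    ("test", "kubernetes-dashboard-select"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
}

# namespace=None marks a ClusterRoleBinding; a string marks a RoleBinding.
BINDINGS = [
    {"namespace": None, "subject": SA,
     "roleRef": ("ClusterRole", "kubernetes-dashboard-list")},
    {"namespace": "test", "subject": SA,
     "roleRef": ("Role", "kubernetes-dashboard-select")},
]


def _matches(listed, wanted):
    return "*" in listed or wanted in listed


def rule_allows(rule, verb, group, resource):
    return (_matches(rule["verbs"], verb)
            and _matches(rule["apiGroups"], group)
            and _matches(rule["resources"], resource))


def allowed(subject, verb, resource, namespace, group="", bindings=BINDINGS,
            cluster_roles=CLUSTER_ROLES, roles=ROLES):
    """namespace=None means a cluster-scoped request (nodes, clusterrolebindings, ...)."""
    for binding in bindings:
        if binding["subject"] != subject:
            continue
        if binding["namespace"] is not None and binding["namespace"] != namespace:
            continue  # a RoleBinding never reaches outside its own namespace
        kind, name = binding["roleRef"]
        if kind == "ClusterRole":
            rules = cluster_roles.get(name, [])
        else:
            # a RoleBinding may only reference a Role from its own namespace
            rules = roles.get((binding["namespace"], name), [])
        if any(rule_allows(r, verb, group, resource) for r in rules):
            return True
    return False  # RBAC is deny-by-default: no matching rule, no access


def with_view_instead():
    """Same subject, but the cluster-wide binding points at the built-in view role."""
    return [dict(BINDINGS[0], roleRef=("ClusterRole", "view")), BINDINGS[1]]


def summary():
    """The checks a practitioner would otherwise run with kubectl auth can-i."""
    return {
        "list pods in prod": allowed(SA, "list", "pods", "prod"),
        "create pods in prod": allowed(SA, "create", "pods", "prod"),
        "create pods in test": allowed(SA, "create", "pods", "test"),
        "delete deployments in test": allowed(SA, "delete", "deployments", "test", group="apps"),
        "list nodes (cluster-scoped)": allowed(SA, "list", "nodes", None),
        "create clusterrolebindings": allowed(
            SA, "create", "clusterrolebindings", None, group="rbac.authorization.k8s.io"),
        # the caveat from section 1.5: "read-only on *" includes every Secret
        "get secrets in kube-system": allowed(SA, "get", "secrets", "kube-system"),
        "get secrets in kube-system with view": allowed(
            SA, "get", "secrets", "kube-system", bindings=with_view_instead()),
    }


if __name__ == "__main__":
    for check, ok in summary().items():
        print("yes" if ok else "no ", check)
```

The last two entries of `summary()` are the ones to look at: with the page's ClusterRole the account can read Secrets in kube-system, with `view` in its place it cannot, while the namespace-scoped write access from section 2 is unaffected either way.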