In the development environment we create application deployment and management permissions for developers. They can log in with the dashboard token and a kubeconfig file, and with the kubectl command installed on their own machines they can also use kubectl port-forward.
Because we use both the dashboard and kubeapps, RBAC permissions for both have to be granted.
Create the namespace: dev
Create the ServiceAccount: dev-user1
Grant the required permissions and bind them to the ServiceAccount: kubectl apply -f dev-user1.yaml
---
# ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-user1
  namespace: dev
---
# role
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: role-dev-user1
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "delete", "update", "patch"]
- apiGroups: [""]
  resources: ["pods/portforward", "pods/proxy"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list", "watch", "delete"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps", "extensions"]
  resources: ["replicasets"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["persistentvolumeclaims"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["daemonsets"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["cronjobs"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["replicationcontrollers"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["statefulsets"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["get", "watch", "list"]
---
# role bind
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-bind-dev-user1
  namespace: dev
subjects:
- kind: ServiceAccount
  name: dev-user1
  namespace: dev
roleRef:
  kind: Role
  name: role-dev-user1
  apiGroup: rbac.authorization.k8s.io
#---
## clusterrole
#kind: ClusterRole
#apiVersion: rbac.authorization.k8s.io/v1
#metadata:
#  namespace: dev
#  name: clusterrole-dev-user1
#rules:
#- apiGroups: [""]
#  resources: ["namespaces"]
#  verbs: ["get", "watch", "list"]
#
#---
## clusterrole bind
#kind: ClusterRoleBinding
#apiVersion: rbac.authorization.k8s.io/v1
#metadata:
#  name: clusterrole-bind-dev-user1
#  namespace: dev
#subjects:
#- kind: ServiceAccount
#  name: dev-user1
#  namespace: dev
#roleRef:
#  kind: ClusterRole
#  name: clusterrole-dev-user1
#  apiGroup: rbac.authorization.k8s.io
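Before a Role like the one above is handed to developers it is worth checking, from the manifest alone, exactly what it grants. The following is an added example written for this page (it is not code from the original post) that reproduces the matching rules the kube-apiserver RBAC authorizer applies to a PolicyRule: apiGroups, resources including subresources and the "*/subresource" form, and verbs, with "*" as the wildcard. RULES is a constructed subset of role-dev-user1; the configmaps rule deliberately keeps the "pathch" typo that appeared in the posted YAML, to show what the verb check reports.

```python
"""Offline evaluation of a Kubernetes Role's rules (added example).

RULES is a constructed subset of the post's role-dev-user1. The configmaps
rule keeps the "pathch" typo on purpose; RBAC validation accepts any
non-empty verb string, so such a typo is not rejected on apply, it just
silently grants nothing.
"""

# Verbs the API server actually generates for resource requests.
KNOWN_VERBS = {"get", "list", "watch", "create", "update", "patch",
               "delete", "deletecollection"}

RULES = [
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["get", "list", "watch", "delete", "update", "patch"]},
    {"apiGroups": [""], "resources": ["pods/portforward", "pods/proxy"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["pods/log"],
     "verbs": ["get", "list", "watch", "delete"]},
    {"apiGroups": ["extensions", "apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["secrets"],
     "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["configmaps"],
     "verbs": ["get", "watch", "list", "create", "update", "pathch", "delete"]},
]


def _group_matches(rule_groups, group):
    return "*" in rule_groups or group in rule_groups


def _verb_matches(rule_verbs, verb):
    return "*" in rule_verbs or verb in rule_verbs


def _resource_matches(rule_resources, resource):
    """'*' matches everything; otherwise an exact match on 'resource' or
    'resource/subresource'. A rule entry of the form '*/sub' matches that
    subresource of any resource; that is the only partial wildcard RBAC has
    ('pods/*' is NOT supported and would match nothing)."""
    if "*" in rule_resources or resource in rule_resources:
        return True
    if "/" in resource:
        sub = resource.split("/", 1)[1]
        return "*/" + sub in rule_resources
    return False


def can_i(rules, verb, resource, api_group=""):
    """True if any rule grants verb on resource within api_group ("" = core)."""
    return any(
        _group_matches(r.get("apiGroups", []), api_group)
        and _resource_matches(r.get("resources", []), resource)
        and _verb_matches(r.get("verbs", []), verb)
        for r in rules
    )


def unknown_verbs(rules):
    """(rule index, verb) pairs for verbs the API server never issues."""
    return [(i, v) for i, r in enumerate(rules)
            for v in r.get("verbs", []) if v != "*" and v not in KNOWN_VERBS]


def sensitive_grants(rules):
    """Grants that deserve a second look before the role is handed out."""
    checks = [
        ("read secrets", "get", "secrets", ""),
        ("port-forward into pods", "create", "pods/portforward", ""),
        ("exec into pods", "create", "pods/exec", ""),
        ("read pod logs", "get", "pods/log", ""),
    ]
    return [label for label, verb, res, grp in checks
            if can_i(rules, verb, res, grp)]


if __name__ == "__main__":
    print("can create pods/portforward:", can_i(RULES, "create", "pods/portforward"))
    print("can patch configmaps:", can_i(RULES, "patch", "configmaps"))
    print("unknown verbs:", unknown_verbs(RULES))
    print("review:", sensitive_grants(RULES))
```

Against the real cluster the same question is answered by kubectl auth can-i, impersonating the ServiceAccount, for example kubectl auth can-i create pods/portforward -n dev --as=system:serviceaccount:dev:dev-user1. The offline version is useful in CI, where the manifest exists but the cluster does not, and it catches the silent "pathch" case that a live check would only reveal as an unexpected "no".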
Kubeapps permissions:
kubectl apply -f https://raw.githubusercontent.com/kubeapps/kubeapps/master/docs/user/manifests/kubeapps-applications-read.yaml
kubectl create -n dev rolebinding dev-user1-view \
  --clusterrole=kubeapps-applications-read \
  --serviceaccount dev:dev-user1

export KUBEAPPS_NAMESPACE=kubeapps
kubectl apply -n $KUBEAPPS_NAMESPACE -f https://raw.githubusercontent.com/kubeapps/kubeapps/master/docs/user/manifests/kubeapps-repositories-read.yaml
kubectl create -n dev rolebinding dev-user1-edit \
  --clusterrole=edit \
  --serviceaccount dev:dev-user1
kubectl create -n $KUBEAPPS_NAMESPACE rolebinding dev1-user1-kubeapps-repositories-read \
  --role=kubeapps-repositories-read \
  --serviceaccount dev:dev-user1
Obtaining the token:
kubectl get -n dev secret $(kubectl get -n dev serviceaccount dev-user1 -o jsonpath='{.secrets[].name}') -o jsonpath='{.data.token}' | base64 --decode
Accessing kube-apiserver with the token
# Create the kubectl config file
# Set the cluster parameters
kubectl config set-cluster kubernetes \
  --insecure-skip-tls-verify=true \
  --server="https://192.168.105.99:8443"
# Set the client authentication parameters
kubectl config set-credentials dev-user1 \
  --token='<token obtained above>'
# Set the context parameters
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=dev-user1 \
  --namespace=dev
# Set the default context
kubectl config use-context kubernetes
Note
When writing the kubeconfig, pass --kubeconfig=configpath to write to a separate path so that your existing configuration is not overwritten.
Alternatively, create the config file directly and edit its contents.
apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://192.168.105.99:8443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: dev
    user: dev-user1
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: dev-user1
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZXYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiZGV2LXVzZXIxLXRva2VuLTJsbDlnIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZX291bnQubmFtZSI6ImRldi11c2VyMSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjdiY2Q4N2E1LWM0NGEtMTFlOC1iY2I5LTAwMGMyOWVhM2UzMCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZXY6ZGV2LXVzZXIxIn0.1M84CPHY-GoyeaRFyBcD49GTwG5o0HMhN8lVsH9GDiqdui-1ppyi3JMONRJ9aWdswEF7-wsb5d4MQEk-9z5yiVh2r8SMP0EhcUR5ierntzD1bwwwuYzDxE4vHAuPB1tTxM0fOL3H-BOjt68iBKmOtRJumx8LzSUleQiNBBqR1B_yRLqrO6yslw44WC432O5g1v
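The config file above is what gets copied to every developer's machine, so it is worth linting it before it is handed out. The following added example (written for this page, not code from the original post) checks the settings of the current context and produces a hardened copy. It works on the kubeconfig already loaded into a dict, which is the shape yaml.safe_load gives for the YAML file; SAMPLE is a constructed copy of the config above with the token replaced by a placeholder, and the ca_data_b64 argument of harden is assumed to be the cluster CA certificate in the base64 PEM form kubectl stores under certificate-authority-data.

```python
"""Lint a developer kubeconfig and produce a hardened copy (added example).

SAMPLE is a constructed copy of the post's config; the token is a placeholder.
"""
import copy

SAMPLE = {
    "apiVersion": "v1",
    "kind": "Config",
    "preferences": {},
    "clusters": [
        {"name": "kubernetes",
         "cluster": {"insecure-skip-tls-verify": True,
                     "server": "https://192.168.105.99:8443"}},
    ],
    "contexts": [
        {"name": "kubernetes",
         "context": {"cluster": "kubernetes", "namespace": "dev",
                     "user": "dev-user1"}},
    ],
    "current-context": "kubernetes",
    "users": [
        {"name": "dev-user1", "user": {"token": "<service-account-token>"}},
    ],
}


def _named(entries, name):
    """Look up an entry by name in a kubeconfig list (clusters/contexts/users)."""
    for entry in entries:
        if entry.get("name") == name:
            return entry
    return None


def lint_kubeconfig(cfg):
    """Return (severity, message) findings for the current context."""
    findings = []
    ctx_entry = _named(cfg.get("contexts", []), cfg.get("current-context"))
    if ctx_entry is None:
        return [("error", "current-context does not name an existing context")]
    ctx = ctx_entry.get("context", {})

    cluster_entry = _named(cfg.get("clusters", []), ctx.get("cluster"))
    if cluster_entry is None:
        findings.append(("error", "context refers to an unknown cluster"))
    else:
        cluster = cluster_entry.get("cluster", {})
        if cluster.get("insecure-skip-tls-verify"):
            findings.append(("high", "insecure-skip-tls-verify is true: the API "
                             "server certificate is never checked, so the token "
                             "can be sent to a spoofed endpoint; pin the CA with "
                             "certificate-authority-data instead"))
        if not cluster.get("server", "").startswith("https://"):
            findings.append(("high", "server is not https: the bearer token "
                             "would travel in clear text"))

    if not ctx.get("namespace"):
        findings.append(("low", "no default namespace: every command needs -n"))

    user_entry = _named(cfg.get("users", []), ctx.get("user"))
    if user_entry is None:
        findings.append(("error", "context refers to an unknown user"))
    elif "token" in user_entry.get("user", {}):
        findings.append(("info", "static bearer token embedded: the file itself "
                         "is a credential; store and rotate it as a secret"))
    return findings


def harden(cfg, ca_data_b64):
    """Copy of cfg with TLS verification enabled against the given CA
    (ca_data_b64: base64 PEM as stored in certificate-authority-data)."""
    out = copy.deepcopy(cfg)
    for entry in out.get("clusters", []):
        cluster = entry.setdefault("cluster", {})
        cluster.pop("insecure-skip-tls-verify", None)
        cluster["certificate-authority-data"] = ca_data_b64
    return out


if __name__ == "__main__":
    for sev, msg in lint_kubeconfig(SAMPLE):
        print(f"[{sev}] {msg}")
    print("after hardening:", lint_kubeconfig(harden(SAMPLE, "<base64-ca-pem>")))
```

The CA value to pass to harden is the same certificate-authority-data the admin kubeconfig already carries for the cluster, so the developer file can verify the API server without --insecure-skip-tls-verify; the static token finding stays, because a service-account secret token has no expiry and the only way to revoke it is to replace the token secret.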
Windows kubectl
Installing the command
Download the command:
Then place it in a directory on the system PATH, for example c:\Windows.
The kubeconfig file
The kubeconfig file is the config file generated above. Name it config and place it under ~/.kube/ (~ is the user's home directory), because kubectl reads that file by default; otherwise every kubectl command needs --kubeconfig=configpath to point at it.
kubectl get pod -n dev
kubectl port-forward svc/dev-mysql-mysqlha 3306:3306 -n dev
Reposted from: https://blog.51cto.com/ygqygq2/2300960