In day-to-day Kubernetes administration there are essentially two ways of working: the command line (kubectl) and a graphical interface (dashboard). The dashboard provided by the Kubernetes project lets cluster administrators, company developers and operations staff manage the cluster graphically: view logs, run commands in containers, and create, read, update or delete resources. Other graphical management tools exist as well; kubeboard is a good open-source option.
In practice, however, we do not want every user to hold administrator privileges, nor do we want members of project team A accessing project team B's resources. This is where Kubernetes' RBAC authorization comes in.
The approach is: create a namespace named after the project, create a ServiceAccount of the same name, create Roles, ClusterRoles, RoleBindings and ClusterRoleBindings carrying the appropriate permissions, and bind them to the ServiceAccount. The corresponding staff then hold exactly the management rights they need.
Example implementation
1. Create a test namespace
```bash
kubectl create ns kube-rbac-test
```
2. Create a ServiceAccount
```bash
kubectl create sa rbac-teat -n kube-rbac-test
```
3. Create cluster roles
3.1 A view role for the whole cluster
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-viewonly
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - nodes
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  - volumeattachments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  - roles
  - rolebindings
  verbs:
  - get
  - list
  - watch
```
3.2 Permission to view pod logs and run commands in pods
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-log-exec
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
```
3.3 Cluster-wide read-only access to namespaces
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-readonly
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
```
4. Grant the permissions
4.1 Use a ClusterRoleBinding to grant the permission to list namespaces to every ServiceAccount in the kube-rbac-test namespace; every SA account in that namespace then has this view permission. All ServiceAccounts of a namespace are addressed through the implicit group system:serviceaccounts:<namespace>, so the binding uses --group rather than --serviceaccount:
```bash
kubectl create clusterrolebinding namespace-readonly --clusterrole=namespace-readonly --group=system:serviceaccounts:kube-rbac-test
```
4.2 Use a RoleBinding to grant the relevant permissions to the specific user (the binding is scoped to the kube-rbac-test namespace even though it references a ClusterRole)
```bash
kubectl create rolebinding sa-test-rbac --clusterrole=pod-log-exec --serviceaccount=kube-rbac-test:rbac-teat -n kube-rbac-test
```
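As an added example (not from the original post), here is a small Python model of how the RBAC authorizer evaluates the ClusterRoles and bindings created in sections 3.2, 3.3 and 4, so their scoping can be checked offline: the RoleBinding grants exec only inside kube-rbac-test, while the ClusterRoleBinding to the implicit group system:serviceaccounts:kube-rbac-test grants namespace listing cluster-wide. Role, binding and account names are the page's; the evaluator itself is a simplification and not kube-apiserver code.

```python
# Added example, not part of the original post: a small model of how the
# Kubernetes RBAC authorizer evaluates the ClusterRoles and bindings created in
# sections 3.2, 3.3 and 4. It mirrors the real semantics (deny by default,
# additive rules, a RoleBinding limited to its namespace, the implicit group
# system:serviceaccounts:<ns>) but is not kube-apiserver code; aggregation and
# nonResourceURLs are omitted.

SA = "system:serviceaccount:kube-rbac-test:rbac-teat"
# Groups the API server attaches to every token issued for this ServiceAccount
SA_GROUPS = {"system:serviceaccounts", "system:serviceaccounts:kube-rbac-test",
             "system:authenticated"}

# rule = (apiGroups, resources, verbs); "" is the core API group
CLUSTER_ROLES = {
    "pod-log-exec": [({""}, {"pods", "pods/log"}, {"get", "list"}),
                     ({""}, {"pods/exec"}, {"create"})],  # exec is a POST
    "namespace-readonly": [({""}, {"namespaces"}, {"get", "list", "watch"}),
                           ({"metrics.k8s.io"}, {"pods"}, {"get", "list", "watch"})],
}

# (kind, namespace or None for cluster-wide, roleRef, subjects) as in section 4
BINDINGS = [
    ("ClusterRoleBinding", None, "namespace-readonly",
     {"system:serviceaccounts:kube-rbac-test"}),              # --group=...
    ("RoleBinding", "kube-rbac-test", "pod-log-exec", {SA}),  # --serviceaccount=...
]

def rule_allows(rule, api_group, resource, verb):
    groups, resources, verbs = rule
    return (("*" in groups or api_group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))

def can_i(user, groups, verb, resource, namespace=None, api_group=""):
    """True if some binding names the subject, covers the request's scope and
    references a role with a matching rule. Nothing matching means denied; RBAC
    has no deny rules, so a RoleBinding can never narrow a ClusterRoleBinding."""
    subjects = {user} | set(groups)
    for kind, bind_ns, role, bound in BINDINGS:
        if not subjects & bound:
            continue
        # A RoleBinding only grants inside its own namespace; cluster-scoped
        # requests (namespace=None) can only be satisfied by a ClusterRoleBinding
        if kind == "RoleBinding" and bind_ns != namespace:
            continue
        if any(rule_allows(r, api_group, resource, verb) for r in CLUSTER_ROLES[role]):
            return True
    return False
```

On a real cluster the equivalent check is `kubectl auth can-i create pods/exec --as=system:serviceaccount:kube-rbac-test:rbac-teat -n kube-rbac-test`, which asks the API server's own authorizer instead of this model.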
5. Log in with the token
```bash
kubectl describe serviceaccount rbac-teat -n kube-rbac-test
# Read the token from the ServiceAccount's token Secret
kubectl -n kube-rbac-test describe $(kubectl -n kube-rbac-test get secret -o name | grep rbac-teat) | grep token
# On Kubernetes 1.24 and later a token Secret is no longer created automatically;
# request a token with: kubectl create token rbac-teat -n kube-rbac-test
```
6. Create a kubeconfig from the token
```bash
# 1. Configure the cluster (ca.pem is the cluster CA certificate; adjust the API server address)
kubectl config set-cluster kubernetes-dashboard-viewonly \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --server=https://10.10.20.60:6443 \
  --kubeconfig=dashboard-viewonly-kubeconfig
# 2. Configure the user's token ($token holds the token obtained in step 5)
kubectl config set-credentials kubernetes-dashboard-viewonly --token=$token --kubeconfig=dashboard-viewonly-kubeconfig
# 3. Configure the context
kubectl config set-context kubernetes-dashboard-viewonly \
  --cluster=kubernetes-dashboard-viewonly \
  --user=kubernetes-dashboard-viewonly \
  --kubeconfig=dashboard-viewonly-kubeconfig
# 4. Set the default context
kubectl config use-context kubernetes-dashboard-viewonly --kubeconfig=dashboard-viewonly-kubeconfig
```