k8s account authorization with RBAC, and installing Kubepi


I. User authorization example

1. Create the target namespace

kubectl create ns user-ns

To make it the default namespace of the current context: kubectl config set-context --namespace user-ns --current. Everything created afterwards without an explicit namespace (the service account in step 2) then lands in user-ns, and the manifests in steps 3 to 5 must name that same namespace, otherwise the binding never matches the account.

2. Create the service account (sa)

kubectl create serviceaccount kubepi-user

Check: kubectl get sa

3. Create the role, role.yaml. apiGroups takes group names only: pods live in the core group, written as "", and deployments in "apps"; "apps/v1" is a group/version pair and would match nothing.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: user-ns
  name: user-role
rules:
  - apiGroups: [""]        # core API group; "*" would also match any other group's "pods" resource
    resources: ["pods"]
    verbs: ["*"]
  - apiGroups: ["apps"]    # group name only, not "apps/v1"
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Apply: kubectl apply -f role.yaml

Check: kubectl get role

4. Bind the sa account to the user-role role, vi role-bind.yaml. The RoleBinding, the Role and the ServiceAccount all have to sit in the same namespace (user-ns here); a subject that names a different namespace than the one the account was created in simply never matches, and RBAC reports no error. The original bound the built-in cluster-admin instead of user-role: if you really want that, cluster-admin is a ClusterRole, so roleRef must say kind: ClusterRole (with kind: Role it points at a Role that does not exist and grants nothing), and even then a RoleBinding confines it to the binding's namespace, while a ClusterRoleBinding would hand the Kubepi account full control of the cluster. Prefer the narrow Role from step 3.

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-bind
  namespace: user-ns
subjects:
  - kind: ServiceAccount
    name: kubepi-user
    namespace: user-ns
roleRef:
  kind: Role
  name: user-role
  apiGroup: rbac.authorization.k8s.io

Apply: kubectl apply -f role-bind.yaml

Check: kubectl get rolebindings.rbac.authorization.k8s.io -o yaml

5. Create a Secret of type service-account-token for the sa account, vi sa-token.yaml. Since Kubernetes 1.24 a token Secret is no longer created automatically with the ServiceAccount, so this manual Secret is what produces the long-lived token that Kubepi will store. Treat it as the account's password: anyone who reads the Secret has the account's permissions, and deleting the Secret is how you revoke it.

apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: kubepi-user-token
  namespace: user-ns
  annotations:
    kubernetes.io/service-account.name: "kubepi-user"

Apply: kubectl apply -f sa-token.yaml

Check: kubectl describe secrets kubepi-user-token | grep token (describe prints the token already base64-decoded, which is the form Kubepi expects)
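The five steps above as one script, added here as an example and not code from the original post or from the Kubepi project: it generates the Role, RoleBinding and token Secret with matching namespaces, applies them, uses kubectl auth can-i with impersonation to confirm the account gets exactly the intended permissions and nothing outside user-ns, prints the token, and checks a token's "sub" claim offline before it is pasted into a dashboard. The names follow the post; the output directory, the "apply" argument and the sample token (constructed, with a dummy header and signature) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post or KubePi). Assumed names follow
# the post; the output directory and the sample token below are constructed.
set -eu

NS=user-ns
SA=kubepi-user
ROLE=user-role
SECRET=kubepi-user-token

# Write role.yaml, rolebinding.yaml and sa-token.yaml into directory $1.
# Every object names $NS explicitly so the binding subject matches the SA.
render_manifests() {
  dir=$1
  mkdir -p "$dir"
  cat >"$dir/role.yaml" <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: $NS
  name: $ROLE
rules:
  - apiGroups: [""]      # core group, where pods live
    resources: ["pods"]
    verbs: ["*"]
  - apiGroups: ["apps"]  # group only; "apps/v1" is group/version and matches nothing
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
EOF
  cat >"$dir/rolebinding.yaml" <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-bind
  namespace: $NS
subjects:
  - kind: ServiceAccount
    name: $SA
    namespace: $NS
roleRef:
  kind: Role             # cluster-admin would need kind: ClusterRole
  name: $ROLE
  apiGroup: rbac.authorization.k8s.io
EOF
  cat >"$dir/sa-token.yaml" <<EOF
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: $SECRET
  namespace: $NS
  annotations:
    kubernetes.io/service-account.name: $SA
EOF
}

# Needs a cluster and kubectl. Run with: sh rbac.sh apply ./kubepi-rbac
apply_and_verify() {
  dir=$1
  render_manifests "$dir"
  kubectl create namespace "$NS" --dry-run=client -o yaml | kubectl apply -f -
  kubectl -n "$NS" create serviceaccount "$SA" --dry-run=client -o yaml | kubectl apply -f -
  kubectl apply -f "$dir"
  who="system:serviceaccount:$NS:$SA"
  # Impersonate the SA: the first two must answer "yes" (can-i exits 1 on "no").
  kubectl auth can-i list pods -n "$NS" --as="$who"
  kubectl auth can-i delete deployments -n "$NS" --as="$who"
  if kubectl auth can-i list pods -n kube-system --as="$who" >/dev/null; then
    echo "FAIL: $who can read pods outside $NS" >&2; exit 1
  fi
  # The token KubePi needs, decoded (kubectl describe shows the same value).
  kubectl -n "$NS" get secret "$SECRET" -o jsonpath='{.data.token}' | base64 -d
  echo
}

b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }

# JWT segments are unpadded base64url; restore the padding before base64 -d.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the "sub" claim of a service-account JWT. It must read
# system:serviceaccount:<ns>:<sa> for the account you intended, not some
# other (more privileged) account's token.
jwt_subject() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" \
    | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Constructed sample: the claim layout of a kubernetes.io/service-account-token
# with a dummy header and signature; not a real credential.
sample_token() {
  hdr='{"alg":"RS256","kid":"dummy"}'
  pay=$(printf '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"%s","kubernetes.io/serviceaccount/service-account.name":"%s","sub":"system:serviceaccount:%s:%s"}' \
    "$NS" "$SA" "$NS" "$SA")
  printf '%s.%s.%s' "$(b64url_encode "$hdr")" "$(b64url_encode "$pay")" "dummysig"
}

case "${1:-}" in
  apply) apply_and_verify "${2:-./kubepi-rbac}" ;;
  *)     echo "sample token subject: $(jwt_subject "$(sample_token)")" ;;
esac
```

Without arguments the script only exercises the offline part and prints the sample token's subject; with "apply" it talks to the cluster of the current kubectl context. The third can-i check is the one worth keeping in any hardening script: a RoleBinding in user-ns must not let the account see kube-system, and if it does, something (typically a leftover ClusterRoleBinding) is granting more than the Role on this page.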

II. Installing kubepi

docker pull kubeoperator/kubepi-server

docker run --privileged -itd --restart=unless-stopped --name kube_dashboard -v /home/docker-mount/kubepi/:/var/lib/kubepi/ -p 8000:80 kubeoperator/kubepi-server

Kubepi only needs the data volume and the published port, so --privileged can be dropped: it removes the container's seccomp and AppArmor confinement and grants every capability, a needless host exposure for a dashboard that will hold cluster tokens. The volume under /home/docker-mount/kubepi/ is where those tokens end up, so restrict its permissions, and do not leave port 8000 reachable from untrusted networks with the default password still set.

Address: http://x.x.x.x:8000
Default username: admin
Default password: kubepi (change it after the first login)

Enter a cluster name, keep the default authentication mode, and fill in the apiserver address and the token obtained in step 5.