I. User authorization example
1. Create the namespace
kubectl create ns user-ns
Optionally make it the current namespace: kubectl config set-context --namespace user-ns --current
2. Create the ServiceAccount
kubectl create serviceaccount kubepi-user -n user-ns
Check: kubectl get sa -n user-ns
3. Create the Role (role.yaml)
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: user-ns
  name: user-role
rules:
- apiGroups: ["*"]
  resources: ["pods"]
  verbs: ["*"]
- apiGroups: ["apps"]   # the API group name only; "apps/v1" (group plus version) never matches
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
Apply: kubectl apply -f role.yaml
Check: kubectl get role -n user-ns
4. Bind the ServiceAccount to a role (vi role-bind.yaml). The user-role from step 3 could be referenced here; this walkthrough instead binds to the built-in cluster-admin ClusterRole, which a RoleBinding confines to the binding's own namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-bind
  namespace: user-ns      # same namespace as the ServiceAccount created in step 2
subjects:
- kind: ServiceAccount
  name: kubepi-user
  namespace: user-ns
roleRef:
  kind: ClusterRole       # cluster-admin is a built-in ClusterRole, not a namespaced Role
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
Apply: kubectl apply -f role-bind.yaml
Check: kubectl get rolebindings.rbac.authorization.k8s.io -n user-ns -o yaml
5. Create a service-account token Secret for the ServiceAccount (vi sa-token.yaml); on Kubernetes 1.24 and later the token is no longer created automatically, so it is requested explicitly.
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: kubepi-user-token
  namespace: user-ns      # must be the namespace of the ServiceAccount
  annotations:
    kubernetes.io/service-account.name: "kubepi-user"
Apply: kubectl apply -f sa-token.yaml
Check: kubectl describe secret kubepi-user-token -n user-ns | grep token
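As an added check (example code written for this edit, not part of the original walkthrough or of KubePi), a small lint over the Role, RoleBinding and token Secret from steps 3 to 5. It takes manifests as dicts, as yaml.safe_load would return them; PAGE_DOCS is constructed to mirror the objects as originally posted, and the run reports the mismatches that would otherwise leave the binding silently ineffective.

```python
BUILTIN_CLUSTER_ROLES = {"cluster-admin", "admin", "edit", "view"}

def lint_rbac(docs):
    """Return (kind/name, message) findings for mistakes that leave a binding ineffective."""
    findings = []
    # (name, namespace) of every ServiceAccount in the manifest set
    sas = {(d["metadata"]["name"], d["metadata"].get("namespace", "default"))
           for d in docs if d["kind"] == "ServiceAccount"}
    for d in docs:
        kind, meta = d["kind"], d["metadata"]
        ident, ns = f"{kind}/{meta['name']}", meta.get("namespace", "default")
        if kind == "Role":
            for rule in d.get("rules", []):
                for group in rule.get("apiGroups", []):
                    if "/" in group:  # apiGroups takes group names ("apps", "" for core), not "apps/v1"
                        findings.append((ident, f"apiGroups {group!r} includes a version; use {group.split('/')[0]!r}"))
                if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
                    findings.append((ident, "wildcard in verbs/resources grants more than the step needs"))
        elif kind == "RoleBinding":
            ref = d["roleRef"]
            if ref["kind"] == "Role" and ref["name"] in BUILTIN_CLUSTER_ROLES:
                # No Role named cluster-admin exists; the built-in one is a ClusterRole
                findings.append((ident, f"roleRef {ref['name']} is a ClusterRole; set kind: ClusterRole"))
            for s in d.get("subjects", []):
                s_ns = s.get("namespace", ns)
                if s["kind"] == "ServiceAccount" and (s["name"], s_ns) not in sas:
                    findings.append((ident, f"subject ServiceAccount {s['name']} not found in {s_ns}"))
        elif kind == "Secret" and d.get("type") == "kubernetes.io/service-account-token":
            sa = meta.get("annotations", {}).get("kubernetes.io/service-account.name")
            if (sa, ns) not in sas:  # a token Secret must sit in its ServiceAccount's namespace
                findings.append((ident, f"ServiceAccount {sa} not found in {ns}"))
    return findings

# Constructed to mirror the page's manifests as originally posted (kube-system, roleRef kind Role)
PAGE_DOCS = [
    {"kind": "ServiceAccount", "metadata": {"name": "kubepi-user", "namespace": "user-ns"}},
    {"kind": "Role", "metadata": {"name": "user-role", "namespace": "user-ns"}, "rules": [
        {"apiGroups": ["*"], "resources": ["pods"], "verbs": ["*"]},
        {"apiGroups": ["apps/v1"], "resources": ["deployments"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "role-bind", "namespace": "kube-system"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubepi-user", "namespace": "kube-system"}],
     "roleRef": {"kind": "Role", "name": "cluster-admin", "apiGroup": "rbac.authorization.k8s.io"}},
    {"kind": "Secret", "type": "kubernetes.io/service-account-token",
     "metadata": {"name": "kubepi-user-token", "namespace": "kube-system",
                  "annotations": {"kubernetes.io/service-account.name": "kubepi-user"}}},
]

if __name__ == "__main__":
    for ident, msg in lint_rbac(PAGE_DOCS):
        print(f"{ident}: {msg}")
```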
II. Install KubePi
docker pull kubeoperator/kubepi-server
docker run --privileged -itd --restart=unless-stopped --name kube_dashboard -v /home/docker-mount/kubepi/:/var/lib/kubepi/ -p 8000:80 kubeoperator/kubepi-server
Note that --privileged gives the container unrestricted access to the host; keep it only if KubePi actually needs it in your environment.
URL: http://x.x.x.x:8000
Default username: admin
Default password: kubepi
Enter the cluster name, keep the default authentication mode, and fill in the API server address and the token from step 5: