Kubernetes: creating a read-only Dashboard user (with exec permission)

Reader submission, 2022-09-08


1. Manually create a user (a service account) that will also have read-only access to cluster-level resources

kubectl create sa dashboard-readonly -n kube-system

2. Create a ClusterRole named cluster-readonly

cat cluster-readonly-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-readonly
rules:
# The one grant that is not read-only: create on pods/exec allows
# running commands inside any pod in any namespace.
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
# Core API group, read-only. Secrets are not listed, so they stay unreadable.
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
# Workload controllers, read-only.
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  - horizontalpodautoscalers/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - cronjobs/status
  - jobs
  - jobs/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - ingresses
  - ingresses/status
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicasets/status
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - poddisruptionbudgets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  - networkpolicies
  verbs:
  - get
  - list
  - watch
# Pod metrics, read-only.
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

3. Create a ClusterRoleBinding named cluster-readonly

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: cluster-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-readonly
subjects:
- kind: ServiceAccount
  name: dashboard-readonly
  namespace: kube-system

4. View the secret of the dashboard-readonly user (list all secrets with kubectl get secret -n=kube-system, then find the specific one). The secret contains a token; copy that token into the Dashboard login page to log in.

kubectl describe secret -n=kube-system dashboard-readonly-token-<random-string>

5. Log in to the Dashboard and verify

When deleting a pod or another resource, the following message is shown:

Verification complete.
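An offline audit of what the cluster-readonly role actually grants, as an added example that is not part of the original post. It assumes the role is available in the JSON shape that `kubectl get clusterrole cluster-readonly -o json` returns; the embedded sample is a constructed subset of the rules above, and the function names `allows` and `non_read_grants` are hypothetical.

```python
import json

READ_VERBS = {"get", "list", "watch"}

# Constructed sample: a subset of the cluster-readonly rules from this page,
# in the shape `kubectl get clusterrole cluster-readonly -o json` returns.
SAMPLE_ROLE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "cluster-readonly"},
 "rules": [
  {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
  {"apiGroups": [""], "resources": ["configmaps", "pods", "services"],
   "verbs": ["get", "list", "watch"]},
  {"apiGroups": ["apps"], "resources": ["deployments", "deployments/scale"],
   "verbs": ["get", "list", "watch"]}
 ]}
""")


def allows(role, group, resource, verb):
    """True if any rule grants `verb` on `resource` in `group` (RBAC is additive)."""
    # Simplification: only "*" and exact names; no "pods/*", "*/scale", resourceNames.
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if (("*" in groups or group in groups)
                and ("*" in resources or resource in resources)
                and ("*" in verbs or verb in verbs)):
            return True
    return False


def non_read_grants(role):
    """List (group, resource, verb) grants that go beyond get/list/watch."""
    found = set()
    for rule in role.get("rules", []):
        for verb in rule.get("verbs", []):
            if verb not in READ_VERBS:
                for group in rule.get("apiGroups", []):
                    for resource in rule.get("resources", []):
                        found.add((group, resource, verb))
    return sorted(found)


if __name__ == "__main__":
    for group, resource, verb in non_read_grants(SAMPLE_ROLE):
        print(f"non-read grant: {verb} on {resource} (apiGroup {group!r})")
    print("can delete pods:", allows(SAMPLE_ROLE, "", "pods", "delete"))
    print("can read secrets:", allows(SAMPLE_ROLE, "", "secrets", "get"))
```

The only entry reported for this role is create on pods/exec, which is the grant to review before handing out the token, since it applies to every pod in every namespace.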
