Kubernetes创建Dashboard超级管理员和只读账户

网友投稿 500 2022-10-27

Kubernetes创建Dashboard超级管理员和只读账户

创建Dashboard超级管理员

mkdir -p  /root/k8s-admin/ && cd /root/k8s-admin/

vi admin-sa.yaml

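# admin-sa.yaml: binds the ServiceAccount "admin" (namespace kube-system) to the
# built-in cluster-admin ClusterRole. Any holder of this account's token has
# unrestricted access to every resource in the cluster, so treat the token as a
# root credential and prefer a narrower role for day-to-day Dashboard use.
kind: ClusterRoleBinding
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the
# stable RBAC API version and accepts the same fields used here.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    # NOTE(review): these two labels are the ones addon-manager acts on. On a
    # cluster that runs addon-manager, an object labelled Reconcile that is not
    # in its manifest directory may be pruned; confirm they are wanted here.
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile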

kubectl create -f admin-sa.yaml

[root@cd-k8s-master-etcd-1 k8s-admin]# kubectl get secret -n kube-system|grep admin

admin-token-8cjgd            kubernetes.io/service-account-token   3      12h

[root@cd-k8s-master-etcd-1 k8s-admin]# kubectl get secret admin-token-8cjgd -o jsonpath={.data.token} -n kube-system |base64 -d

eyJhbGciOiJSUzI1NiIsImtpZCI6IklwTDJEcnQ2Y245X0E1V05jNzlEMzMzQ0ZIWVFYVG4tY052WndVMEJzWTgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi04Y2pnZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjU3NzExNGYxLTdlMjgtNDc5YS04ODA3LWRhYjEwNDc0NTQ0MSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.dP7Ak1DTkwjhnqgvfO-8NftOIx6n26AbZFYr_nOLpvUanruMlE7DbUnNDkXC7-5rNbtnvklpci3kc_Hr7uoDt7v_mSSS7gfnKEmnrEkMyccPdaiyKAfzckoJoPUrMTjtSIWoEDYUpnoWEDpwy7WYRsXwJcp8Ly103rr9dEV445rzYycMPq6yLKRamceiovjbgXbhaRTmet3QGMJM9VMbvldMkHZNRJvIV0wsGrtIAZ7aoWO1srr_bIDXtd0RlvCnTm-ATkGnvX9QXBmTRZo5m9vYoXzrk0XWM7wW64JnLUp8pInxCx86pO8aJLkw5r0WhBrh-T_SbUwE8bSmnQqRbw[root@cd-k8s-master-etcd-1 k8s-admin]#

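#然后使用这个token登录Dashboard即可。注意:该token绑定了cluster-admin,而且这种基于Secret的ServiceAccount token不会自动过期,相当于集群最高权限的长期凭据,不要把它粘贴到文档、工单或公开页面;一旦泄露,应删除对应的Secret使其失效。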

创建Dashboard只读账户

vi dashboard-viewonly.yaml

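---
# dashboard-viewonly.yaml: cluster-wide read-only role for the Dashboard.
# Every rule grants only get/list/watch. Secrets are not listed, so a holder of
# this role cannot read Secret objects through the API. The role still exposes
# configmaps, pods/log, serviceaccounts and the RBAC objects themselves, which
# can contain sensitive configuration or reveal the cluster's permission layout;
# trim those entries if the viewers do not need them.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-viewonly
rules:
# Core API group: workload and storage objects.
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - nodes
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
# Core API group: status sub-resources, events, quotas and container logs.
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  - volumeattachments
  verbs:
  - get
  - list
  - watch
# Read access to RBAC objects lets the viewer enumerate who holds which role.
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  - roles
  - rolebindings
  verbs:
  - get
  - list
  - watch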

cat vss-read.yaml

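# vss-read.yaml: binds the ServiceAccount "cd-read" (namespace kube-system) to
# the dashboard-viewonly ClusterRole. Because this is a ClusterRoleBinding, the
# read access applies to every namespace, not only kube-system.
kind: ClusterRoleBinding
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the
# stable RBAC API version and accepts the same fields used here.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cd-read
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: dashboard-viewonly
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: cd-read
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cd-read
  namespace: kube-system
  labels:
    # NOTE(review): these two labels are the ones addon-manager acts on. On a
    # cluster that runs addon-manager, an object labelled Reconcile that is not
    # in its manifest directory may be pruned; confirm they are wanted here.
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile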

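# Apply the two read-only manifests by name. Unlike `kubectl apply -f .`, this
# does not re-apply admin-sa.yaml (the cluster-admin binding) as a side effect.
kubectl apply -f dashboard-viewonly.yaml -f vss-read.yaml

# Look up the token Secret attached to cd-read. The random suffix of the Secret
# name differs on every cluster, so it is read from the ServiceAccount instead
# of being typed in by hand.
secret_name=$(kubectl get serviceaccount cd-read -n kube-system \
  -o jsonpath='{.secrets[0].name}')

if [ -z "$secret_name" ]; then
  # Kubernetes 1.24 and later no longer create a token Secret for a
  # ServiceAccount automatically; a time-limited token can be issued instead.
  echo "cd-read has no token Secret; use: kubectl create token cd-read -n kube-system" >&2
else
  # Print the token value. It is a bearer credential: keep it out of shared
  # terminals, logs and published pages.
  kubectl describe secret "$secret_name" -n kube-system
fi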

使用此token登录Dashboard即可
