  • Restricting Kubernetes dashboard permissions

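    When several people share the dashboard, accidental operations are common. To limit this, access control was applied to the dashboard; the main restriction here is that only pods are allowed to be deleted.
    1: Create a ClusterRole with the corresponding permissions (here, mainly so that only pods may be deleted)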

    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1alpha1
    metadata:
      name: dashboard
    rules:
    - apiGroups: ["*"]
      resources: ["*"]
      verbs: ["get", "watch", "list", "create","proxy","update"]
    - apiGroups: ["*"]
      resources: ["pods"]
      verbs: ["delete"]

    Note that for the dashboard to display heapster's monitoring data, the proxy verb must also be opened for services in resources.


    2: Create the ServiceAccount

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: dashboard
      namespace: kube-system

    3: Bind the ClusterRole and the ServiceAccount to each other

    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1alpha1
    metadata:
      name: dashboard-extended
    subjects:
      - kind: ServiceAccount
        name: dashboard
        namespace: kube-system
    roleRef:
      kind: ClusterRole
      name: dashboard
      #name: cluster-admin # the default cluster-admin role grants all permissions
      apiGroup: rbac.authorization.k8s.io

    4: Add the ServiceAccount to the dashboard deployment
    spec.template.spec.serviceAccountName: dashboard

    5: So that heapster also gets permissions, grant heapster the system:heapster role in the same way

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: heapster
      namespace: kube-system
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1alpha1
    metadata:
      name: heapster-extended
    subjects:
      - kind: ServiceAccount
        namespace: kube-system
        name: heapster
    roleRef:
      kind: ClusterRole
      name: system:heapster
      apiGroup: rbac.authorization.k8s.io
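
The ClusterRole from step 1 can be checked offline before it is applied. The following is an added example, not code from the original post: a simplified model of additive RBAC rule matching (it is not the Kubernetes authorizer and ignores resourceNames, subresources and nonResourceURLs), run against the `dashboard` rules and a constructed list of requests. It shows that delete is granted only on pods, while the first rule still grants get, create and update on every resource, secrets included.

```python
# Added example: simplified RBAC rule matcher (assumption: wildcard "*" and
# exact-string matching only; not the real Kubernetes authorizer).

# Rules copied from the ClusterRole "dashboard" in step 1.
DASHBOARD_RULES = [
    {"apiGroups": ["*"], "resources": ["*"],
     "verbs": ["get", "watch", "list", "create", "proxy", "update"]},
    {"apiGroups": ["*"], "resources": ["pods"], "verbs": ["delete"]},
]


def _matches(granted, value):
    """A rule field matches if it lists the value or the wildcard."""
    return "*" in granted or value in granted


def allowed(rules, verb, resource, api_group=""):
    """RBAC is additive: a request is allowed if any single rule grants it."""
    return any(
        _matches(rule["apiGroups"], api_group)
        and _matches(rule["resources"], resource)
        and _matches(rule["verbs"], verb)
        for rule in rules
    )


def audit(rules, requests):
    """Map each (verb, resource, apiGroup) request to True/False."""
    return {req: allowed(rules, *req) for req in requests}


# Constructed sample requests: (verb, resource, apiGroup); "" is the core group.
SAMPLE_REQUESTS = [
    ("delete", "pods", ""),
    ("delete", "deployments", "apps"),
    ("delete", "secrets", ""),
    ("deletecollection", "pods", ""),
    ("patch", "pods", ""),
    ("proxy", "services", ""),
    ("update", "deployments", "apps"),
    ("get", "secrets", ""),
]

if __name__ == "__main__":
    for (verb, resource, group), ok in audit(DASHBOARD_RULES, SAMPLE_REQUESTS).items():
        print(f"{'ALLOW' if ok else 'DENY':5} {verb:16} {resource} (group: {group or 'core'})")
```

On a live cluster the same questions can be asked with `kubectl auth can-i delete pods --as=system:serviceaccount:kube-system:dashboard`.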
  • Original article: https://www.cnblogs.com/ssss429170331/p/7686191.html