一、讲解示例 kubernetes-dashboard.yaml
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboard-certsnamespace: kube-system
type: Opaque---
# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1
kind: ServiceAccount
metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboardnamespace: kube-system---
# ------------------- Dashboard Role & Role Binding ------------------- #
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:name: kubernetes-dashboard-minimalnamespace: kube-system
rules:# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]resources: ["secrets"]verbs: ["create"]# Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]resources: ["configmaps"]verbs: ["create"]# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]resources: ["secrets"]resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]verbs: ["get", "update", "delete"]# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]resources: ["configmaps"]resourceNames: ["kubernetes-dashboard-settings"]verbs: ["get", "update"]# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]resources: ["services"]resourceNames: ["heapster"]verbs: ["proxy"]
- apiGroups: [""]resources: ["services/proxy"]resourceNames: ["heapster", "http:heapster:", "https:heapster:"]verbs: ["get"]---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:name: kubernetes-dashboard-minimalnamespace: kube-system
roleRef:apiGroup: rbac.authorization.k8s.iokind: Rolename: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccountname: kubernetes-dashboardnamespace: kube-system---
# ------------------- Dashboard Deployment ------------------- #
kind: Deployment
apiVersion: apps/v1beta2
metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboardnamespace: kube-system
spec:replicas: 1revisionHistoryLimit: 10selector:matchLabels:k8s-app: kubernetes-dashboardtemplate:metadata:labels:k8s-app: kubernetes-dashboardspec:containers:- name: kubernetes-dashboardimage: registry.cn-hangzhou.aliyuncs.com/kube_containers/kubernetes-dashboard-amd64ports:- containerPort: 8443protocol: TCPargs:- --auto-generate-certificates# Uncomment the following line to manually specify Kubernetes API server Host# If not specified, Dashboard will attempt to auto discover the API server and connect# to it. Uncomment only if the default does not work.# - --apiserver-host=http://my-address:portvolumeMounts:- name: kubernetes-dashboard-certsmountPath: /certs# Create on-disk volume to store exec logs- mountPath: /tmpname: tmp-volumelivenessProbe:httpGet:scheme: HTTPSpath: /port: 8443initialDelaySeconds: 30timeoutSeconds: 30volumes:- name: kubernetes-dashboard-certssecret:secretName: kubernetes-dashboard-certs- name: tmp-volumeemptyDir: {
}serviceAccountName: kubernetes-dashboard# Comment the following tolerations if Dashboard must not be deployed on mastertolerations:- key: node-role.kubernetes.io/mastereffect: NoSchedule
---
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboardnamespace: kube-system
spec:type: NodePortports:- port: 443targetPort: 8443nodePort: 30001selector:k8s-app: kubernetes-dashboard
二、文件资源对象
2.0 该文件主要有如下资源(倒序)
- Service: 暴露容器中的服务
- Deployment: 创建容器的控制器的控制器
- RoleBinding: 角色绑定,绑定角色和服务账户
- Role: 角色,指定角色权限
- ServiceAccount: 创建服务账户
- Secret: 提供令牌,访问API服务器所用
2.1 Deployment:
spec.template.spec.serviceAccountName:kubernetes-dashboard,意思是产生的容器归属于kubernetes-dashboard服务账户。spec.template.spec.volumes.secret.secret:kubernetes-dashboard-certs,意思是产生的容器默认挂载该令牌访问API服务资源。- 简单的说:Web UI容器属于kubernetes-dashboard服务账户,该容器访问API服务器令牌为kubernetes-dashboard-certs
2.2 Role:
- 规定了 kubernetes-dashboard-minimal该角色的权限,比如rules[0],对于URL资源型的secret,该角色可以创建,不可删该查。
2.3 RoleBinding:
- 声明了服务账户kubernetes-dashboard享有 kubernetes-dashboard-minimal该角色的权限
2.4 综上所述:
- Web UI容器绑定了如下两个资源:
- Secret:让dashboard容器访问API能够认证通过,
- ServiceAccount: 认证通过后dashboard容器会有什么权限
三.《实验》权限验证
我们来看一下kubernetes-dashboard该服务账户的认证令牌
[root@k8s-master k8s]# kubectl describe sa kubernetes-dashboard -n kube-system | grep Token
Tokens: kubernetes-dashboard-token-gthpd
查看该令牌
[root@k8s-master k8s]# kubectl describe secret kubernetes-dashboard-token-gthpd -n kube-system | grep ^token
token: eyJhbGciOiJSUzI1NiI......htI0PbXnmUG6HHL-KAtR4nw
如果使用该令牌登录Web UI会如何?答案是啥资源信息也看不了
为什么呢?如上图,集群下有命名空间namespaces、节点nodes、持久化存储卷pv、角色Role、存储类Store class,叫做集群资源,也叫全局资源;
命名空间下有Jobpod、DaemonSet、Deployment、Pods、RS、RC、Service、Secret等等局部资源
如果要查看他们,必须有权限访问这些资源信息,回头看看Role部署文件声明的Rule,的确有部分访问权限,例如secrets的删改查,很遗憾该令牌所对应的服务账户被绑定的并非集群角色,绑定的方式并非集群绑定,WebUI的集群资源必须被ClusterBinding,角色必须为ClusterRole,所以也就啥都没,还报一堆警告。
那我们从系统中找个有集群角色的服务账户实验一下
集群绑定资源可以查询绑定的角色和服务账户
1.我们先找一个集群角色绑定资源
[root@k8s-master k8s]# kubectl get clusterrolebinding system:controller:namespace-controller
找打了namespace-controller服务账户和system:controller:namespace-controller集群角色
2.看下集群角色有什么权限,并验证
[root@k8s-master k8s]# kubectl get clusterrole system:controller:namespace-controller -o yaml
rules:
- apiGroups:- ""resources:- namespaces !对命名空间只有查删,没有增改verbs:- delete- get- list- watch
- apiGroups:- ""resources:- namespaces/finalize- namespaces/statusverbs:- update
- apiGroups:- '*'resources:- '*'verbs: !对所有资源只有查删,没有增改- delete- deletecollection- get- list从上面可知,这个角色对所有资源只有查删,不能增改!!!,来验证一下…
3获取密钥
[root@m ~]# kubectl get sa namespace-controller -n kube-system -o yaml
secret: namespace-controller-token-gb4hf
[root@k8s-master k8s]# kubectl describe secret namespace-controller-token-gb4hf -n kube-system
4.web登录,选择令牌登录
很好,可以查到所有资源,跟预期一致
4.1试试创建新命名空间
很好,果然不能创建(增)资源
4.2 试试删除资源
[root@k8s-master k8s]# kubectl get pods --watch
NAME READY STATUS RESTARTS AGE
test-c478db4fb-w6c68 1/1 Running 0 16m可以看到有一个容器test-c478db4fb-w6c68正在运行,那么我们现在在Web删除他,–watch参数是实时监控
回到黑屏终端,可以见到命令行实时监控输出的信息
[root@k8s-master k8s]# kubectl get pods --watch
NAME READY STATUS RESTARTS AGE
test-c478db4fb-w6c68 1/1 Running 0 16m
test-c478db4fb-w6c68 1/1 Terminating 0 19m
test-c478db4fb-sqs9q 0/1 Pending 0 0s
test-c478db4fb-sqs9q 0/1 Pending 0 0s
test-c478db4fb-w6c68 1/1 Terminating 0 19m
test-c478db4fb-sqs9q 0/1 ContainerCreating 0 1s
test-c478db4fb-w6c68 0/1 Terminating 0 19m
test-c478db4fb-sqs9q 1/1 Running 0 9s
test-c478db4fb-w6c68 0/1 Terminating 0 19m
test-c478db4fb-w6c68 0/1 Terminating 0 19m
很好,test-c478db4fb-w6c68被结束,就是删除成功,其他资源类似,不再举例。
那么有一个问题,test-c478db4fb-sqs9q这个是什么?因为这个容器我是通过RS部署的,所以被删除会有一个替代它。
验证结束: 确实只有查删、不能增改
四、超级权限
那么最后一个问题,我想要root权限,不想受那么多限制咋办?
同样,我们也在clusterrolebinding找,但你不用找了,我直接告诉你,集群角色:cluster-admin拥有超级权限,但是很遗憾这个集群绑定没有指定服务账户,所以现在我们需要创建ClusterRoleBinding和ServiceAccount
[root@k8s-master ~]# vi k8s-admin.yaml
apiVersion: v1
kind: ServiceAccount
metadata:name: dashboard-adminnamespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:name: dashboard-admin
subjects:- kind: ServiceAccountname: dashboard-adminnamespace: kube-system
roleRef:kind: ClusterRolename: cluster-adminapiGroup: rbac.authorization.k8s.io[root@k8s-master ~]# kubectl create -f k8s-admin.yaml
!1.查看服务账户对应的secret
[root@k8s-master k8s]# kubectl describe sa -n kube-system dashboard-admin | greo ^Tokens
Tokens: dashboard-admin-token-xxxxx
!2.获取令牌
[root@k8s-master k8s]# kubectl describe secret dashboard-admin-token-np46j -n kube-system | grep ^token
token: eyJhbGciOiJSUzI1NiIsI......f2NkjH0YsBD7QEjRiQxp0Cv35rHC0pXuyRtDDKM7VE_RppJoY06WCRzAwZGCOBE1H6A
!3.接下来令牌登录即可获取k8s资源所有权,你就是集群最靓的仔
五、回顾
很好,相信你已经有了比较清晰思路