When the dashboard is shared by many users, accidental operations are common. To restrict the dashboard, permission controls were applied to it; the main restriction here is that only pods may be deleted.
1: Create a ClusterRole with the corresponding permissions (here mainly allowing only pods to be deleted)
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: dashboard
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list", "create", "proxy", "update"]
- apiGroups: ["*"]
  resources: ["pods"]
  verbs: ["delete"]
One thing to note: for the dashboard to display heapster monitoring data, the proxy verb on the services resource must also be opened.
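To see what the ClusterRole above actually permits, here is an added example (not from the original post) that models how the Kubernetes RBAC authorizer evaluates a role's rules: every rule is an allow, the request succeeds as soon as one rule matches all of its fields, and nothing is ever denied by a rule. The rules are transcribed from the page's YAML into Python dicts so no YAML library is needed; the request list in `audit` is my own choice.

```python
# Added example: a minimal model of RBAC rule evaluation, applied to the
# "dashboard" ClusterRole from the post. Rules are a union of allows.
from typing import Dict, List, Tuple

# The two rules of the page's ClusterRole, transcribed by hand (constructed).
DASHBOARD_RULES: List[Dict[str, List[str]]] = [
    {"apiGroups": ["*"], "resources": ["*"],
     "verbs": ["get", "watch", "list", "create", "proxy", "update"]},
    {"apiGroups": ["*"], "resources": ["pods"], "verbs": ["delete"]},
]


def _matches(allowed: List[str], value: str) -> bool:
    """A rule field matches if it names the value or contains the wildcard '*'."""
    return "*" in allowed or value in allowed


def is_allowed(rules: List[Dict[str, List[str]]], verb: str,
               resource: str, api_group: str = "") -> bool:
    """Return True if any rule grants `verb` on `resource` in `api_group`.

    The core API group is the empty string. A rule only grants a request when
    all three fields match; there is no negative rule, so adding a rule can
    only widen what the role allows.
    """
    return any(
        _matches(r["apiGroups"], api_group)
        and _matches(r["resources"], resource)
        and _matches(r["verbs"], verb)
        for r in rules
    )


def audit(rules: List[Dict[str, List[str]]]) -> Dict[str, bool]:
    """Evaluate the requests relevant to this post for the dashboard role."""
    checks: Dict[str, Tuple[str, str, str]] = {
        "delete pods": ("delete", "pods", ""),              # the one delete allowed
        "delete deployments": ("delete", "deployments", "apps"),  # no rule matches
        "proxy services": ("proxy", "services", ""),        # needed for heapster data
        "create pods": ("create", "pods", ""),  # still granted by the wildcard rule
    }
    return {name: is_allowed(rules, *req) for name, req in checks.items()}


if __name__ == "__main__":
    for name, ok in audit(DASHBOARD_RULES).items():
        print(f"{name:20s} {'allowed' if ok else 'denied'}")
```

The output shows the role restricts only deletion: the first rule's wildcard resources still grant create and update on everything, so the second rule narrows the delete verb to pods without touching the rest.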
2: Create the ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard
  namespace: kube-system
3: Bind the ClusterRole and the ServiceAccount to each other
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: dashboard-extended
subjects:
- kind: ServiceAccount
  name: dashboard
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: dashboard
  # name: cluster-admin  # the default cluster-admin grants all permissions
  apiGroup: rbac.authorization.k8s.io
4: Add the ServiceAccount to the deployment
spec.template.spec.serviceAccountName: dashboard
5: So that heapster also gets permissions, grant heapster the system:heapster permissions in the same way
apiVersion: v1
kind: ServiceAccount
metadata:
  name: heapster
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: heapster-extended
subjects:
- kind: ServiceAccount
  namespace: kube-system
  name: heapster
roleRef:
  kind: ClusterRole
  name: system:heapster
  apiGroup: rbac.authorization.k8s.io