场景:

开发人员需要通过线上面板(dashboard)排查问题,临时开放权限来解决

方案:

指定 namespace 为 dev
按顺序执行以下 yaml(每段前的注释给出了对应的 kubectl apply 命令)

# kubectl apply -f sa.yaml
# The ServiceAccount whose token is handed to the dashboard user; it carries
# no permissions of its own — everything comes from the bindings below.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: dev
  name: dev-sa
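# kubectl apply -f sit-role.yaml
# Namespace-scoped role for troubleshooting from the dashboard.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-reader
  namespace: dev
rules:
  # Rule 1: read-only view of the workload resources the dashboard shows.
  # Note that get/list on "secrets" reveals every Secret value in the
  # namespace, including the tokens of other ServiceAccounts — keep this role
  # bound only for as long as the troubleshooting session lasts.
  - apiGroups:
      - ""
      - extensions
      - apps
      - batch
      # Ingress lives here on current clusters; "extensions" is kept so the
      # same file still works on older releases (extensions/v1beta1 Ingress
      # was removed in v1.22).
      - networking.k8s.io
    # resourceNames: add a list of object names here to limit the grant to
    # specific pods/deployments instead of the whole namespace.
    resources:
      - pods
      - pods/log
      - pods/exec
      - pods/status
      - configmaps
      - persistentvolumeclaims
      - secrets
      - services
      - events
      - replicationcontrollers
      - ingresses
      - deployments
      - jobs  # was "job": the API resource is plural, so the old entry matched nothing
      - cronjobs
      - statefulsets
      - replicasets
      - daemonsets
    verbs:
      - get
      - list
      - watch
  # Rule 2: exec into a pod is a POST on the exec subresource, so it needs
  # "create" — but only there. The original rule granted "create" on every
  # resource above (pods, secrets, deployments, ...), which lets the token
  # holder start arbitrary workloads and mount any Secret in the namespace;
  # that is far more than a "reader" and is not needed for troubleshooting.
  - apiGroups:
      - ""
    resources:
      - pods/exec
    verbs:
      - create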
# kubectl apply -f sit-rolebinding.yaml
# Binds dev/dev-sa to the namespaced Role "dev-reader". A RoleBinding can only
# grant inside its own namespace, so nothing here reaches beyond "dev".
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: dev
  name: role-bind-dev-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-reader
subjects:
  - kind: ServiceAccount
    namespace: dev
    name: dev-sa
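# Grant permissions on cluster-scoped resources (the dashboard needs to list
# namespaces; nodes and persistentvolumes are the other cluster-scoped
# resources in the core API group).
# kubectl apply -f cluster-scope-permissions.yml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-scope-role-dev-sa
rules:
  - apiGroups:
      - ""
    # The original used resources: ["*"]. In a ClusterRole that is not
    # "cluster-level resources" — it is every core resource in every
    # namespace, including secrets, i.e. read access to every other
    # ServiceAccount token in the cluster. Name the cluster-scoped core
    # resources explicitly instead.
    resources:
      - namespaces
      - nodes
      - persistentvolumes
    verbs:
      - get
      - list
      - watch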
---
# Binds the namespaced ServiceAccount dev/dev-sa to the ClusterRole named
# cluster-scope-role-dev-sa; because this is a ClusterRoleBinding the grant
# applies across all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-scope-rolebinding-dev-sa
subjects:
  - kind: ServiceAccount
    namespace: dev
    name: dev-sa
roleRef:
  kind: ClusterRole
  name: cluster-scope-role-dev-sa
  apiGroup: rbac.authorization.k8s.io

获取token

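# Up to v1.23 a token Secret is created automatically for the ServiceAccount;
# find it and read the token field from its description.
kubectl get secret -n dev | grep dev-sa
kubectl describe secret dev-sa-token-podxx -n dev
# token: this value is the login token for the dashboard
#
# From v1.24 no Secret is created automatically (the grep above finds nothing).
# Request a bounded token instead — it expires on its own, which fits a
# temporary grant better than a long-lived Secret:
# kubectl create token dev-sa -n dev --duration=8h   # example lifetime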

引用:

https://bbotte.github.io/virtualization/for-kubernetes-dashboard-create-readonly-user-access.html
最后修改:2022 年 07 月 25 日