ServiceAccount 会限定命名空间
1. 创建 ServiceAccount 并配置角色权限
# dev-user-role-sa.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # The identity the developer will authenticate as; it carries no
  # permissions by itself, the RoleBinding in this file grants them.
  name: dev-user
  # Assumes the development environment lives in the dev-ns namespace.
  namespace: dev-ns
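---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-user-role
  namespace: dev-ns
# Namespace-scoped permissions for the dev-user ServiceAccount. Because this
# is a Role (not a ClusterRole) every rule below applies inside dev-ns only.
rules:
  # Core ("") API group. "deployments" is not a core resource (it belongs to
  # the "apps" group and is granted there), so it was removed from this list.
  # get/list on "secrets" lets the token holder read every Secret in dev-ns,
  # including this ServiceAccount's own token Secret; drop "secrets" here if
  # developers should not have that visibility.
  - apiGroups: [""]
    resources:
      - pods
      - services
      - configmaps
      - secrets
      - persistentvolumeclaims
      - events
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Full CRUD on workload controllers.
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Full CRUD on batch workloads.
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Full CRUD on namespace networking objects.
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "networkpolicies"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Full CRUD on horizontal pod autoscalers.
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Read pod logs. The log subresource is only ever fetched, so the former
  # "create" verb on it was a no-op and has been dropped.
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
  # Run commands inside pods. This amounts to code execution in every pod of
  # the namespace, so it is kept as a separate, clearly visible rule.
  # "create" is what kubectl exec needs; "get" is retained from the original
  # grant.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["get", "create"]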
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-user-rolebinding
  namespace: dev-ns
# Attaches dev-user-role to the dev-user ServiceAccount. roleRef points at a
# namespaced Role, so the resulting access is confined to dev-ns.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-user-role
subjects:
  - kind: ServiceAccount
    name: dev-user
    namespace: dev-ns
# Create the ServiceAccount, Role and RoleBinding in one step.
kubectl apply --filename dev-user-role-sa.yaml
2. 创建 Secret 并关联 ServiceAccount 以生成 Token
# dev-user-token-secret.yaml
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: dev-user-token
  namespace: dev-ns
  annotations:
    # Ties this Secret to the dev-user ServiceAccount so the token controller
    # populates it. A Secret of this type holds a long-lived token; deleting
    # the Secret is how that token is revoked.
    kubernetes.io/service-account.name: dev-user
# Create the token Secret; the controller fills in .data.token afterwards.
kubectl apply --filename dev-user-token-secret.yaml
3. 查看 Token
root@k8s-ms-master:~# kubectl -n dev-ns describe serviceaccount dev-user
Name: dev-user
Namespace: dev-ns
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: <none>
Tokens: dev-user-token
Events: <none>
# 查看解码后的 token
root@k8s-ms-master:~# kubectl -n dev-ns get secret dev-user-token -o jsonpath="{.data.token}" | base64 -d
方式一：使用 Token 访问 Kubernetes Dashboard
方式二：使用 Kubeconfig 文件
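# Build a standalone kubeconfig for the dev-user ServiceAccount from the
# current (admin) context. jq is no longer required: every value is read
# with kubectl's built-in jsonpath output instead.
SA_NAMESPACE=dev-ns
SA_NAME=dev-user
TOKEN_SECRET=dev-user-token
OUT_FILE=dev-user-kubeconfig.yaml

# --minify keeps only the cluster of the current context; --raw is needed
# because `config view` redacts certificate-authority-data by default.
CLUSTER_NAME=$(kubectl config view --minify -o jsonpath='{.clusters[0].name}')
CLUSTER_CA_CERT=$(kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
API_SERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
TOKEN=$(kubectl -n "$SA_NAMESPACE" get secret "$TOKEN_SECRET" -o jsonpath='{.data.token}' | base64 -d)

# A context whose cluster references a CA file (no inline data), or a token
# Secret the controller has not populated yet, would otherwise yield a
# kubeconfig with empty fields that only fails at first use.
if [ -z "$CLUSTER_CA_CERT" ] || [ -z "$TOKEN" ]; then
  echo "error: empty CA data or token; check the current context and that secret ${TOKEN_SECRET} is populated in ${SA_NAMESPACE}" >&2
  return 1 2>/dev/null || exit 1
fi

# The file embeds a bearer token, so create it readable by the owner only.
# The umask change is scoped to a subshell so an interactive session keeps
# its own umask.
(
  umask 077
  cat <<EOF > "$OUT_FILE"
apiVersion: v1
kind: Config
preferences: {}
clusters:
  - name: ${CLUSTER_NAME}
    cluster:
      server: ${API_SERVER}
      certificate-authority-data: ${CLUSTER_CA_CERT}
users:
  - name: ${SA_NAME}
    user:
      token: ${TOKEN}
contexts:
  - name: ${SA_NAME}-context
    context:
      cluster: ${CLUSTER_NAME}
      user: ${SA_NAME}
      namespace: ${SA_NAMESPACE}
current-context: ${SA_NAME}-context
EOF
)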
4. 测试
结果：只有 dev-ns 命名空间的权限，其他命名空间没有权限
KUBECONFIG=./dev-user-kubeconfig.yaml kubectl get pods -n dev-ns
root@k8s-ms-master:~# KUBECONFIG=./dev-user-kubeconfig.yaml kubectl get pods -n dev-ns
No resources found in dev-ns namespace.
root@k8s-ms-master:~# KUBECONFIG=./dev-user-kubeconfig.yaml kubectl get pods -n default
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:dev-ns:dev-user" cannot list resource "pods" in API group "" in the namespace "default"