使用Kuboard管理RBAC

2020-01-14 09:08:06 +08:00
parent 496c6e6690
commit bbcf240c05
25 changed files with 405 additions and 68 deletions
--- a/.vuepress/components/AdSenseLeftTop.vue
+++ b/.vuepress/components/AdSenseLeftTop.vue
@ -10,6 +10,11 @@
    <script>
        (adsbygoogle = window.adsbygoogle || []).push({});
    </script>
+    <!-- <div>
+      <a @click="$sendGaEvent('ads-nav-top:tencent-cloud', 'ads-nav-top', 'ads-nav-top')" href="https://cloud.tencent.com/act/cps/redirect?redirect=1052&cps_key=2ee6baa049659f4713ddc55a51314372&from=console" target="_blank">
+        <img style="max-width: 100%;" src="/images/ads/tencent-cloud.jpg"/>
+      </a>
+    </div> -->
  </div>
 </template>

--- a/.vuepress/components/ad-list.js
+++ b/.vuepress/components/ad-list.js
@ -5,7 +5,7 @@ module.exports = [
    strong: '一键离线安装',
    action: '去看看',
    url: 'https://github.com/fanux/sealos',
-    weight: 10
+    weight: 60
  },
  // {
  //   name: '阳明的博客',
@ -23,14 +23,14 @@ module.exports = [
  //   url: 'https://time.geekbang.org/column/intro/100036601?code=0Totv3yN%2FohiumTclUF4ky4qRYs9Ecq6ZK4IdgNf88M%3D',
  //   weight: 1
  // },
-  {
-    name: '腾讯云',
-    description: '腾讯云双十二活动，',
-    strong: '百款云产品一折起',
-    action: '去抢',
-    url: 'https://cloud.tencent.com/act/cps/redirect?redirect=1052&cps_key=2ee6baa049659f4713ddc55a51314372&from=console',
-    weight: 60
-  },
+  // {
+  //   name: '腾讯云',
+  //   description: '腾讯云双十二活动，',
+  //   strong: '百款云产品一折起',
+  //   action: '去抢',
+  //   url: 'https://cloud.tencent.com/act/cps/redirect?redirect=1052&cps_key=2ee6baa049659f4713ddc55a51314372&from=console',
+  //   weight: 60
+  // },
  // {
  //   name: '阿里云',
  //   description: '双十二，主会场，',
@ -41,14 +41,14 @@ module.exports = [
  // },
  {
    name: 'Kubetrain',
-    description: 'K8S在线直播培训，首次开班优惠',
+    description: 'K8S在线直播培训，内推机会',
    strong: '不满意可无条件退款',
    action: '现在就去',
    url: 'https://kubetrain.cn/?from=kuboard-ads',
    weight: 60
  },
  {
-    name: '10元直播课',
+    name: '12元直播课',
    description: 'Kubernetes集群安装详解，安装脚本定制',
    strong: '入门起点',
    action: '捧个场',
--- a/.vuepress/config-sidebar.js
+++ b/.vuepress/config-sidebar.js
@ -48,8 +48,15 @@ module.exports = {
        'install-dashboard',
        'install-dashboard-offline',
        'install-dashboard-upgrade',
-        'install-kubectl',
-        'config-kubectl',
+        {
+          title: 'kubectl',
+          collapsable: true,
+          children: [
+            'install-kubectl',
+            'config-kubectl',
+            'install-kubectl-sa',
+          ]
+        },
        'install-k8s-dashboard',
      ]
    },
@ -398,6 +405,7 @@ module.exports = {
          collapsable: true,
          children: [
            'k8s-advanced/sec/sa-admin',
+            'k8s-advanced/sec/kuboard',
            'k8s-advanced/sec/rbac/api',
            'k8s-advanced/sec/rbac/default',
            'k8s-advanced/sec/rbac/escalation',
--- a/.vuepress/config.js
+++ b/.vuepress/config.js
@ -159,7 +159,7 @@ module.exports = {
      { text: '支持', link: '/support/' },
      { text: '培训', link: 'https://kubetrain.cn/?from=kuboard', target: '_blank' },
      // { text: '博客', link: 'http://k8s.kubetrain.cn/' },
-      { text: '论坛', link: 'http://bbs.kuboard.cn/', target: '_blank' },
+      // { text: '论坛', link: 'http://bbs.kuboard.cn/', target: '_blank' },
      // { text: 'DevOps', link: '/devops/' }
    ],
    displayAllHeaders: false,
--- a/.vuepress/public/images/ads/tencent-cloud.jpg
+++ b/.vuepress/public/images/ads/tencent-cloud.jpg
--- a/.vuepress/public/install-script/kuboard-beta.yaml
+++ b/.vuepress/public/install-script/kuboard-beta.yaml
@ -0,0 +1,112 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kuboard
+  namespace: kube-system
+  annotations:
+    k8s.eip.work/displayName: kuboard
+    k8s.eip.work/ingress: "true"
+    k8s.eip.work/service: NodePort
+    k8s.eip.work/workload: kuboard
+  labels:
+    k8s.eip.work/layer: monitor
+    k8s.eip.work/name: kuboard
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s.eip.work/layer: monitor
+      k8s.eip.work/name: kuboard
+  template:
+    metadata:
+      labels:
+        k8s.eip.work/layer: monitor
+        k8s.eip.work/name: kuboard
+    spec:
+      containers:
+      - name: kuboard
+        image: eipwork/kuboard:beta
+        imagePullPolicy: Always
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kuboard
+  namespace: kube-system
+spec:
+  type: NodePort
+  ports:
+  - name: http
+    port: 80
+    targetPort: 80
+    nodePort: 32567
+  selector:
+    k8s.eip.work/layer: monitor
+    k8s.eip.work/name: kuboard
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kuboard-user
+  namespace: kube-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kuboard-user
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: kuboard-user
+  namespace: kube-system
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kuboard-viewer
+  namespace: kube-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kuboard-viewer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: view
+subjects:
+- kind: ServiceAccount
+  name: kuboard-viewer
+  namespace: kube-system
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: kuboard
+  namespace: kube-system
+  annotations:
+    k8s.eip.work/displayName: kuboard
+    k8s.eip.work/workload: kuboard
+    nginx.org/websocket-services: "kuboard"
+    nginx.com/sticky-cookie-services: "serviceName=kuboard srv_id expires=1h path=/"
+spec:
+  rules:
+  - host: kuboard.yourdomain.com
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: kuboard
+          servicePort: http
--- a/.vuepress/public/install-script/kuboard-offline.yaml
+++ b/.vuepress/public/install-script/kuboard-offline.yaml
@ -95,26 +95,26 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: kuboard-viewer-node
+  name: kuboard-viewer:kuboard-minimum-role
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: system:node
+  name: kuboard-minimum-role
 subjects:
- kind: ServiceAccount
-  name: kuboard-viewer
-  namespace: kube-system
+  - kind: ServiceAccount
+    name: kuboard-viewer
+    namespace: kube-system

 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: ClusterRole
 metadata:
-  name: kuboard-viewer-pvp
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:persistent-volume-provisioner
-subjects:
- kind: ServiceAccount
-  name: kuboard-viewer
-  namespace: kube-system
+  name: kuboard-minimum-role
+rules:
+  - apiGroups:
+    - ''
+    resources:
+    - 'namespaces'
+    - 'nodes'
+    verbs:
+    - 'list'
--- a/.vuepress/public/install-script/kuboard.yaml
+++ b/.vuepress/public/install-script/kuboard.yaml
@ -94,29 +94,29 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: kuboard-viewer-node
+  name: kuboard-viewer:kuboard-minimum-role
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: system:node
+  name: kuboard-minimum-role
 subjects:
- kind: ServiceAccount
-  name: kuboard-viewer
-  namespace: kube-system
+  - kind: ServiceAccount
+    name: kuboard-viewer
+    namespace: kube-system

 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: ClusterRole
 metadata:
-  name: kuboard-viewer-pvp
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:persistent-volume-provisioner
-subjects:
- kind: ServiceAccount
-  name: kuboard-viewer
-  namespace: kube-system
+  name: kuboard-minimum-role
+rules:
+  - apiGroups:
+    - ''
+    resources:
+    - 'namespaces'
+    - 'nodes'
+    verbs:
+    - 'list'

 ---
 apiVersion: extensions/v1beta1
--- a/.vuepress/public/install-script/refine-kuboard-role.yaml
+++ b/.vuepress/public/install-script/refine-kuboard-role.yaml
@ -0,0 +1,34 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kuboard-viewer:kuboard-minimum-role
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kuboard-minimum-role
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: system:serviceaccounts
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kuboard-minimum-role
+rules:
+  - apiGroups:
+    - 'rbac.authorization.k8s.io'
+    resources:
+    - 'clusterrolebindings'
+    - 'rolebindings'
+    verbs:
+    - 'list'
+  - apiGroups:
+    - 'rbac.authorization.k8s.io'
+    resources:
+    - 'clusterroles'
+    - 'roles'
+    verbs:
+    - 'get'
--- a/.vuepress/theme/components/Sidebar.vue
+++ b/.vuepress/theme/components/Sidebar.vue
@ -26,9 +26,9 @@
      <!-- <div class="side-nav-item">
        <a href="http://k8s.kubetrain.cn" class="nav-link" target="_blank">博客</a>
      </div> -->
-      <div class="side-nav-item">
+      <!-- <div class="side-nav-item">
        <a href="http://bbs.kuboard.cn" class="nav-link" target="_blank">论坛</a>
-      </div>
+      </div> -->
    </div>
    <slot name="top"/>
    <SidebarLinks :depth="0" :items="items"/>