使用Kuboard管理RBAC

2020-01-14 09:08:06 +08:00
parent 496c6e6690
commit bbcf240c05
25 changed files with 405 additions and 68 deletions
--- a/.vuepress/public/install-script/kuboard-beta.yaml
+++ b/.vuepress/public/install-script/kuboard-beta.yaml
@ -0,0 +1,112 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kuboard
+  namespace: kube-system
+  annotations:
+    k8s.eip.work/displayName: kuboard
+    k8s.eip.work/ingress: "true"
+    k8s.eip.work/service: NodePort
+    k8s.eip.work/workload: kuboard
+  labels:
+    k8s.eip.work/layer: monitor
+    k8s.eip.work/name: kuboard
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s.eip.work/layer: monitor
+      k8s.eip.work/name: kuboard
+  template:
+    metadata:
+      labels:
+        k8s.eip.work/layer: monitor
+        k8s.eip.work/name: kuboard
+    spec:
+      containers:
+      - name: kuboard
+        image: eipwork/kuboard:beta
+        imagePullPolicy: Always
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kuboard
+  namespace: kube-system
+spec:
+  type: NodePort
+  ports:
+  - name: http
+    port: 80
+    targetPort: 80
+    nodePort: 32567
+  selector:
+    k8s.eip.work/layer: monitor
+    k8s.eip.work/name: kuboard
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kuboard-user
+  namespace: kube-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kuboard-user
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: kuboard-user
+  namespace: kube-system
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kuboard-viewer
+  namespace: kube-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kuboard-viewer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: view
+subjects:
+- kind: ServiceAccount
+  name: kuboard-viewer
+  namespace: kube-system
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: kuboard
+  namespace: kube-system
+  annotations:
+    k8s.eip.work/displayName: kuboard
+    k8s.eip.work/workload: kuboard
+    nginx.org/websocket-services: "kuboard"
+    nginx.com/sticky-cookie-services: "serviceName=kuboard srv_id expires=1h path=/"
+spec:
+  rules:
+  - host: kuboard.yourdomain.com
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: kuboard
+          servicePort: http
--- a/.vuepress/public/install-script/kuboard-offline.yaml
+++ b/.vuepress/public/install-script/kuboard-offline.yaml
@ -95,26 +95,26 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: kuboard-viewer-node
+  name: kuboard-viewer:kuboard-minimum-role
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: system:node
+  name: kuboard-minimum-role
 subjects:
- kind: ServiceAccount
-  name: kuboard-viewer
-  namespace: kube-system
+  - kind: ServiceAccount
+    name: kuboard-viewer
+    namespace: kube-system

 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: ClusterRole
 metadata:
-  name: kuboard-viewer-pvp
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:persistent-volume-provisioner
-subjects:
- kind: ServiceAccount
-  name: kuboard-viewer
-  namespace: kube-system
+  name: kuboard-minimum-role
+rules:
+  - apiGroups:
+    - ''
+    resources:
+    - 'namespaces'
+    - 'nodes'
+    verbs:
+    - 'list'
--- a/.vuepress/public/install-script/kuboard.yaml
+++ b/.vuepress/public/install-script/kuboard.yaml
@ -94,29 +94,29 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: kuboard-viewer-node
+  name: kuboard-viewer:kuboard-minimum-role
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: system:node
+  name: kuboard-minimum-role
 subjects:
- kind: ServiceAccount
-  name: kuboard-viewer
-  namespace: kube-system
+  - kind: ServiceAccount
+    name: kuboard-viewer
+    namespace: kube-system

 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: ClusterRole
 metadata:
-  name: kuboard-viewer-pvp
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:persistent-volume-provisioner
-subjects:
- kind: ServiceAccount
-  name: kuboard-viewer
-  namespace: kube-system
+  name: kuboard-minimum-role
+rules:
+  - apiGroups:
+    - ''
+    resources:
+    - 'namespaces'
+    - 'nodes'
+    verbs:
+    - 'list'

 ---
 apiVersion: extensions/v1beta1
--- a/.vuepress/public/install-script/refine-kuboard-role.yaml
+++ b/.vuepress/public/install-script/refine-kuboard-role.yaml
@ -0,0 +1,34 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kuboard-viewer:kuboard-minimum-role
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kuboard-minimum-role
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: system:serviceaccounts
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kuboard-minimum-role
+rules:
+  - apiGroups:
+    - 'rbac.authorization.k8s.io'
+    resources:
+    - 'clusterrolebindings'
+    - 'rolebindings'
+    verbs:
+    - 'list'
+  - apiGroups:
+    - 'rbac.authorization.k8s.io'
+    resources:
+    - 'clusterroles'
+    - 'roles'
+    verbs:
+    - 'get'