使用Kuboard管理RBAC

2020-01-14 09:08:06 +08:00
parent 496c6e6690
commit bbcf240c05
25 changed files with 405 additions and 68 deletions
--- a/.vuepress/components/AdSenseLeftTop.vue
+++ b/.vuepress/components/AdSenseLeftTop.vue
@ -10,6 +10,11 @@
    <script>
        (adsbygoogle = window.adsbygoogle || []).push({});
    </script>
    <!-- <div>
      <a @click="$sendGaEvent('ads-nav-top:tencent-cloud', 'ads-nav-top', 'ads-nav-top')" href="https://cloud.tencent.com/act/cps/redirect?redirect=1052&cps_key=2ee6baa049659f4713ddc55a51314372&from=console" target="_blank">
        <img style="max-width: 100%;" src="/images/ads/tencent-cloud.jpg"/>
      </a>
    </div> -->
  </div>
 </template>
--- a/.vuepress/components/ad-list.js
+++ b/.vuepress/components/ad-list.js
@ -5,7 +5,7 @@ module.exports = [
    strong: '一键离线安装',
    action: '去看看',
    url: 'https://github.com/fanux/sealos',
-    weight: 10
+    weight: 60
  },
  // {
  //   name: '阳明的博客',
@ -23,14 +23,14 @@ module.exports = [
  //   url: 'https://time.geekbang.org/column/intro/100036601?code=0Totv3yN%2FohiumTclUF4ky4qRYs9Ecq6ZK4IdgNf88M%3D',
  //   weight: 1
  // },
-  {
+  // {
-    name: '腾讯云',
+  //   name: '腾讯云',
-    description: '腾讯云双十二活动，',
+  //   description: '腾讯云双十二活动，',
-    strong: '百款云产品一折起',
+  //   strong: '百款云产品一折起',
-    action: '去抢',
+  //   action: '去抢',
-    url: 'https://cloud.tencent.com/act/cps/redirect?redirect=1052&cps_key=2ee6baa049659f4713ddc55a51314372&from=console',
+  //   url: 'https://cloud.tencent.com/act/cps/redirect?redirect=1052&cps_key=2ee6baa049659f4713ddc55a51314372&from=console',
-    weight: 60
+  //   weight: 60
-  },
+  // },
  // {
  //   name: '阿里云',
  //   description: '双十二，主会场，',
@ -41,14 +41,14 @@ module.exports = [
  // },
  {
    name: 'Kubetrain',
-    description: 'K8S在线直播培训，首次开班优惠',
+    description: 'K8S在线直播培训，内推机会',
    strong: '不满意可无条件退款',
    action: '现在就去',
    url: 'https://kubetrain.cn/?from=kuboard-ads',
    weight: 60
  },
  {
-    name: '10元直播课',
+    name: '12元直播课',
    description: 'Kubernetes集群安装详解，安装脚本定制',
    strong: '入门起点',
    action: '捧个场',
--- a/.vuepress/config-sidebar.js
+++ b/.vuepress/config-sidebar.js
@ -48,8 +48,15 @@ module.exports = {
        'install-dashboard',
        'install-dashboard-offline',
        'install-dashboard-upgrade',
-        'install-kubectl',
+        {
-        'config-kubectl',
+          title: 'kubectl',
          collapsable: true,
          children: [
            'install-kubectl',
            'config-kubectl',
            'install-kubectl-sa',
          ]
        },
        'install-k8s-dashboard',
      ]
    },
@ -398,6 +405,7 @@ module.exports = {
          collapsable: true,
          children: [
            'k8s-advanced/sec/sa-admin',
            'k8s-advanced/sec/kuboard',
            'k8s-advanced/sec/rbac/api',
            'k8s-advanced/sec/rbac/default',
            'k8s-advanced/sec/rbac/escalation',
--- a/.vuepress/config.js
+++ b/.vuepress/config.js
@ -159,7 +159,7 @@ module.exports = {
      { text: '支持', link: '/support/' },
      { text: '培训', link: 'https://kubetrain.cn/?from=kuboard', target: '_blank' },
      // { text: '博客', link: 'http://k8s.kubetrain.cn/' },
-      { text: '论坛', link: 'http://bbs.kuboard.cn/', target: '_blank' },
+      // { text: '论坛', link: 'http://bbs.kuboard.cn/', target: '_blank' },
      // { text: 'DevOps', link: '/devops/' }
    ],
    displayAllHeaders: false,
--- a/.vuepress/public/images/ads/tencent-cloud.jpg
+++ b/.vuepress/public/images/ads/tencent-cloud.jpg
--- a/.vuepress/public/install-script/kuboard-beta.yaml
+++ b/.vuepress/public/install-script/kuboard-beta.yaml
@ -0,0 +1,112 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: kuboard
  namespace: kube-system
  annotations:
    k8s.eip.work/displayName: kuboard
    k8s.eip.work/ingress: "true"
    k8s.eip.work/service: NodePort
    k8s.eip.work/workload: kuboard
  labels:
    k8s.eip.work/layer: monitor
    k8s.eip.work/name: kuboard
 spec:
  replicas: 1
  selector:
    matchLabels:
      k8s.eip.work/layer: monitor
      k8s.eip.work/name: kuboard
  template:
    metadata:
      labels:
        k8s.eip.work/layer: monitor
        k8s.eip.work/name: kuboard
    spec:
      containers:
      - name: kuboard
        image: eipwork/kuboard:beta
        imagePullPolicy: Always
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: kuboard
  namespace: kube-system
 spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    nodePort: 32567
  selector:
    k8s.eip.work/layer: monitor
    k8s.eip.work/name: kuboard
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: kuboard-user
  namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: kuboard-user
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: kuboard-user
  namespace: kube-system
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: kuboard-viewer
  namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: kuboard-viewer
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
 subjects:
 - kind: ServiceAccount
  name: kuboard-viewer
  namespace: kube-system
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: kuboard
  namespace: kube-system
  annotations:
    k8s.eip.work/displayName: kuboard
    k8s.eip.work/workload: kuboard
    nginx.org/websocket-services: "kuboard"
    nginx.com/sticky-cookie-services: "serviceName=kuboard srv_id expires=1h path=/"
 spec:
  rules:
  - host: kuboard.yourdomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kuboard
          servicePort: http
--- a/.vuepress/public/install-script/kuboard-offline.yaml
+++ b/.vuepress/public/install-script/kuboard-offline.yaml
@ -95,26 +95,26 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: kuboard-viewer-node
+  name: kuboard-viewer:kuboard-minimum-role
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: system:node
+  name: kuboard-minimum-role
 subjects:
- kind: ServiceAccount
+  - kind: ServiceAccount
-  name: kuboard-viewer
+    name: kuboard-viewer
-  namespace: kube-system
+    namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: ClusterRole
 metadata:
-  name: kuboard-viewer-pvp
+  name: kuboard-minimum-role
-roleRef:
+rules:
-  apiGroup: rbac.authorization.k8s.io
+  - apiGroups:
-  kind: ClusterRole
+    - ''
-  name: system:persistent-volume-provisioner
+    resources:
-subjects:
+    - 'namespaces'
- kind: ServiceAccount
+    - 'nodes'
-  name: kuboard-viewer
+    verbs:
-  namespace: kube-system
+    - 'list'
--- a/.vuepress/public/install-script/kuboard.yaml
+++ b/.vuepress/public/install-script/kuboard.yaml
@ -94,29 +94,29 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: kuboard-viewer-node
+  name: kuboard-viewer:kuboard-minimum-role
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: system:node
+  name: kuboard-minimum-role
 subjects:
- kind: ServiceAccount
+  - kind: ServiceAccount
-  name: kuboard-viewer
+    name: kuboard-viewer
-  namespace: kube-system
+    namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: ClusterRole
 metadata:
-  name: kuboard-viewer-pvp
+  name: kuboard-minimum-role
-roleRef:
+rules:
-  apiGroup: rbac.authorization.k8s.io
+  - apiGroups:
-  kind: ClusterRole
+    - ''
-  name: system:persistent-volume-provisioner
+    resources:
-subjects:
+    - 'namespaces'
- kind: ServiceAccount
+    - 'nodes'
-  name: kuboard-viewer
+    verbs:
-  namespace: kube-system
+    - 'list'
 ---
 apiVersion: extensions/v1beta1
--- a/.vuepress/public/install-script/refine-kuboard-role.yaml
+++ b/.vuepress/public/install-script/refine-kuboard-role.yaml
@ -0,0 +1,34 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: kuboard-viewer:kuboard-minimum-role
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kuboard-minimum-role
 subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: kuboard-minimum-role
 rules:
  - apiGroups:
    - 'rbac.authorization.k8s.io'
    resources:
    - 'clusterrolebindings'
    - 'rolebindings'
    verbs:
    - 'list'
  - apiGroups:
    - 'rbac.authorization.k8s.io'
    resources:
    - 'clusterroles'
    - 'roles'
    verbs:
    - 'get'
--- a/.vuepress/theme/components/Sidebar.vue
+++ b/.vuepress/theme/components/Sidebar.vue
@ -26,9 +26,9 @@
      <!-- <div class="side-nav-item">
        <a href="http://k8s.kubetrain.cn" class="nav-link" target="_blank">博客</a>
      </div> -->
-      <div class="side-nav-item">
+      <!-- <div class="side-nav-item">
        <a href="http://bbs.kuboard.cn" class="nav-link" target="_blank">论坛</a>
-      </div>
+      </div> -->
    </div>
    <slot name="top"/>
    <SidebarLinks :depth="0" :items="items"/>
--- a/install/install-dashboard.md
+++ b/install/install-dashboard.md
@ -47,16 +47,29 @@ Kuboard 是 Kubernetes 的一款图形化管理界面。
 <b-card>
 <b-tabs content-class="mt-3">
-  <b-tab title="安装" active>
+<b-tab title="安装" active>
 安装 Kuboard。
 > 如果您参考 https://kuboard.cn 网站上提供的 Kubernetes 安装文档，可在 master 节点上执行以下命令。
 <b-tabs content-class="mt-3">
 <b-tab title="稳定版">
 ``` sh
 kubectl apply -f https://kuboard.cn/install-script/kuboard.yaml
 ```
 </b-tab>
 <b-tab title="Beta版">
 ``` sh
 kubectl apply -f https://kuboard.cn/install-script/kuboard-beta.yaml
 ```
 </b-tab>
 </b-tabs>
 查看 Kuboard 运行状态：
 ``` sh
@ -70,8 +83,8 @@ kuboard-54c9c4f6cb-6lf88   1/1     Running       0          45s
 ```
 > 如果您一直不能看到 kuboard 处于 Running 状态，可参考 [诊断应用程序](/learning/k8s-advanced/ts/application.html)，查找原因。如不能解决，请到本文页尾加群，联系群主解决。
-  </b-tab>
+</b-tab>
-  <b-tab title="卸载">
+<b-tab title="卸载">
 卸载 Kuboard
@ -79,7 +92,7 @@ kuboard-54c9c4f6cb-6lf88   1/1     Running       0          45s
 kubectl delete -f https://kuboard.cn/install-script/kuboard.yaml
 ```
-  </b-tab>
+</b-tab>
 </b-tabs>
 </b-card>
@ -87,7 +100,8 @@ kubectl delete -f https://kuboard.cn/install-script/kuboard.yaml
 您可以获得管理员用户、只读用户的Token。
-> Kuboard 有计划开发权限设置的功能，在这之前，如果您需要更细粒度的权限控制，请参考 [RBAC Example](/learning/k8s-advanced/sec/rbac/example.html)
+> * 如果您需要更细粒度的权限控制，请参考 [RBAC Example](/learning/k8s-advanced/sec/rbac/example.html)
 > * Kuboard beta 版已经开始支持 RBAC，请参考 [使用Kuboard管理ServiceAccount及RBAC](/learning/k8s-advanced/sec/kuboard.html)
 <b-card>
 <b-tabs content-class="mt-3">
--- a/install/install-k8s.md
+++ b/install/install-k8s.md
@ -25,7 +25,7 @@ meta:
 * 了解何规划自己的集群，并可以结合自己的实际情况对安装脚本做客户化定制
 * 了解快速落地 K8S 的最佳学习路径
-[报名直播课程-详细讲解此安装过程](https://ke.qq.com/course/477593?flowToken=1016935)
+[报名12元直播课程-详细讲解此安装过程](https://ke.qq.com/course/477593?flowToken=1016935)
 也可以在此 [提出对直播课的要求](http://bbs.kuboard.cn/forum.php?mod=viewthread&tid=10)
@ -117,9 +117,9 @@ lscpu
 | 7.7         | <span style="font-size: 24px;">😄</span> | 已验证                              |
 | 7.6         | <span style="font-size: 24px;">😄</span> | 已验证                              |
 | 7.5         | <span style="font-size: 24px;">😞</span> | 已证实会出现 kubelet 无法启动的问题    |
-| 7.4         | <span style="font-size: 24px;">😞</span> | 同上                              |
+| 7.4         | <span style="font-size: 24px;">😞</span> | 已证实会出现 kubelet 无法启动的问题                              |
-| 7.3         | <span style="font-size: 24px;">😞</span> | 同上                              |
+| 7.3         | <span style="font-size: 24px;">😞</span> | 已证实会出现 kubelet 无法启动的问题                              |
-| 7.2         | <span style="font-size: 24px;">😞</span> | 同上                              |
+| 7.2         | <span style="font-size: 24px;">😞</span> | 已证实会出现 kubelet 无法启动的问题                              |
 </div>
  </grid-item>
@ -516,7 +516,7 @@ kubectl delete -f https://kuboard.cn/install-script/v1.17.x/nginx-ingress.yaml
 您已经完成了 Kubernetes 集群的安装，下一步请：
-[报名直播课程-详细讲解此安装过程](https://ke.qq.com/course/477593?flowToken=1016934) 也可以在此 [提出对直播课的要求](http://bbs.kuboard.cn/forum.php?mod=viewthread&tid=10)
+[报名12元直播课程-详细讲解此安装过程](https://ke.qq.com/course/477593?flowToken=1016934) 也可以在此 [提出对直播课的要求](http://bbs.kuboard.cn/forum.php?mod=viewthread&tid=10)
 <span v-on:click="$sendGaEvent('安装后求GitHub Star','安装后求GitHub Star','安装后求GitHub Star')"><a href="https://github.com/eip-work/kuboard-press" target="_blank">点击此处，给个GitHub Star</a></span>
 支持一下吧，<StarCount></StarCount>这么多人都 star 了呢，怎么能少得了您呢？
--- a/install/install-kubectl-sa.md
+++ b/install/install-kubectl-sa.md
@ -0,0 +1,19 @@
 ---
 vssueId: 18
 titlePrefix: 从客户端电脑远程管理Kubernetes
 description: Kubernete安装文档_日常工作中您可能需要在自己的笔记本电脑上执行kubectl命令以管理远程Linux服务器上的Kubernetes集群_本文档介绍了如何从Kuboard中获取kubectl的配置文件
 meta:
  - name: keywords
    content: kubectl,kubectl安装,远程管理Kubernetes,远程管理K8S
 ---
 # 使用ServiceAccount登录kubectl
 <AdSenseTitle/>
 ## 创建 ServiceAccount 并分配权限
 请参考 [使用Kuboard管理ServiceAccount及RBAC](/learning/k8s-advanced/sec/kuboard.html)
 ## 在kubectl中使用ServiceAccount管理集群
--- a/install/install-kubernetes.md
+++ b/install/install-kubernetes.md
@ -63,8 +63,8 @@ kubernetes 安装有多种选择，本文档描述的集群安装具备如下特
 * **在线答疑** 
  <Qq></Qq> 也可以扫描二维码加群
-  <p>
+  <p style="max-width: 160px;">
-    <img src="/images/kuboard_qq.png" alt="Kubernetes教程：QQ群在线答疑"/>
+    <img src="/images/kuboard_qq.png" style="padding: 10px;" alt="Kubernetes教程：QQ群在线答疑"/>
  </p>
 <!-- </div>
@ -515,14 +515,14 @@ kubectl delete node demo-worker-x-x
 ## 安装 Ingress Controller
-> Ingress官方文档：https://kubernetes.io/docs/concepts/services-networking/ingress/
+<!-- > Ingress官方文档：https://kubernetes.io/docs/concepts/services-networking/ingress/
 >
 > Ingress Controllers官网介绍：https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/
 >
 > 本文中使用如下部署方式：https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#using-a-self-provisioned-edge
 >
-> kubernetes支持多种Ingress Controllers (traefic / Kong / Istio / Nginx 等)，本文推荐使用 https://github.com/nginxinc/kubernetes-ingress
+> kubernetes支持多种Ingress Controllers (traefic / Kong / Istio / Nginx 等)，本文推荐使用 https://github.com/nginxinc/kubernetes-ingress -->
-
+kubernetes支持多种Ingress Controllers (traefic / Kong / Istio / Nginx 等)，本文推荐使用 https://github.com/nginxinc/kubernetes-ingress
 <b-card>
 <b-tabs content-class="mt-3">
--- a/learning/k8s-advanced/sec/kuboard.assets/image-20200107220752697.png
+++ b/learning/k8s-advanced/sec/kuboard.assets/image-20200107220752697.png
--- a/learning/k8s-advanced/sec/kuboard.assets/image-20200107220900840.png
+++ b/learning/k8s-advanced/sec/kuboard.assets/image-20200107220900840.png
--- a/learning/k8s-advanced/sec/kuboard.assets/image-20200107221016367.png
+++ b/learning/k8s-advanced/sec/kuboard.assets/image-20200107221016367.png
--- a/learning/k8s-advanced/sec/kuboard.assets/image-20200107221157156.png
+++ b/learning/k8s-advanced/sec/kuboard.assets/image-20200107221157156.png
--- a/learning/k8s-advanced/sec/kuboard.assets/image-20200107221411054.png
+++ b/learning/k8s-advanced/sec/kuboard.assets/image-20200107221411054.png
--- a/learning/k8s-advanced/sec/kuboard.assets/image-20200107221703581.png
+++ b/learning/k8s-advanced/sec/kuboard.assets/image-20200107221703581.png
--- a/learning/k8s-advanced/sec/kuboard.assets/image-20200107221910036.png
+++ b/learning/k8s-advanced/sec/kuboard.assets/image-20200107221910036.png
--- a/learning/k8s-advanced/sec/kuboard.md
+++ b/learning/k8s-advanced/sec/kuboard.md
@ -0,0 +1,75 @@
 ---
 vssueId: 175
 layout: LearningLayout
 sharingTitle: Kubernetes的RBAC授权从未如此简单
 description: Kubernetes教程_Role-based_access_control_(RBAC)基于角色的访问控制_是Kubernetes中支持的一种授权方式。本文描述了如何使用Kuboard管理RBAC授权规则
 meta:
  - name: keywords
    content: Kubernetes 教程,Kubernetes 授权,Kubernetes RBAC,Kubernetes权限,Service Account Permissions
 ---
 # 使用Kuboard管理ServiceAccount及RBAC
 <AdSenseTitle/>
 首先，确保您已经 [安装了 Kuboard](/install/install-dashboard-upgrade.html) <Badge>Kuboard v1.0.6-beta.3</Badge>，并且使用 [管理员用户](/install/install-dashboard.html#获取token)) 登录Kuboard
 ## 为名称空间创建管理员用户
 ::: tip 用户名密码？
 * 当前只支持 [ServiceAccount](/learning/k8s-advanced/sec/sa-admin.html#user-accounts-vs-service-accounts)
 * 用户名密码（OpenID Connect）的登录方式将在2020年2月提供
 :::
 按照下面的步骤，可以快速为 Kubernetes 中的某个名称空间创建管理用户
 * 进入 Kuboard 名称空间页面，如下图所示：
  ![Kubernetes教程_ServiceAccount](./kuboard.assets/image-20200107220752697.png)
 * 点击上图中的 ***ServiceAccount*** 按钮，进入 ServiceAccount 列表页面，如下图所示：
  ![Kubernetes教程_ServiceAccount](./kuboard.assets/image-20200107220900840.png)
 * 点击上图中的 ***创建ServiceAccount*** 按钮，如下图所示：
  填写 **名称** 后，保存 *ServiceAccount*
  ![Kubernetes教程_ServiceAccount](./kuboard.assets/image-20200107221016367.png)
 * 完成创建后，将自动进入 ServiceAccount 详情页，如下图所示：
  图中，可以看到 Kubernetes 默认为 ServiceAccount 授予的 ***集群级别权限***
  ![Kubernetes教程_ServiceAccount](./kuboard.assets/image-20200107221157156.png)
 * 点击上图中 ***RoleBinding*** 后的 ***添加*** 按钮，如下图所示：
  并在 ***关联的 ClusterRole/Role*** 选择：
  * kind :  ClusterRole
  * name : admin
  ![Kubernetes教程_ServiceAccount](./kuboard.assets/image-20200107221411054.png)
 * 点击上图中的 ***保存*** 按钮，完成后如下图所示：
  可以观察到已经为 *admin-user* 这个 *ServiceAccount* 授予了名称空间内部的 *admin* 角色，对应的权限可以在 ***名称空间级别权限*** 中查看
  ![Kubernetes教程_ServiceAccount](./kuboard.assets/image-20200107221703581.png)
 * 点击上图中的 ***查看Token*** 按钮，如下图所示：
  **此 Token 可以用来登录 Kuboard 界面**
  ![Kubernetes教程_ServiceAccount](./kuboard.assets/image-20200107221910036.png)
 ## 下一步
 [在 kubectl 中使用 ServiceAccount 的 Token 管理 Kubernetes 集群](/install/install-kubectl-sa.html)
--- a/learning/k8s-advanced/sec/rbac/default.md
+++ b/learning/k8s-advanced/sec/rbac/default.md
@ -52,7 +52,7 @@ kubectl get clusterroles system:discovery -o yaml
 * 可通过 ClusterRoleBinding 绑定的集群级别的角色（`cluster-status`）
 * 可通过 RoleBinding 绑定到特定名称空间的角色（`admin`、`edit`、`view`）
-从 Kubernetes 1.9 开始，user-facing roles 使用 [ClusterRole Aggregation](./api.html#aggregated-clusterroles) 以使管理员在其中包含 Custom Resource 的授权规则。想 `admin`、`edit`、`view` 等角色添加授权规则时，可创建一个 ClusterRole，包含一个或多个下述标签即可：
+从 Kubernetes 1.9 开始，user-facing roles 使用 [ClusterRole Aggregation](./api.html#aggregated-clusterroles) 以使管理员在其中包含 Custom Resource 的授权规则。向 `admin`、`edit`、`view` 等角色添加授权规则时，可创建一个 ClusterRole，包含一个或多个下述标签即可：
 ``` yaml
 metadata:
@ -124,4 +124,4 @@ metadata:
 - system:controller:service-account-controller
 - system:controller:service-controller
 - system:controller:statefulset-controller
- system:controller:ttl-controller
+- system:controller:ttl-controller
--- a/support/change-log/change-log-on-the-way.md
+++ b/support/change-log/change-log-on-the-way.md
@ -1,13 +1,22 @@
 Kuboard v1.0.x 的更新说明
-
+## v1.0.6-beta.5
 ## v1.0.6-beta.1
 **新特性**
 * ServiceAccount详情页 --> 使用 ServiceAccount 的 Token 访问 kubectl
-* 工作负载编辑器 --> 容器信息 --> 挂载点 --> 支持subPathExpr
+**优化**
 * ServiceAccount列表页 --> 按名称、标签搜索
 * ServiceAccount详情页 --> 删除ServiceAccount时，同时删除关联的 RoleBinding/ClusterRoleBinding
 **Bug修复**
 * Secret对话框 --> 创建Secret时，不显示内容区
 * 名称空间页 --> StatefulSet如果没有 annotations 时，不能在名称空间页上显示
  * 此问题的具体表现：部分使用 helm 创建的工作负载不能在Kuboard上显示，原因是Deployment、StatefulSet或DaemonSet中没有 annotations 信息
 ------------------
 * 安装文档中，去除 IngressController 的链接
 * 日志界面支持 ctrl + F
 * 更新版本时，可以通过下拉列表选择仓库中的版本号
--- a/support/change-log/v1.0.x.md
+++ b/support/change-log/v1.0.x.md
@ -9,10 +9,71 @@ description: 本文描述了Kuboard_v1.0.x的版本变更说明
 了解如何 [升级Kuboard](/install/install-dashboard-upgrade.html)
-eipwork/kuboard:latest 当前对应的版本是 kuboard v1.0.5.4
+* eipwork/kuboard:<span style="font-weight: 800; color: #007af5">latest</span> 当前对应的版本是 kuboard <span style="font-weight: 800; color: #007af5">v1.0.5.4</span>
 * eipwork/kuboard:<span style="font-weight: 800; color: #42b983">beta</span> 当前对应的版本是 kuboard <span style="font-weight: 800; color: #42b983">v1.0.6-beta.3</span>
 Kuboard v1.0.x 的更新说明
 ## v1.0.6-beta.4
 **新特性**
 * 按条件查询ClusterRole列表
 * 创建ClusterRole
 **优化**
 * 根据当前用户的权限决定是否显示创建ClusterRoleBinding
 **Bug修复**
 * 删除对象窗口 --> 部分情况下，确认按钮不能点击
 * 集群概览页 --> 在部分情况下布局不正常
 ## v1.0.6-beta.3
 **发布日期**
 2020年1月7日
 **新特性**
 * 查看当前登录用户的信息及权限
 **优化**
 * 登录界面 --> 如果用户不能查看名称空间列表，则跳过集群概览页面直接进入其所在的名称空间
 * 登录界面 --> 校验 Token 时使用 selfsubjectaccessreviews 接口，而不是 nodes 接口，以符合最小授权原则
 * ServiceAccount列表页及详情页 --> 根据当前登录用户的访问规则显示对应的操作按钮
 ## v1.0.6-beta.2
 **发布日期**
 2020年1月6日
 **新特性**
 * 可以创建 ServiceAccount，并为其分配 ClusterRole/Role
  * ServiceAccount --> 创建/删除 ServiceAccount
  * ServiceAccount --> ClusterRoleBinding --> 绑定到ClusterRole/Role
  * ClusterRole 详细信息 --> ClusterRoleBinding/RoleBinding --> 绑定到 ServiceAccount
  * Role 详细信息 --> RoleBinding --> 绑定到 ServiceAccount
 * 可以使用自建的 ServiceAccount 登陆 Kuboard
  * 登陆界面 --> 输入Token后，显示 ServiceAccountName
  * 页头 --> 显示当前登陆用户名
 ## v1.0.6-beta.1
 **发布日期**
 2020年1月5日
 **新特性**
 * 工作负载编辑器 --> 容器信息 --> 挂载点 --> 支持subPathExpr
 * 名称空间 --> ServiceAccount --> 列表
 * 名称空间 --> ServiceAccount --> 查看详情及修改 ClusterRoleBinding/RoleBinding
 **BUG修复**
 * 删除对象 --> 再次打开删除对象的对话框时，确认对象名称的输入框包含了上次删除的对象的名称
 ## v1.0.5.4
 **发布日期**