Permission Manager

Permission Manager是一個(gè)為Kubernetes RBAC和用戶管理提供Web UI的項(xiàng)目魄咕，為Kubernetes權(quán)限管理提供友好的可視化界面赊抖。

安裝

從 https://github.com/sighupio/permission-manager/tree/master/deployments/kubernetes 把yaml文件下載下來(lái),如下

[root@qd01-stop-k8s-master001 kubernetes]# ll
total 4
-rw-r--r-- 1 root root 2697 Jan 28 11:08 deploy.yml
drwxr-xr-x 2 root root   37 Jan 28 11:14 seeds

創(chuàng)建namespace

[root@qd01-stop-k8s-master001 kubernetes]# kubectl create namespace permission-manager
namespace/permission-manager created

創(chuàng)建秘密并進(jìn)行相應(yīng)更新

[rancher@qd01-stop-k8snode011 permission-manager]$ cat secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: permission-manager
  namespace: permission-manager
type: Opaque
stringData:
  PORT: "4000" # port where server is exposed
  CLUSTER_NAME: "kubernetes-cluster" # name of the cluster to use in the generated kubeconfig file
  CONTROL_PLANE_ADDRESS: "https://10.26.29.208:6443" # full address of the control plane to use in the generated kubeconfig file
  BASIC_AUTH_PASSWORD: "k8sAdmin" # password used by basic auth (username is `admin`)

[root@qd01-stop-k8s-master001 kubernetes]# kubectl apply -f secret.yaml
secret/permission-manager created

部署

[root@qd01-stop-k8s-master001 seeds]# kubectl apply -f crd.yml
Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/permissionmanagerusers.permissionmanager.user created

[root@qd01-stop-k8s-master001 seeds]# kubectl apply -f seed.yml
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___operation created
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___developer created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___read-only created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___admin created


[root@qd01-stop-k8s-master001 kubernetes]# kubectl apply -f deploy.yml
service/permission-manager created
deployment.apps/permission-manager created
serviceaccount/permission-manager created
clusterrole.rbac.authorization.k8s.io/permission-manager created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
clusterrolebinding.rbac.authorization.k8s.io/permission-manager created

以上就把permission-manager部署好了，Warning信息可忽略或者自行修改yaml文件中api版本為rbac.authorization.k8s.io/v1

使用ingress暴露服務(wù)

創(chuàng)建ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: permission-manager-ingress
  namespace: permission-manager
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: permission.ieasou.cn
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: permission-manager
            port:
              number: 4000

[root@qd01-stop-k8s-master001 kubernetes]# kubectl apply -f ingress.yaml
[root@qd01-stop-k8s-master001 kubernetes]# kubectl get ing -n permission-manager
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
NAME                         CLASS    HOSTS                  ADDRESS                     PORTS   AGE
permission-manager-ingress   <none>   permission.ieasou.cn   10.26.29.202,10.26.29.203   80      4m8s

自行添加dns解析，然后瀏覽器訪問(wèn)permission.ieasou.cn陈轿，使用用戶名密碼（在secret中設(shè)置的）登錄

登錄

image.png

目前沒(méi)有任何的用戶吝羞，我們可以創(chuàng)建一個(gè)普通用戶測(cè)試下

創(chuàng)建用戶

點(diǎn)擊Create New User

image.png

填寫相關(guān)信息

image.png

然后點(diǎn)擊Save即可
在用戶信息下可以查看生成的config文件

image.png

測(cè)試

保存config文件，然后使用這個(gè)配置文件訪問(wèn)集群
我這里把config文件拷貝到本地了讨，重命名為scofield,使用kubectl測(cè)試

[root@qd01-stop-k8s-master001 kubernetes]# kubectl --kubeconfig=scofield  get po
No resources found in default namespace.

[root@qd01-stop-k8s-master001 kubernetes]# kubectl --kubeconfig=scofield  get po -n argo
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:permission-manager:scofield" cannot list resource "pods" in API group "" in the namespace "argo"

從以上輸出可以看出捻激，我分別查詢的兩個(gè)namespace,分別是default和argo,但是只有default這個(gè)命名空間有權(quán)限制轰，而argo這個(gè)命名空間是沒(méi)有權(quán)限操作的。這跟我們?cè)趧?chuàng)建用戶是賦予的權(quán)限是一致的胞谭。
更多信息請(qǐng)查看官網(wǎng)