2184 lines
136 KiB
HTML
2184 lines
136 KiB
HTML
|
||
<!DOCTYPE HTML>
|
||
<html lang="zh-cn" >
|
||
<head>
|
||
<meta charset="UTF-8">
|
||
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
|
||
<title>3.3.5 RBAC——基于角色的访问控制 · Kubernetes Handbook</title>
|
||
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
|
||
<meta name="description" content="">
|
||
<meta name="generator" content="GitBook 3.2.2">
|
||
<meta name="author" content="Jimmy Song">
|
||
|
||
|
||
|
||
<link rel="stylesheet" href="../gitbook/style.css">
|
||
|
||
|
||
|
||
|
||
<link rel="stylesheet" href="../gitbook/gitbook-plugin-splitter/splitter.css">
|
||
|
||
|
||
|
||
<link rel="stylesheet" href="../gitbook/gitbook-plugin-page-toc-button/plugin.css">
|
||
|
||
|
||
|
||
<link rel="stylesheet" href="../gitbook/gitbook-plugin-image-captions/image-captions.css">
|
||
|
||
|
||
|
||
<link rel="stylesheet" href="../gitbook/gitbook-plugin-page-footer-ex/style/plugin.css">
|
||
|
||
|
||
|
||
<link rel="stylesheet" href="../gitbook/gitbook-plugin-search-plus/search.css">
|
||
|
||
|
||
|
||
<link rel="stylesheet" href="../gitbook/gitbook-plugin-highlight/website.css">
|
||
|
||
|
||
|
||
<link rel="stylesheet" href="../gitbook/gitbook-plugin-fontsettings/website.css">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<meta name="HandheldFriendly" content="true"/>
|
||
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
|
||
<meta name="apple-mobile-web-app-capable" content="yes">
|
||
<meta name="apple-mobile-web-app-status-bar-style" content="black">
|
||
<link rel="apple-touch-icon-precomposed" sizes="152x152" href="../gitbook/images/apple-touch-icon-precomposed-152.png">
|
||
<link rel="shortcut icon" href="../gitbook/images/favicon.ico" type="image/x-icon">
|
||
|
||
|
||
<link rel="next" href="access-kubernetes-cluster.html" />
|
||
|
||
|
||
<link rel="prev" href="kubectl-user-authentication-authorization.html" />
|
||
|
||
|
||
</head>
|
||
<body>
|
||
|
||
<div class="book">
|
||
<div class="book-summary">
|
||
|
||
|
||
<div id="book-search-input" role="search">
|
||
<input type="text" placeholder="輸入並搜尋" />
|
||
</div>
|
||
|
||
|
||
<nav role="navigation">
|
||
|
||
|
||
|
||
<ul class="summary">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<li class="chapter " data-level="1.1" data-path="../">
|
||
|
||
<a href="../">
|
||
|
||
|
||
1. 前言
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2" data-path="../concepts/">
|
||
|
||
<a href="../concepts/">
|
||
|
||
|
||
2. 概念原理
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.2.1" data-path="../concepts/concepts.html">
|
||
|
||
<a href="../concepts/concepts.html">
|
||
|
||
|
||
2.1 设计理念
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2" data-path="../concepts/objects.html">
|
||
|
||
<a href="../concepts/objects.html">
|
||
|
||
|
||
2.2 Objects
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.2.2.1" data-path="../concepts/pod-overview.html">
|
||
|
||
<a href="../concepts/pod-overview.html">
|
||
|
||
|
||
2.2.1 Pod
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.2.2.1.1" data-path="../concepts/pod.html">
|
||
|
||
<a href="../concepts/pod.html">
|
||
|
||
|
||
2.2.1.1 Pod解析
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.1.2" data-path="../concepts/init-containers.html">
|
||
|
||
<a href="../concepts/init-containers.html">
|
||
|
||
|
||
2.2.1.2 Init容器
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.1.3" data-path="../concepts/pod-security-policy.html">
|
||
|
||
<a href="../concepts/pod-security-policy.html">
|
||
|
||
|
||
2.2.1.3 Pod安全策略
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.2" data-path="../concepts/node.html">
|
||
|
||
<a href="../concepts/node.html">
|
||
|
||
|
||
2.2.2 Node
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.3" data-path="../concepts/namespace.html">
|
||
|
||
<a href="../concepts/namespace.html">
|
||
|
||
|
||
2.2.3 Namespace
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.4" data-path="../concepts/service.html">
|
||
|
||
<a href="../concepts/service.html">
|
||
|
||
|
||
2.2.4 Service
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.5" data-path="../concepts/volume.html">
|
||
|
||
<a href="../concepts/volume.html">
|
||
|
||
|
||
2.2.5 Volume和Persistent Volume
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.6" data-path="../concepts/deployment.html">
|
||
|
||
<a href="../concepts/deployment.html">
|
||
|
||
|
||
2.2.6 Deployment
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.7" data-path="../concepts/secret.html">
|
||
|
||
<a href="../concepts/secret.html">
|
||
|
||
|
||
2.2.7 Secret
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.8" data-path="../concepts/statefulset.html">
|
||
|
||
<a href="../concepts/statefulset.html">
|
||
|
||
|
||
2.2.8 StatefulSet
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.9" data-path="../concepts/daemonset.html">
|
||
|
||
<a href="../concepts/daemonset.html">
|
||
|
||
|
||
2.2.9 DaemonSet
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.10" data-path="../concepts/serviceaccount.html">
|
||
|
||
<a href="../concepts/serviceaccount.html">
|
||
|
||
|
||
2.2.10 ServiceAccount
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.11" data-path="../concepts/replicaset.html">
|
||
|
||
<a href="../concepts/replicaset.html">
|
||
|
||
|
||
2.2.11 ReplicationController和ReplicaSet
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.12" data-path="../concepts/job.html">
|
||
|
||
<a href="../concepts/job.html">
|
||
|
||
|
||
2.2.12 Job
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.13" data-path="../concepts/cronjob.html">
|
||
|
||
<a href="../concepts/cronjob.html">
|
||
|
||
|
||
2.2.13 CronJob
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.14" data-path="../concepts/ingress.html">
|
||
|
||
<a href="../concepts/ingress.html">
|
||
|
||
|
||
2.2.14 Ingress
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.15" data-path="../concepts/configmap.html">
|
||
|
||
<a href="../concepts/configmap.html">
|
||
|
||
|
||
2.2.15 ConfigMap
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.16" data-path="../concepts/horizontal-pod-autoscaling.html">
|
||
|
||
<a href="../concepts/horizontal-pod-autoscaling.html">
|
||
|
||
|
||
2.2.16 Horizontal Pod Autoscaling
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.17" data-path="../concepts/label.html">
|
||
|
||
<a href="../concepts/label.html">
|
||
|
||
|
||
2.2.17 Label
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.18" data-path="../concepts/garbage-collection.html">
|
||
|
||
<a href="../concepts/garbage-collection.html">
|
||
|
||
|
||
2.2.18 垃圾收集
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.2.2.19" data-path="../concepts/network-policy.html">
|
||
|
||
<a href="../concepts/network-policy.html">
|
||
|
||
|
||
2.2.19 NetworkPolicy
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.3" data-path="./">
|
||
|
||
<a href="./">
|
||
|
||
|
||
3. 用户指南
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.3.1" data-path="resource-configuration.html">
|
||
|
||
<a href="resource-configuration.html">
|
||
|
||
|
||
3.1 资源配置
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.3.1.1" data-path="configure-liveness-readiness-probes.html">
|
||
|
||
<a href="configure-liveness-readiness-probes.html">
|
||
|
||
|
||
3.1.1 配置Pod的liveness和readiness探针
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.3.1.2" data-path="configure-pod-service-account.html">
|
||
|
||
<a href="configure-pod-service-account.html">
|
||
|
||
|
||
3.1.2 配置Pod的Service Account
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.3.2" data-path="command-usage.html">
|
||
|
||
<a href="command-usage.html">
|
||
|
||
|
||
3.2 命令使用
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.3.2.1" data-path="using-kubectl.html">
|
||
|
||
<a href="using-kubectl.html">
|
||
|
||
|
||
3.2.1 使用kubectl
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.3.3" data-path="cluster-management.html">
|
||
|
||
<a href="cluster-management.html">
|
||
|
||
|
||
3.3 集群管理
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.3.3.1" data-path="managing-tls-in-a-cluster.html">
|
||
|
||
<a href="managing-tls-in-a-cluster.html">
|
||
|
||
|
||
3.3.1 管理集群中的TLS
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.3.3.2" data-path="kubelet-authentication-authorization.html">
|
||
|
||
<a href="kubelet-authentication-authorization.html">
|
||
|
||
|
||
3.3.2 kubelet的认证授权
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.3.3.3" data-path="tls-bootstrapping.html">
|
||
|
||
<a href="tls-bootstrapping.html">
|
||
|
||
|
||
3.3.3 TLS bootstrap
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.3.3.4" data-path="kubectl-user-authentication-authorization.html">
|
||
|
||
<a href="kubectl-user-authentication-authorization.html">
|
||
|
||
|
||
3.3.4 kubectl的用户认证授权
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter active" data-level="1.3.3.5" data-path="rbac.html">
|
||
|
||
<a href="rbac.html">
|
||
|
||
|
||
3.3.5 RBAC——基于角色的访问控制
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.3.4" data-path="access-kubernetes-cluster.html">
|
||
|
||
<a href="access-kubernetes-cluster.html">
|
||
|
||
|
||
3.4 访问 Kubernetes 集群
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.3.4.1" data-path="access-cluster.html">
|
||
|
||
<a href="access-cluster.html">
|
||
|
||
|
||
3.4.1 访问集群
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.3.4.2" data-path="authenticate-across-clusters-kubeconfig.html">
|
||
|
||
<a href="authenticate-across-clusters-kubeconfig.html">
|
||
|
||
|
||
3.4.2 使用 kubeconfig 文件配置跨集群认证
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.3.4.3" data-path="connecting-to-applications-port-forward.html">
|
||
|
||
<a href="connecting-to-applications-port-forward.html">
|
||
|
||
|
||
3.4.3 通过端口转发访问集群中的应用程序
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.3.4.4" data-path="service-access-application-cluster.html">
|
||
|
||
<a href="service-access-application-cluster.html">
|
||
|
||
|
||
3.4.4 使用 service 访问群集中的应用程序
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.3.5" data-path="application-development-deployment-flow.html">
|
||
|
||
<a href="application-development-deployment-flow.html">
|
||
|
||
|
||
3.5 在kubernetes中开发部署应用
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.3.5.1" data-path="deploy-applications-in-kubernetes.html">
|
||
|
||
<a href="deploy-applications-in-kubernetes.html">
|
||
|
||
|
||
3.5.1 适用于kubernetes的应用开发部署流程
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.3.5.2" data-path="migrating-hadoop-yarn-to-kubernetes.html">
|
||
|
||
<a href="migrating-hadoop-yarn-to-kubernetes.html">
|
||
|
||
|
||
3.5.2 迁移传统应用到kubernetes中——以Hadoop YARN为例
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4" data-path="../practice/">
|
||
|
||
<a href="../practice/">
|
||
|
||
|
||
4. 最佳实践
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.4.1" data-path="../practice/install-kbernetes1.6-on-centos.html">
|
||
|
||
<a href="../practice/install-kbernetes1.6-on-centos.html">
|
||
|
||
|
||
4.1 在CentOS上部署kubernetes1.6集群
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.4.1.1" data-path="../practice/create-tls-and-secret-key.html">
|
||
|
||
<a href="../practice/create-tls-and-secret-key.html">
|
||
|
||
|
||
4.1.1 创建TLS证书和秘钥
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.1.2" data-path="../practice/create-kubeconfig.html">
|
||
|
||
<a href="../practice/create-kubeconfig.html">
|
||
|
||
|
||
4.1.2 创建kubeconfig文件
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.1.3" data-path="../practice/etcd-cluster-installation.html">
|
||
|
||
<a href="../practice/etcd-cluster-installation.html">
|
||
|
||
|
||
4.1.3 创建高可用etcd集群
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.1.4" data-path="../practice/kubectl-installation.html">
|
||
|
||
<a href="../practice/kubectl-installation.html">
|
||
|
||
|
||
4.1.4 安装kubectl命令行工具
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.1.5" data-path="../practice/master-installation.html">
|
||
|
||
<a href="../practice/master-installation.html">
|
||
|
||
|
||
4.1.5 部署master节点
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.1.6" data-path="../practice/node-installation.html">
|
||
|
||
<a href="../practice/node-installation.html">
|
||
|
||
|
||
4.1.6 部署node节点
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.1.7" data-path="../practice/kubedns-addon-installation.html">
|
||
|
||
<a href="../practice/kubedns-addon-installation.html">
|
||
|
||
|
||
4.1.7 安装kubedns插件
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.1.8" data-path="../practice/dashboard-addon-installation.html">
|
||
|
||
<a href="../practice/dashboard-addon-installation.html">
|
||
|
||
|
||
4.1.8 安装dashboard插件
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.1.9" data-path="../practice/heapster-addon-installation.html">
|
||
|
||
<a href="../practice/heapster-addon-installation.html">
|
||
|
||
|
||
4.1.9 安装heapster插件
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.1.10" data-path="../practice/efk-addon-installation.html">
|
||
|
||
<a href="../practice/efk-addon-installation.html">
|
||
|
||
|
||
4.1.10 安装EFK插件
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.2" data-path="../practice/service-discovery-and-loadbalancing.html">
|
||
|
||
<a href="../practice/service-discovery-and-loadbalancing.html">
|
||
|
||
|
||
4.2 服务发现与负载均衡
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.4.2.1" data-path="../practice/traefik-ingress-installation.html">
|
||
|
||
<a href="../practice/traefik-ingress-installation.html">
|
||
|
||
|
||
4.2.1 安装Traefik ingress
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.2.2" data-path="../practice/distributed-load-test.html">
|
||
|
||
<a href="../practice/distributed-load-test.html">
|
||
|
||
|
||
4.2.2 分布式负载测试
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.2.3" data-path="../practice/network-and-cluster-perfermance-test.html">
|
||
|
||
<a href="../practice/network-and-cluster-perfermance-test.html">
|
||
|
||
|
||
4.2.3 网络和集群性能测试
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.2.4" data-path="../practice/edge-node-configuration.html">
|
||
|
||
<a href="../practice/edge-node-configuration.html">
|
||
|
||
|
||
4.2.4 边缘节点配置
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.3" data-path="../practice/operation.html">
|
||
|
||
<a href="../practice/operation.html">
|
||
|
||
|
||
4.3 运维管理
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.4.3.1" data-path="../practice/service-rolling-update.html">
|
||
|
||
<a href="../practice/service-rolling-update.html">
|
||
|
||
|
||
4.3.1 服务滚动升级
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.3.2" data-path="../practice/app-log-collection.html">
|
||
|
||
<a href="../practice/app-log-collection.html">
|
||
|
||
|
||
4.3.2 应用日志收集
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.3.3" data-path="../practice/configuration-best-practice.html">
|
||
|
||
<a href="../practice/configuration-best-practice.html">
|
||
|
||
|
||
4.3.3 配置最佳实践
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.3.4" data-path="../practice/monitor.html">
|
||
|
||
<a href="../practice/monitor.html">
|
||
|
||
|
||
4.3.4 集群及应用监控
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.3.5" data-path="../practice/jenkins-ci-cd.html">
|
||
|
||
<a href="../practice/jenkins-ci-cd.html">
|
||
|
||
|
||
4.3.5 使用Jenkins进行持续构建与发布
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.3.6" data-path="../practice/data-persistence-problem.html">
|
||
|
||
<a href="../practice/data-persistence-problem.html">
|
||
|
||
|
||
4.3.6 数据持久化问题
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.3.7" data-path="../practice/manage-compute-resources-container.html">
|
||
|
||
<a href="../practice/manage-compute-resources-container.html">
|
||
|
||
|
||
4.3.7 管理容器的计算资源
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.4" data-path="../practice/storage.html">
|
||
|
||
<a href="../practice/storage.html">
|
||
|
||
|
||
4.4 存储管理
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.4.4.1" data-path="../practice/glusterfs.html">
|
||
|
||
<a href="../practice/glusterfs.html">
|
||
|
||
|
||
4.4.1 GlusterFS
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.4.4.1.1" data-path="../practice/using-glusterfs-for-persistent-storage.html">
|
||
|
||
<a href="../practice/using-glusterfs-for-persistent-storage.html">
|
||
|
||
|
||
4.4.1.1 使用GlusterFS做持久化存储
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.4.1.2" data-path="../practice/storage-for-containers-using-glusterfs-with-openshift.html">
|
||
|
||
<a href="../practice/storage-for-containers-using-glusterfs-with-openshift.html">
|
||
|
||
|
||
4.4.1.2 在OpenShift中使用GlusterFS做持久化存储
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.4.4.2" data-path="../practice/cephfs.html">
|
||
|
||
<a href="../practice/cephfs.html">
|
||
|
||
|
||
4.4.2 CephFS
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.4.4.2.1" data-path="../practice/using-ceph-for-persistent-storage.html">
|
||
|
||
<a href="../practice/using-ceph-for-persistent-storage.html">
|
||
|
||
|
||
4.4.2.1 使用Ceph做持久化存储
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.5" data-path="../usecases/">
|
||
|
||
<a href="../usecases/">
|
||
|
||
|
||
5. 领域应用
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.5.1" data-path="../usecases/microservices.html">
|
||
|
||
<a href="../usecases/microservices.html">
|
||
|
||
|
||
5.1 微服务架构
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.5.1.1" data-path="../usecases/istio.html">
|
||
|
||
<a href="../usecases/istio.html">
|
||
|
||
|
||
5.1.1 Istio
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.5.1.1.1" data-path="../usecases/istio-installation.html">
|
||
|
||
<a href="../usecases/istio-installation.html">
|
||
|
||
|
||
5.1.1.1 安装istio
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.5.1.1.2" data-path="../usecases/configuring-request-routing.html">
|
||
|
||
<a href="../usecases/configuring-request-routing.html">
|
||
|
||
|
||
5.1.1.2 配置请求的路由规则
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.5.1.2" data-path="../usecases/linkerd.html">
|
||
|
||
<a href="../usecases/linkerd.html">
|
||
|
||
|
||
5.1.2 Linkerd
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.5.1.2.1" data-path="../usecases/linkerd-user-guide.html">
|
||
|
||
<a href="../usecases/linkerd-user-guide.html">
|
||
|
||
|
||
5.1.2.1 Linkerd 使用指南
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.5.1.3" data-path="../usecases/service-discovery-in-microservices.html">
|
||
|
||
<a href="../usecases/service-discovery-in-microservices.html">
|
||
|
||
|
||
5.1.3 微服务中的服务发现
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.5.2" data-path="../usecases/big-data.html">
|
||
|
||
<a href="../usecases/big-data.html">
|
||
|
||
|
||
5.2 大数据
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.5.2.1" data-path="../usecases/spark-standalone-on-kubernetes.html">
|
||
|
||
<a href="../usecases/spark-standalone-on-kubernetes.html">
|
||
|
||
|
||
5.2.1 Spark standalone on Kubernetes
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.5.2.2" data-path="../usecases/support-spark-natively-in-kubernetes.html">
|
||
|
||
<a href="../usecases/support-spark-natively-in-kubernetes.html">
|
||
|
||
|
||
5.2.2 运行支持kubernetes原生调度的Spark程序
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.5.3" data-path="../usecases/serverless.html">
|
||
|
||
<a href="../usecases/serverless.html">
|
||
|
||
|
||
5.3 Serverless架构
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.6" data-path="../develop/">
|
||
|
||
<a href="../develop/">
|
||
|
||
|
||
6. 开发指南
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.6.1" data-path="../develop/developing-environment.html">
|
||
|
||
<a href="../develop/developing-environment.html">
|
||
|
||
|
||
6.1 开发环境搭建
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.6.2" data-path="../develop/testing.html">
|
||
|
||
<a href="../develop/testing.html">
|
||
|
||
|
||
6.2 单元测试和集成测试
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.6.3" data-path="../develop/client-go-sample.html">
|
||
|
||
<a href="../develop/client-go-sample.html">
|
||
|
||
|
||
6.3 client-go示例
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.6.4" data-path="../develop/contribute.html">
|
||
|
||
<a href="../develop/contribute.html">
|
||
|
||
|
||
6.4 社区贡献
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.7" data-path="../appendix/">
|
||
|
||
<a href="../appendix/">
|
||
|
||
|
||
7. 附录
|
||
|
||
</a>
|
||
|
||
|
||
|
||
<ul class="articles">
|
||
|
||
|
||
<li class="chapter " data-level="1.7.1" data-path="../appendix/docker-best-practice.html">
|
||
|
||
<a href="../appendix/docker-best-practice.html">
|
||
|
||
|
||
7.1 Docker最佳实践
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.7.2" data-path="../appendix/issues.html">
|
||
|
||
<a href="../appendix/issues.html">
|
||
|
||
|
||
7.2 问题记录
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
<li class="chapter " data-level="1.7.3" data-path="../appendix/tricks.html">
|
||
|
||
<a href="../appendix/tricks.html">
|
||
|
||
|
||
7.3 使用技巧
|
||
|
||
</a>
|
||
|
||
|
||
|
||
</li>
|
||
|
||
|
||
</ul>
|
||
|
||
</li>
|
||
|
||
|
||
|
||
|
||
<li class="divider"></li>
|
||
|
||
<li>
|
||
<a href="https://www.gitbook.com" target="blank" class="gitbook-link">
|
||
本書使用 GitBook 釋出
|
||
</a>
|
||
</li>
|
||
</ul>
|
||
|
||
|
||
</nav>
|
||
|
||
|
||
</div>
|
||
|
||
<div class="book-body">
|
||
|
||
<div class="body-inner">
|
||
|
||
|
||
|
||
<div class="book-header" role="navigation">
|
||
|
||
|
||
<!-- Title -->
|
||
<h1>
|
||
<i class="fa fa-circle-o-notch fa-spin"></i>
|
||
<a href=".." >3.3.5 RBAC——基于角色的访问控制</a>
|
||
</h1>
|
||
</div>
|
||
|
||
|
||
|
||
|
||
<div class="page-wrapper" tabindex="-1" role="main">
|
||
<div class="page-inner">
|
||
|
||
<div class="search-plus" id="book-search-results">
|
||
<div class="search-noresults">
|
||
|
||
<section class="normal markdown-section">
|
||
|
||
<h1 id="rbac——基于角色的访问控制">RBAC——基于角色的访问控制</h1>
|
||
<p>以下内容是 <a href="https://github.com/xingzhou" target="_blank">xingzhou</a> 对 kubernetes 官方文档的翻译,原文地址 <a href="https://k8smeetup.github.io/docs/admin/authorization/rbac/" target="_blank">https://k8smeetup.github.io/docs/admin/authorization/rbac/</a></p>
|
||
<p>基于角色的访问控制(Role-Based Access Control, 即”RBAC”)使用”rbac.authorization.k8s.io” API Group实现授权决策,允许管理员通过Kubernetes API动态配置策略。</p>
|
||
<p>截至Kubernetes 1.6,RBAC模式处于beta版本。</p>
|
||
<p>要启用RBAC,请使用<code>--authorization-mode=RBAC</code>启动API Server。</p>
|
||
<h2 id="api概述">API概述</h2>
|
||
<p>本节将介绍RBAC API所定义的四种顶级类型。用户可以像使用其他Kubernetes API资源一样 (例如通过<code>kubectl</code>、API调用等)与这些资源进行交互。例如,命令<code>kubectl create -f (resource).yml</code> 可以被用于以下所有的例子,当然,读者在尝试前可能需要先阅读以下相关章节的内容。</p>
|
||
<h3 id="role与clusterrole">Role与ClusterRole</h3>
|
||
<p>在RBAC API中,一个角色包含了一套表示一组权限的规则。 权限以纯粹的累加形式累积(没有”否定”的规则)。 角色可以由名字空间(namespace)内的<code>Role</code>对象定义,而整个Kubernetes集群范围内有效的角色则通过<code>ClusterRole</code>对象实现。</p>
|
||
<p>一个<code>Role</code>对象只能用于授予对某一单一名字空间中资源的访问权限。 以下示例描述了”default”名字空间中的一个<code>Role</code>对象的定义,用于授予对pod的读访问权限:</p>
|
||
<pre><code class="lang-yaml"><span class="hljs-attr">kind:</span> Role
|
||
<span class="hljs-attr">apiVersion:</span> rbac.authorization.k8s.io/v1beta1
|
||
<span class="hljs-attr">metadata:</span>
|
||
<span class="hljs-attr"> namespace:</span> default
|
||
<span class="hljs-attr"> name:</span> pod-reader
|
||
<span class="hljs-attr">rules:</span>
|
||
<span class="hljs-attr">- apiGroups:</span> [<span class="hljs-string">""</span>] <span class="hljs-comment"># 空字符串""表明使用core API group</span>
|
||
<span class="hljs-attr"> resources:</span> [<span class="hljs-string">"pods"</span>]
|
||
<span class="hljs-attr"> verbs:</span> [<span class="hljs-string">"get"</span>, <span class="hljs-string">"watch"</span>, <span class="hljs-string">"list"</span>]
|
||
</code></pre>
|
||
<p><code>ClusterRole</code>对象可以授予与<code>Role</code>对象相同的权限,但由于它们属于集群范围对象, 也可以使用它们授予对以下几种资源的访问权限:</p>
|
||
<ul>
|
||
<li>集群范围资源(例如节点,即node)</li>
|
||
<li>非资源类型endpoint(例如”/healthz”)</li>
|
||
<li>跨所有名字空间的名字空间范围资源(例如pod,需要运行命令<code>kubectl get pods --all-namespaces</code>来查询集群中所有的pod)</li>
|
||
</ul>
|
||
<p>下面示例中的<code>ClusterRole</code>定义可用于授予用户对某一特定名字空间,或者所有名字空间中的secret(取决于其<a href="https://k8smeetup.github.io/docs/admin/authorization/rbac/#rolebinding-and-clusterrolebinding" target="_blank">绑定</a>方式)的读访问权限:</p>
|
||
<pre><code class="lang-Yaml"><span class="hljs-attr">kind:</span> ClusterRole
|
||
<span class="hljs-attr">apiVersion:</span> rbac.authorization.k8s.io/v1beta1
|
||
<span class="hljs-attr">metadata:</span>
|
||
<span class="hljs-comment"># 鉴于ClusterRole是集群范围对象,所以这里不需要定义"namespace"字段</span>
|
||
<span class="hljs-attr"> name:</span> secret-reader
|
||
<span class="hljs-attr">rules:</span>
|
||
<span class="hljs-attr">- apiGroups:</span> [<span class="hljs-string">""</span>]
|
||
<span class="hljs-attr"> resources:</span> [<span class="hljs-string">"secrets"</span>]
|
||
<span class="hljs-attr"> verbs:</span> [<span class="hljs-string">"get"</span>, <span class="hljs-string">"watch"</span>, <span class="hljs-string">"list"</span>]
|
||
</code></pre>
|
||
<h3 id="rolebinding与clusterrolebinding">RoleBinding与ClusterRoleBinding</h3>
|
||
<p>角色绑定将一个角色中定义的各种权限授予一个或者一组用户。 角色绑定包含了一组相关主体(即subject, 包括用户——User、用户组——Group、或者服务账户——Service Account)以及对被授予角色的引用。 在名字空间中可以通过<code>RoleBinding</code>对象授予权限,而集群范围的权限授予则通过<code>ClusterRoleBinding</code>对象完成。</p>
|
||
<p><code>RoleBinding</code>可以引用在同一名字空间内定义的<code>Role</code>对象。 下面示例中定义的<code>RoleBinding</code>对象在”default”名字空间中将”pod-reader”角色授予用户”jane”。 这一授权将允许用户”jane”从”default”名字空间中读取pod。</p>
|
||
<pre><code class="lang-Yaml"><span class="hljs-comment"># 以下角色绑定定义将允许用户"jane"从"default"名字空间中读取pod。</span>
|
||
<span class="hljs-attr">kind:</span> RoleBinding
|
||
<span class="hljs-attr">apiVersion:</span> rbac.authorization.k8s.io/v1beta1
|
||
<span class="hljs-attr">metadata:</span>
|
||
<span class="hljs-attr"> name:</span> read-pods
|
||
<span class="hljs-attr"> namespace:</span> default
|
||
<span class="hljs-attr">subjects:</span>
|
||
<span class="hljs-attr">- kind:</span> User
|
||
<span class="hljs-attr"> name:</span> jane
|
||
<span class="hljs-attr"> apiGroup:</span> rbac.authorization.k8s.io
|
||
<span class="hljs-attr">roleRef:</span>
|
||
<span class="hljs-attr"> kind:</span> Role
|
||
<span class="hljs-attr"> name:</span> pod-reader
|
||
<span class="hljs-attr"> apiGroup:</span> rbac.authorization.k8s.io
|
||
</code></pre>
|
||
<p><code>RoleBinding</code>对象也可以引用一个<code>ClusterRole</code>对象用于在<code>RoleBinding</code>所在的名字空间内授予用户对所引用的<code>ClusterRole</code>中 定义的名字空间资源的访问权限。这一点允许管理员在整个集群范围内首先定义一组通用的角色,然后再在不同的名字空间中复用这些角色。</p>
|
||
<p>例如,尽管下面示例中的<code>RoleBinding</code>引用的是一个<code>ClusterRole</code>对象,但是用户”dave”(即角色绑定主体)还是只能读取”development” 名字空间中的secret(即<code>RoleBinding</code>所在的名字空间)。</p>
|
||
<pre><code class="lang-yaml"><span class="hljs-comment"># 以下角色绑定允许用户"dave"读取"development"名字空间中的secret。</span>
|
||
<span class="hljs-attr">kind:</span> RoleBinding
|
||
<span class="hljs-attr">apiVersion:</span> rbac.authorization.k8s.io/v1beta1
|
||
<span class="hljs-attr">metadata:</span>
|
||
<span class="hljs-attr"> name:</span> read-secrets
|
||
<span class="hljs-attr"> namespace:</span> development <span class="hljs-comment"># 这里表明仅授权读取"development"名字空间中的资源。</span>
|
||
<span class="hljs-attr">subjects:</span>
|
||
<span class="hljs-attr">- kind:</span> User
|
||
<span class="hljs-attr"> name:</span> dave
|
||
<span class="hljs-attr"> apiGroup:</span> rbac.authorization.k8s.io
|
||
<span class="hljs-attr">roleRef:</span>
|
||
<span class="hljs-attr"> kind:</span> ClusterRole
|
||
<span class="hljs-attr"> name:</span> secret-reader
|
||
<span class="hljs-attr"> apiGroup:</span> rbac.authorization.k8s.io
|
||
</code></pre>
|
||
<p>最后,可以使用<code>ClusterRoleBinding</code>在集群级别和所有名字空间中授予权限。下面示例中所定义的<code>ClusterRoleBinding</code> 允许在用户组”manager”中的任何用户都可以读取集群中任何名字空间中的secret。</p>
|
||
<pre><code class="lang-yaml"><span class="hljs-comment"># 以下`ClusterRoleBinding`对象允许在用户组"manager"中的任何用户都可以读取集群中任何名字空间中的secret。</span>
|
||
<span class="hljs-attr">kind:</span> ClusterRoleBinding
|
||
<span class="hljs-attr">apiVersion:</span> rbac.authorization.k8s.io/v1beta1
|
||
<span class="hljs-attr">metadata:</span>
|
||
<span class="hljs-attr"> name:</span> read-secrets-global
|
||
<span class="hljs-attr">subjects:</span>
|
||
<span class="hljs-attr">- kind:</span> Group
|
||
<span class="hljs-attr"> name:</span> manager
|
||
<span class="hljs-attr"> apiGroup:</span> rbac.authorization.k8s.io
|
||
<span class="hljs-attr">roleRef:</span>
|
||
<span class="hljs-attr"> kind:</span> ClusterRole
|
||
<span class="hljs-attr"> name:</span> secret-reader
|
||
<span class="hljs-attr"> apiGroup:</span> rbac.authorization.k8s.io
|
||
</code></pre>
|
||
<h3 id="对资源的引用">对资源的引用</h3>
|
||
<p>大多数资源由代表其名字的字符串表示,例如”pods”,就像它们出现在相关API endpoint的URL中一样。然而,有一些Kubernetes API还 包含了”子资源”,比如pod的logs。在Kubernetes中,pod logs endpoint的URL格式为:</p>
|
||
<pre><code>GET /api/v1/namespaces/{namespace}/pods/{name}/log
|
||
</code></pre><p>在这种情况下,”pods”是名字空间资源,而”log”是pods的子资源。为了在RBAC角色中表示出这一点,我们需要使用斜线来划分资源 与子资源。如果需要角色绑定主体读取pods以及pod log,您需要定义以下角色:</p>
|
||
<pre><code class="lang-yaml"><span class="hljs-attr">kind:</span> Role
|
||
<span class="hljs-attr">apiVersion:</span> rbac.authorization.k8s.io/v1beta1
|
||
<span class="hljs-attr">metadata:</span>
|
||
<span class="hljs-attr"> namespace:</span> default
|
||
<span class="hljs-attr"> name:</span> pod-and-pod-logs-reader
|
||
<span class="hljs-attr">rules:</span>
|
||
<span class="hljs-attr">- apiGroups:</span> [<span class="hljs-string">""</span>]
|
||
<span class="hljs-attr"> resources:</span> [<span class="hljs-string">"pods"</span>, <span class="hljs-string">"pods/log"</span>]
|
||
<span class="hljs-attr"> verbs:</span> [<span class="hljs-string">"get"</span>, <span class="hljs-string">"list"</span>]
|
||
</code></pre>
|
||
<p>通过<code>resourceNames</code>列表,角色可以针对不同种类的请求根据资源名引用资源实例。当指定了<code>resourceNames</code>列表时,不同动作 种类的请求的权限,如使用”get”、”delete”、”update”以及”patch”等动词的请求,将被限定到资源列表中所包含的资源实例上。 例如,如果需要限定一个角色绑定主体只能”get”或者”update”一个configmap时,您可以定义以下角色:</p>
|
||
<pre><code class="lang-yaml"><span class="hljs-attr">kind:</span> Role
|
||
<span class="hljs-attr">apiVersion:</span> rbac.authorization.k8s.io/v1beta1
|
||
<span class="hljs-attr">metadata:</span>
|
||
<span class="hljs-attr"> namespace:</span> default
|
||
<span class="hljs-attr"> name:</span> configmap-updater
|
||
<span class="hljs-attr">rules:</span>
|
||
<span class="hljs-attr">- apiGroups:</span> [<span class="hljs-string">""</span>]
|
||
<span class="hljs-attr"> resources:</span> [<span class="hljs-string">"configmap"</span>]
|
||
<span class="hljs-attr"> resourceNames:</span> [<span class="hljs-string">"my-configmap"</span>]
|
||
<span class="hljs-attr"> verbs:</span> [<span class="hljs-string">"update"</span>, <span class="hljs-string">"get"</span>]
|
||
</code></pre>
|
||
<p>值得注意的是,如果设置了<code>resourceNames</code>,则请求所使用的动词不能是list、watch、create或者deletecollection。 由于资源名不会出现在create、list、watch和deletecollection等API请求的URL中,所以这些请求动词不会被设置了<code>resourceNames</code> 的规则所允许,因为规则中的<code>resourceNames</code>部分不会匹配这些请求。</p>
|
||
<h4 id="一些角色定义的例子">一些角色定义的例子</h4>
|
||
<p>在以下示例中,我们仅截取展示了<code>rules</code>部分的定义。</p>
|
||
<p>允许读取core API Group中定义的资源”pods”:</p>
|
||
<pre><code class="lang-Yaml"><span class="hljs-attr">rules:</span>
|
||
<span class="hljs-attr">- apiGroups:</span> [<span class="hljs-string">""</span>]
|
||
<span class="hljs-attr"> resources:</span> [<span class="hljs-string">"pods"</span>]
|
||
<span class="hljs-attr"> verbs:</span> [<span class="hljs-string">"get"</span>, <span class="hljs-string">"list"</span>, <span class="hljs-string">"watch"</span>]
|
||
</code></pre>
|
||
<p>允许读写在”extensions”和”apps” API Group中定义的”deployments”:</p>
|
||
<pre><code class="lang-yaml"><span class="hljs-attr">rules:</span>
|
||
<span class="hljs-attr">- apiGroups:</span> [<span class="hljs-string">"extensions"</span>, <span class="hljs-string">"apps"</span>]
|
||
<span class="hljs-attr"> resources:</span> [<span class="hljs-string">"deployments"</span>]
|
||
<span class="hljs-attr"> verbs:</span> [<span class="hljs-string">"get"</span>, <span class="hljs-string">"list"</span>, <span class="hljs-string">"watch"</span>, <span class="hljs-string">"create"</span>, <span class="hljs-string">"update"</span>, <span class="hljs-string">"patch"</span>, <span class="hljs-string">"delete"</span>]
|
||
</code></pre>
|
||
<p>允许读取”pods”以及读写”jobs”:</p>
|
||
<pre><code class="lang-yaml"><span class="hljs-attr">rules:</span>
|
||
<span class="hljs-attr">- apiGroups:</span> [<span class="hljs-string">""</span>]
|
||
<span class="hljs-attr"> resources:</span> [<span class="hljs-string">"pods"</span>]
|
||
<span class="hljs-attr"> verbs:</span> [<span class="hljs-string">"get"</span>, <span class="hljs-string">"list"</span>, <span class="hljs-string">"watch"</span>]
|
||
<span class="hljs-attr">- apiGroups:</span> [<span class="hljs-string">"batch"</span>, <span class="hljs-string">"extensions"</span>]
|
||
<span class="hljs-attr"> resources:</span> [<span class="hljs-string">"jobs"</span>]
|
||
<span class="hljs-attr"> verbs:</span> [<span class="hljs-string">"get"</span>, <span class="hljs-string">"list"</span>, <span class="hljs-string">"watch"</span>, <span class="hljs-string">"create"</span>, <span class="hljs-string">"update"</span>, <span class="hljs-string">"patch"</span>, <span class="hljs-string">"delete"</span>]
|
||
</code></pre>
|
||
<p>允许读取一个名为”my-config”的<code>ConfigMap</code>实例(需要将其通过<code>RoleBinding</code>绑定从而限制针对某一个名字空间中定义的一个<code>ConfigMap</code>实例的访问):</p>
|
||
<pre><code class="lang-yaml"><span class="hljs-attr">rules:</span>
|
||
<span class="hljs-attr">- apiGroups:</span> [<span class="hljs-string">""</span>]
|
||
<span class="hljs-attr"> resources:</span> [<span class="hljs-string">"configmaps"</span>]
|
||
<span class="hljs-attr"> resourceNames:</span> [<span class="hljs-string">"my-config"</span>]
|
||
<span class="hljs-attr"> verbs:</span> [<span class="hljs-string">"get"</span>]
|
||
</code></pre>
|
||
<p>允许读取core API Group中的”nodes”资源(由于<code>Node</code>是集群级别资源,所以此<code>ClusterRole</code>定义需要与一个<code>ClusterRoleBinding</code>绑定才能有效):</p>
|
||
<pre><code class="lang-yaml"><span class="hljs-attr">rules:</span>
|
||
<span class="hljs-attr">- apiGroups:</span> [<span class="hljs-string">""</span>]
|
||
<span class="hljs-attr"> resources:</span> [<span class="hljs-string">"nodes"</span>]
|
||
<span class="hljs-attr"> verbs:</span> [<span class="hljs-string">"get"</span>, <span class="hljs-string">"list"</span>, <span class="hljs-string">"watch"</span>]
|
||
</code></pre>
|
||
<p>允许对非资源endpoint “/healthz”及其所有子路径的”GET”和”POST”请求(此<code>ClusterRole</code>定义需要与一个<code>ClusterRoleBinding</code>绑定才能有效):</p>
|
||
<pre><code class="lang-yaml"><span class="hljs-attr">rules:</span>
|
||
<span class="hljs-attr">- nonResourceURLs:</span> [<span class="hljs-string">"/healthz"</span>, <span class="hljs-string">"/healthz/*"</span>] <span class="hljs-comment"># 在非资源URL中,'*'代表后缀通配符</span>
|
||
<span class="hljs-attr"> verbs:</span> [<span class="hljs-string">"get"</span>, <span class="hljs-string">"post"</span>]
|
||
</code></pre>
|
||
<h3 id="对角色绑定主体(subject)的引用">对角色绑定主体(Subject)的引用</h3>
|
||
<p><code>RoleBinding</code>或者<code>ClusterRoleBinding</code>将角色绑定到<em>角色绑定主体</em>(Subject)。 角色绑定主体可以是用户组(Group)、用户(User)或者服务账户(Service Accounts)。</p>
|
||
<p>用户由字符串表示。可以是纯粹的用户名,例如”alice”、电子邮件风格的名字,如 “bob@example.com” 或者是用字符串表示的数字id。由Kubernetes管理员配置<a href="https://k8smeetup.github.io/docs/admin/authentication/" target="_blank">认证模块</a> 以产生所需格式的用户名。对于用户名,RBAC授权系统不要求任何特定的格式。然而,前缀<code>system:</code>是 为Kubernetes系统使用而保留的,所以管理员应该确保用户名不会意外地包含这个前缀。</p>
|
||
<p>Kubernetes中的用户组信息由授权模块提供。用户组与用户一样由字符串表示。Kubernetes对用户组 字符串没有格式要求,但前缀<code>system:</code>同样是被系统保留的。</p>
|
||
<p><a href="https://k8smeetup.github.io/docs/tasks/configure-pod-container/configure-service-account/" target="_blank">服务账户</a>拥有包含 <code>system:serviceaccount:</code>前缀的用户名,并属于拥有<code>system:serviceaccounts:</code>前缀的用户组。</p>
|
||
<h4 id="角色绑定的一些例子">角色绑定的一些例子</h4>
|
||
<p>以下示例中,仅截取展示了<code>RoleBinding</code>的<code>subjects</code>字段。</p>
|
||
<p>一个名为”alice@example.com”的用户:</p>
|
||
<pre><code class="lang-yaml"><span class="hljs-attr">subjects:</span>
|
||
<span class="hljs-attr">- kind:</span> User
|
||
<span class="hljs-attr"> name:</span> <span class="hljs-string">"alice@example.com"</span>
|
||
<span class="hljs-attr"> apiGroup:</span> rbac.authorization.k8s.io
|
||
</code></pre>
|
||
<p>一个名为”frontend-admins”的用户组:</p>
|
||
<pre><code class="lang-yaml"><span class="hljs-attr">subjects:</span>
|
||
<span class="hljs-attr">- kind:</span> Group
|
||
<span class="hljs-attr"> name:</span> <span class="hljs-string">"frontend-admins"</span>
|
||
<span class="hljs-attr"> apiGroup:</span> rbac.authorization.k8s.io
|
||
</code></pre>
|
||
<p>kube-system名字空间中的默认服务账户:</p>
|
||
<pre><code class="lang-yaml"><span class="hljs-attr">subjects:</span>
|
||
<span class="hljs-attr">- kind:</span> ServiceAccount
|
||
<span class="hljs-attr"> name:</span> default
|
||
<span class="hljs-attr"> namespace:</span> kube-system
|
||
</code></pre>
|
||
<p>名为”qa”名字空间中的所有服务账户:</p>
|
||
<pre><code class="lang-yaml"><span class="hljs-attr">subjects:</span>
|
||
<span class="hljs-attr">- kind:</span> Group
|
||
<span class="hljs-attr"> name:</span> system:serviceaccounts:qa
|
||
<span class="hljs-attr"> apiGroup:</span> rbac.authorization.k8s.io
|
||
</code></pre>
|
||
<p>在集群中的所有服务账户:</p>
|
||
<pre><code class="lang-yaml"><span class="hljs-attr">subjects:</span>
|
||
<span class="hljs-attr">- kind:</span> Group
|
||
<span class="hljs-attr"> name:</span> system:serviceaccounts
|
||
<span class="hljs-attr"> apiGroup:</span> rbac.authorization.k8s.io
|
||
</code></pre>
|
||
<p>所有认证过的用户(version 1.5+):</p>
|
||
<pre><code class="lang-yaml"><span class="hljs-attr">subjects:</span>
|
||
<span class="hljs-attr">- kind:</span> Group
|
||
<span class="hljs-attr"> name:</span> system:authenticated
|
||
<span class="hljs-attr"> apiGroup:</span> rbac.authorization.k8s.io
|
||
</code></pre>
|
||
<p>所有未认证的用户(version 1.5+):</p>
|
||
<pre><code class="lang-yaml"><span class="hljs-attr">subjects:</span>
|
||
<span class="hljs-attr">- kind:</span> Group
|
||
<span class="hljs-attr"> name:</span> system:unauthenticated
|
||
<span class="hljs-attr"> apiGroup:</span> rbac.authorization.k8s.io
|
||
</code></pre>
|
||
<p>所有用户(version 1.5+):</p>
|
||
<pre><code class="lang-yaml"><span class="hljs-attr">subjects:</span>
|
||
<span class="hljs-attr">- kind:</span> Group
|
||
<span class="hljs-attr"> name:</span> system:authenticated
|
||
<span class="hljs-attr"> apiGroup:</span> rbac.authorization.k8s.io
|
||
<span class="hljs-attr">- kind:</span> Group
|
||
<span class="hljs-attr"> name:</span> system:unauthenticated
|
||
<span class="hljs-attr"> apiGroup:</span> rbac.authorization.k8s.io
|
||
</code></pre>
|
||
<h2 id="默认角色与默认角色绑定">默认角色与默认角色绑定</h2>
|
||
<p>API Server会创建一组默认的<code>ClusterRole</code>和<code>ClusterRoleBinding</code>对象。 这些默认对象中有许多包含<code>system:</code>前缀,表明这些资源由Kubernetes基础组件”拥有”。 对这些资源的修改可能导致非功能性集群(non-functional cluster)。一个例子是<code>system:node</code> ClusterRole对象。 这个角色定义了kubelets的权限。如果这个角色被修改,可能会导致kubelets无法正常工作。</p>
|
||
<p>所有默认的ClusterRole和ClusterRoleBinding对象都会被标记为<code>kubernetes.io/bootstrapping=rbac-defaults</code>。</p>
|
||
<h3 id="自动更新">自动更新</h3>
|
||
<p>每次启动时,API Server都会更新默认ClusterRole所缺乏的各种权限,并更新默认ClusterRoleBinding所缺乏的各个角色绑定主体。 这种自动更新机制允许集群修复一些意外的修改。由于权限和角色绑定主体在新的Kubernetes释出版本中可能变化,这也能够保证角色和角色 绑定始终保持是最新的。</p>
|
||
<p>如果需要禁用自动更新,请将默认ClusterRole以及ClusterRoleBinding的<code>rbac.authorization.kubernetes.io/autoupdate</code> 设置成为<code>false</code>。 请注意,缺乏默认权限和角色绑定主体可能会导致非功能性集群问题。</p>
|
||
<p>自Kubernetes 1.6+起,当集群RBAC授权器(RBAC Authorizer)处于开启状态时,可以启用自动更新功能.</p>
|
||
<h3 id="发现类角色">发现类角色</h3>
|
||
<table>
|
||
<thead>
|
||
<tr>
|
||
<th>默认ClusterRole</th>
|
||
<th>默认ClusterRoleBinding</th>
|
||
<th>描述</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td><strong>system:basic-user</strong></td>
|
||
<td><strong>system:authenticated</strong> and <strong>system:unauthenticated</strong>groups</td>
|
||
<td>允许用户只读访问有关自己的基本信息。</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>system:discovery</strong></td>
|
||
<td><strong>system:authenticated</strong> and <strong>system:unauthenticated</strong>groups</td>
|
||
<td>允许只读访问API discovery endpoints, 用于在API级别进行发现和协商。</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<h3 id="面向用户的角色">面向用户的角色</h3>
|
||
<p>一些默认角色并不包含<code>system:</code>前缀,它们是面向用户的角色。 这些角色包含超级用户角色(<code>cluster-admin</code>),即旨在利用ClusterRoleBinding(<code>cluster-status</code>)在集群范围内授权的角色, 以及那些使用RoleBinding(<code>admin</code>、<code>edit</code>和<code>view</code>)在特定名字空间中授权的角色。</p>
|
||
<table>
|
||
<thead>
|
||
<tr>
|
||
<th>默认ClusterRole</th>
|
||
<th>默认ClusterRoleBinding</th>
|
||
<th>描述</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td><strong>cluster-admin</strong></td>
|
||
<td><strong>system:masters</strong> group</td>
|
||
<td>超级用户权限,允许对任何资源执行任何操作。 在<strong>ClusterRoleBinding</strong>中使用时,可以完全控制集群和所有名字空间中的所有资源。 在<strong>RoleBinding</strong>中使用时,可以完全控制RoleBinding所在名字空间中的所有资源,包括名字空间自己。</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>admin</strong></td>
|
||
<td>None</td>
|
||
<td>管理员权限,利用<strong>RoleBinding</strong>在某一名字空间内部授予。 在<strong>RoleBinding</strong>中使用时,允许针对名字空间内大部分资源的读写访问, 包括在名字空间内创建角色与角色绑定的能力。 但不允许对资源配额(resource quota)或者名字空间本身的写访问。</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>edit</strong></td>
|
||
<td>None</td>
|
||
<td>允许对某一个名字空间内大部分对象的读写访问,但不允许查看或者修改角色或者角色绑定。</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>view</strong></td>
|
||
<td>None</td>
|
||
<td>允许对某一个名字空间内大部分对象的只读访问。 不允许查看角色或者角色绑定。 由于可扩散性等原因,不允许查看secret资源。</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<h3 id="core-component-roles">Core Component Roles</h3>
|
||
<h3 id="核心组件角色">核心组件角色</h3>
|
||
<table>
|
||
<thead>
|
||
<tr>
|
||
<th>默认ClusterRole</th>
|
||
<th>默认ClusterRoleBinding</th>
|
||
<th>描述</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td><strong>system:kube-scheduler</strong></td>
|
||
<td><strong>system:kube-scheduler</strong> user</td>
|
||
<td>允许访问kube-scheduler组件所需要的资源。</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>system:kube-controller-manager</strong></td>
|
||
<td><strong>system:kube-controller-manager</strong> user</td>
|
||
<td>允许访问kube-controller-manager组件所需要的资源。 单个控制循环所需要的权限请参阅<a href="https://k8smeetup.github.io/docs/admin/authorization/rbac/#controller-roles" target="_blank">控制器(controller)角色</a>.</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>system:node</strong></td>
|
||
<td><strong>system:nodes</strong> group (deprecated in 1.7)</td>
|
||
<td>允许对kubelet组件所需要的资源的访问,<strong>包括读取所有secret和对所有pod的写访问</strong>。 自Kubernetes 1.7开始, 相比较于这个角色,更推荐使用<a href="../docs/admin/authorization/node">Node authorizer</a> 以及<a href="../docs/admin/admission-controllers#NodeRestriction">NodeRestriction admission plugin</a>, 并允许根据调度运行在节点上的pod授予kubelets API访问的权限。 自Kubernetes 1.7开始,当启用<code>Node</code>授权模式时,对<code>system:nodes</code>用户组的绑定将不会被自动创建。</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>system:node-proxier</strong></td>
|
||
<td><strong>system:kube-proxy</strong> user</td>
|
||
<td>允许对kube-proxy组件所需要资源的访问。</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<h3 id="其它组件角色">其它组件角色</h3>
|
||
<table>
|
||
<thead>
|
||
<tr>
|
||
<th>默认ClusterRole</th>
|
||
<th>默认ClusterRoleBinding</th>
|
||
<th>描述</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td><strong>system:auth-delegator</strong></td>
|
||
<td>None</td>
|
||
<td>允许委托认证和授权检查。 通常由附加API Server用于统一认证和授权。</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>system:heapster</strong></td>
|
||
<td>None</td>
|
||
<td><a href="https://github.com/kubernetes/heapster" target="_blank">Heapster</a>组件的角色。</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>system:kube-aggregator</strong></td>
|
||
<td>None</td>
|
||
<td><a href="https://github.com/kubernetes/kube-aggregator" target="_blank">kube-aggregator</a>组件的角色。</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>system:kube-dns</strong></td>
|
||
<td><strong>kube-dns</strong> service account in the <strong>kube-system</strong>namespace</td>
|
||
<td><a href="https://k8smeetup.github.io/docs/admin/dns/" target="_blank">kube-dns</a>组件的角色。</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>system:node-bootstrapper</strong></td>
|
||
<td>None</td>
|
||
<td>允许对执行<a href="https://k8smeetup.github.io/docs/admin/kubelet-tls-bootstrapping/" target="_blank">Kubelet TLS引导(Kubelet TLS bootstrapping)</a>所需要资源的访问.</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>system:node-problem-detector</strong></td>
|
||
<td>None</td>
|
||
<td><a href="https://github.com/kubernetes/node-problem-detector" target="_blank">node-problem-detector</a>组件的角色。</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>system:persistent-volume-provisioner</strong></td>
|
||
<td>None</td>
|
||
<td>允许对大部分<a href="https://k8smeetup.github.io/docs/user-guide/persistent-volumes/#provisioner" target="_blank">动态存储卷创建组件(dynamic volume provisioner)</a>所需要资源的访问。</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<h3 id="控制器(controller)角色">控制器(Controller)角色</h3>
|
||
<p><a href="https://k8smeetup.github.io/docs/admin/kube-controller-manager/" target="_blank">Kubernetes controller manager</a>负责运行核心控制循环。 当使用<code>--use-service-account-credentials</code>选项运行controller manager时,每个控制循环都将使用单独的服务账户启动。 而每个控制循环都存在对应的角色,前缀名为<code>system:controller:</code>。 如果不使用<code>--use-service-account-credentials</code>选项时,controller manager将会使用自己的凭证运行所有控制循环,而这些凭证必须被授予相关的角色。 这些角色包括:</p>
|
||
<ul>
|
||
<li>system:controller:attachdetach-controller</li>
|
||
<li>system:controller:certificate-controller</li>
|
||
<li>system:controller:cronjob-controller</li>
|
||
<li>system:controller:daemon-set-controller</li>
|
||
<li>system:controller:deployment-controller</li>
|
||
<li>system:controller:disruption-controller</li>
|
||
<li>system:controller:endpoint-controller</li>
|
||
<li>system:controller:generic-garbage-collector</li>
|
||
<li>system:controller:horizontal-pod-autoscaler</li>
|
||
<li>system:controller:job-controller</li>
|
||
<li>system:controller:namespace-controller</li>
|
||
<li>system:controller:node-controller</li>
|
||
<li>system:controller:persistent-volume-binder</li>
|
||
<li>system:controller:pod-garbage-collector</li>
|
||
<li>system:controller:replicaset-controller</li>
|
||
<li>system:controller:replication-controller</li>
|
||
<li>system:controller:resourcequota-controller</li>
|
||
<li>system:controller:route-controller</li>
|
||
<li>system:controller:service-account-controller</li>
|
||
<li>system:controller:service-controller</li>
|
||
<li>system:controller:statefulset-controller</li>
|
||
<li>system:controller:ttl-controller</li>
|
||
</ul>
|
||
<h2 id="初始化与预防权限升级">初始化与预防权限升级</h2>
|
||
<p>RBAC API会阻止用户通过编辑角色或者角色绑定来升级权限。 由于这一点是在API级别实现的,所以在RBAC授权器(RBAC authorizer)未启用的状态下依然可以正常工作。</p>
|
||
<p>用户只有在拥有了角色所包含的所有权限的条件下才能创建/更新一个角色,这些操作还必须在角色所处的相同范围内进行(对于<code>ClusterRole</code>来说是集群范围,对于<code>Role</code>来说是在与角色相同的名字空间或者集群范围)。 例如,如果用户”user-1”没有权限读取集群范围内的secret列表,那么他也不能创建包含这种权限的<code>ClusterRole</code>。为了能够让用户创建/更新角色,需要:</p>
|
||
<ol>
|
||
<li>授予用户一个角色以允许他们根据需要创建/更新<code>Role</code>或者<code>ClusterRole</code>对象。</li>
|
||
<li>授予用户一个角色包含他们在<code>Role</code>或者<code>ClusterRole</code>中所能够设置的所有权限。如果用户尝试创建或者修改<code>Role</code>或者<code>ClusterRole</code>以设置那些他们未被授权的权限时,这些API请求将被禁止。</li>
|
||
</ol>
|
||
<p>用户只有在拥有所引用的角色中包含的所有权限时才可以创建/更新角色绑定(这些操作也必须在角色绑定所处的相同范围内进行)<em>或者</em>用户被明确授权可以在所引用的角色上执行绑定操作。 例如,如果用户”user-1”没有权限读取集群范围内的secret列表,那么他将不能创建<code>ClusterRole</code>来引用那些授予了此项权限的角色。为了能够让用户创建/更新角色绑定,需要:</p>
|
||
<ol>
|
||
<li>授予用户一个角色以允许他们根据需要创建/更新<code>RoleBinding</code>或者<code>ClusterRoleBinding</code>对象。</li>
|
||
<li>授予用户绑定某一特定角色所需要的权限:<ul>
|
||
<li>隐式地,通过授予用户所有所引用的角色中所包含的权限</li>
|
||
<li>显式地,通过授予用户在特定Role(或者ClusterRole)对象上执行<code>bind</code>操作的权限</li>
|
||
</ul>
|
||
</li>
|
||
</ol>
|
||
<p>例如,下面例子中的ClusterRole和RoleBinding将允许用户”user-1”授予其它用户”user-1-namespace”名字空间内的<code>admin</code>、<code>edit</code>和<code>view</code>等角色和角色绑定。</p>
|
||
<pre><code class="lang-yaml"><span class="hljs-attr">apiVersion:</span> rbac.authorization.k8s.io/v1beta1
|
||
<span class="hljs-attr">kind:</span> ClusterRole
|
||
<span class="hljs-attr">metadata:</span>
|
||
<span class="hljs-attr"> name:</span> role-grantor
|
||
<span class="hljs-attr">rules:</span>
|
||
<span class="hljs-attr">- apiGroups:</span> [<span class="hljs-string">"rbac.authorization.k8s.io"</span>]
|
||
<span class="hljs-attr"> resources:</span> [<span class="hljs-string">"rolebindings"</span>]
|
||
<span class="hljs-attr"> verbs:</span> [<span class="hljs-string">"create"</span>]
|
||
<span class="hljs-attr">- apiGroups:</span> [<span class="hljs-string">"rbac.authorization.k8s.io"</span>]
|
||
<span class="hljs-attr"> resources:</span> [<span class="hljs-string">"clusterroles"</span>]
|
||
<span class="hljs-attr"> verbs:</span> [<span class="hljs-string">"bind"</span>]
|
||
<span class="hljs-attr"> resourceNames:</span> [<span class="hljs-string">"admin"</span>,<span class="hljs-string">"edit"</span>,<span class="hljs-string">"view"</span>]
|
||
<span class="hljs-meta">---</span>
|
||
<span class="hljs-attr">apiVersion:</span> rbac.authorization.k8s.io/v1beta1
|
||
<span class="hljs-attr">kind:</span> RoleBinding
|
||
<span class="hljs-attr">metadata:</span>
|
||
<span class="hljs-attr"> name:</span> role-grantor-binding
|
||
<span class="hljs-attr"> namespace:</span> user<span class="hljs-bullet">-1</span>-namespace
|
||
<span class="hljs-attr">roleRef:</span>
|
||
<span class="hljs-attr"> apiGroup:</span> rbac.authorization.k8s.io
|
||
<span class="hljs-attr"> kind:</span> ClusterRole
|
||
<span class="hljs-attr"> name:</span> role-grantor
|
||
<span class="hljs-attr">subjects:</span>
|
||
<span class="hljs-attr">- apiGroup:</span> rbac.authorization.k8s.io
|
||
<span class="hljs-attr"> kind:</span> User
|
||
<span class="hljs-attr"> name:</span> user<span class="hljs-bullet">-1</span>
|
||
</code></pre>
|
||
<p>当初始化第一个角色和角色绑定时,初始用户需要能够授予他们尚未拥有的权限。 初始化初始角色和角色绑定时需要:</p>
|
||
<ul>
|
||
<li>使用包含<code>system:masters</code>用户组的凭证,该用户组通过默认绑定绑定到<code>cluster-admin</code>超级用户角色。</li>
|
||
<li>如果您的API Server在运行时启用了非安全端口(<code>--insecure-port</code>),您也可以通过这个没有施行认证或者授权的端口发送角色或者角色绑定请求。</li>
|
||
</ul>
|
||
<h2 id="一些命令行工具">一些命令行工具</h2>
|
||
<p>有两个<code>kubectl</code>命令可以用于在名字空间内或者整个集群内授予角色。</p>
|
||
<h3 id="kubectl-create-rolebinding"><code>kubectl create rolebinding</code></h3>
|
||
<p>在某一特定名字空间内授予<code>Role</code>或者<code>ClusterRole</code>。示例如下:</p>
|
||
<ul>
|
||
<li><p>在名为”acme”的名字空间中将<code>admin</code> <code>ClusterRole</code>授予用户”bob”:</p>
|
||
<p><code>kubectl create rolebinding bob-admin-binding --clusterrole=admin --user=bob --namespace=acme</code></p>
|
||
</li>
|
||
<li><p>在名为”acme”的名字空间中将<code>view</code> <code>ClusterRole</code>授予服务账户”myapp”:</p>
|
||
<p><code>kubectl create rolebinding myapp-view-binding --clusterrole=view --serviceaccount=acme:myapp --namespace=acme</code></p>
|
||
</li>
|
||
</ul>
|
||
<h3 id="kubectl-create-clusterrolebinding"><code>kubectl create clusterrolebinding</code></h3>
|
||
<p>在整个集群中授予<code>ClusterRole</code>,包括所有名字空间。示例如下:</p>
|
||
<ul>
|
||
<li><p>在整个集群范围内将<code>cluster-admin</code> <code>ClusterRole</code>授予用户”root”:</p>
|
||
<p><code>kubectl create clusterrolebinding root-cluster-admin-binding --clusterrole=cluster-admin --user=root</code></p>
|
||
</li>
|
||
<li><p>在整个集群范围内将<code>system:node</code> <code>ClusterRole</code>授予用户”kubelet”:</p>
|
||
<p><code>kubectl create clusterrolebinding kubelet-node-binding --clusterrole=system:node --user=kubelet</code></p>
|
||
</li>
|
||
<li><p>在整个集群范围内将<code>view</code> <code>ClusterRole</code>授予名字空间”acme”内的服务账户”myapp”:</p>
|
||
<p><code>kubectl create clusterrolebinding myapp-view-binding --clusterrole=view --serviceaccount=acme:myapp</code></p>
|
||
</li>
|
||
</ul>
|
||
<p>请参阅CLI帮助文档以获得上述命令的详细用法</p>
|
||
<h2 id="服务账户(service-account)权限">服务账户(Service Account)权限</h2>
|
||
<p>默认的RBAC策略将授予控制平面组件(control-plane component)、节点(node)和控制器(controller)一组范围受限的权限, 但对于”kube-system”名字空间以外的服务账户,则<em>不授予任何权限</em>(超出授予所有认证用户的发现权限)。</p>
|
||
<p>这一点允许您根据需要向特定服务账号授予特定权限。 细粒度的角色绑定将提供更好的安全性,但需要更多精力管理。 更粗粒度的授权可能授予服务账号不需要的API访问权限(甚至导致潜在授权扩散),但更易于管理。</p>
|
||
<p>从最安全到最不安全可以排序以下方法:</p>
|
||
<ol>
|
||
<li><p>对某一特定应用程序的服务账户授予角色(最佳实践)</p>
|
||
<p>要求应用程序在其pod规范(pod spec)中指定<code>serviceAccountName</code>字段,并且要创建相应服务账户(例如通过API、应用程序清单或者命令<code>kubectl create serviceaccount</code>等)。</p>
|
||
<p>例如,在”my-namespace”名字空间中授予服务账户”my-sa”只读权限:</p>
|
||
<pre><code class="lang-bash">kubectl create rolebinding my-sa-view \
|
||
--clusterrole=view \
|
||
--serviceaccount=my-namespace:my-sa \
|
||
--namespace=my-namespace
|
||
</code></pre>
|
||
</li>
|
||
<li><p>在某一名字空间中授予”default”服务账号一个角色</p>
|
||
<p>如果一个应用程序没有在其pod规范中指定<code>serviceAccountName</code>,它将默认使用”default”服务账号。</p>
|
||
<p>注意:授予”default”服务账号的权限将可用于名字空间内任何没有指定<code>serviceAccountName</code>的pod。</p>
|
||
<p>下面的例子将在”my-namespace”名字空间内授予”default”服务账号只读权限:</p>
|
||
<pre><code class="lang-bash">kubectl create rolebinding default-view \
|
||
--clusterrole=view \
|
||
--serviceaccount=my-namespace:default \
|
||
--namespace=my-namespace
|
||
</code></pre>
|
||
<p>目前,许多[加载项(addon)](/ docs / concepts / cluster-administration / addons /)作为”kube-system”名字空间中的”default”服务帐户运行。 要允许这些加载项使用超级用户访问权限,请将cluster-admin权限授予”kube-system”名字空间中的”default”服务帐户。 注意:启用上述操作意味着”kube-system”名字空间将包含允许超级用户访问API的秘钥。</p>
|
||
<pre><code class="lang-bash">kubectl create clusterrolebinding add-on-cluster-admin \
|
||
--clusterrole=cluster-admin \
|
||
--serviceaccount=kube-system:default
|
||
</code></pre>
|
||
</li>
|
||
<li><p>为名字空间中所有的服务账号授予角色</p>
|
||
<p>如果您希望名字空间内的所有应用程序都拥有同一个角色,无论它们使用什么服务账户,您可以为该名字空间的服务账户用户组授予角色。</p>
|
||
<p>下面的例子将授予”my-namespace”名字空间中的所有服务账户只读权限:</p>
|
||
<pre><code class="lang-bash">kubectl create rolebinding serviceaccounts-view \
|
||
--clusterrole=view \
|
||
--group=system:serviceaccounts:my-namespace \
|
||
--namespace=my-namespace
|
||
</code></pre>
|
||
</li>
|
||
<li><p>对集群范围内的所有服务账户授予一个受限角色(不鼓励)</p>
|
||
<p>如果您不想管理每个命名空间的权限,则可以将集群范围角色授予所有服务帐户。</p>
|
||
<p>下面的例子将所有名字空间中的只读权限授予集群中的所有服务账户:</p>
|
||
<pre><code class="lang-bash">kubectl create clusterrolebinding serviceaccounts-view \
|
||
--clusterrole=view \
|
||
--group=system:serviceaccounts
|
||
</code></pre>
|
||
</li>
|
||
<li><p>授予超级用户访问权限给集群范围内的所有服务帐户(强烈不鼓励)</p>
|
||
<p>如果您根本不关心权限分块,您可以对所有服务账户授予超级用户访问权限。</p>
|
||
<p>警告:这种做法将允许任何具有读取权限的用户访问secret或者通过创建一个容器的方式来访问超级用户的凭据。</p>
|
||
<pre><code class="lang-bash">kubectl create clusterrolebinding serviceaccounts-cluster-admin \
|
||
--clusterrole=cluster-admin \
|
||
--group=system:serviceaccounts
|
||
</code></pre>
|
||
</li>
|
||
</ol>
|
||
<h2 id="从版本15升级">从版本1.5升级</h2>
|
||
<p>在Kubernetes 1.6之前,许多部署使用非常宽泛的ABAC策略,包括授予对所有服务帐户的完整API访问权限。</p>
|
||
<p>默认的RBAC策略将授予控制平面组件(control-plane components)、节点(nodes)和控制器(controller)一组范围受限的权限, 但对于”kube-system”名字空间以外的服务账户,则<em>不授予任何权限</em>(超出授予所有认证用户的发现权限)。</p>
|
||
<p>虽然安全性更高,但这可能会影响到期望自动接收API权限的现有工作负载。 以下是管理此转换的两种方法:</p>
|
||
<h3 id="并行授权器(authorizer)">并行授权器(authorizer)</h3>
|
||
<p>同时运行RBAC和ABAC授权器,并包括旧版ABAC策略:</p>
|
||
<pre><code>--authorization-mode=RBAC,ABAC --authorization-policy-file=mypolicy.jsonl
|
||
</code></pre><p>RBAC授权器将尝试首先授权请求。如果RBAC授权器拒绝API请求,则ABAC授权器将被运行。这意味着RBAC策略<em>或者</em>ABAC策略所允许的任何请求都是可通过的。</p>
|
||
<p>当以日志级别为2或更高(<code>--v = 2</code>)运行时,您可以在API Server日志中看到RBAC拒绝请求信息(以<code>RBAC DENY:</code>为前缀)。 您可以使用该信息来确定哪些角色需要授予哪些用户,用户组或服务帐户。 一旦<a href="https://k8smeetup.github.io/docs/admin/authorization/rbac/#service-account-permissions" target="_blank">授予服务帐户角色</a>,并且服务器日志中没有RBAC拒绝消息的工作负载正在运行,您可以删除ABAC授权器。</p>
|
||
<h3 id="宽泛的rbac权限">宽泛的RBAC权限</h3>
|
||
<p>您可以使用RBAC角色绑定来复制一个宽泛的策略。</p>
|
||
<p><strong>警告:以下政策略允许所有服务帐户作为集群管理员。 运行在容器中的任何应用程序都会自动接收服务帐户凭据,并且可以对API执行任何操作,包括查看secret和修改权限。 因此,并不推荐使用这种策略。</strong></p>
|
||
<pre><code class="lang-bash">kubectl create clusterrolebinding permissive-binding \
|
||
--clusterrole=cluster-admin \
|
||
--user=admin \
|
||
--user=kubelet \
|
||
--group=system:serviceaccounts
|
||
</code></pre>
|
||
<footer class="page-footer-ex"> <span class="page-footer-ex-copyright">for GitBook</span>           <span class="page-footer-ex-footer-update">update
|
||
2017-08-31 14:03:16
|
||
</span></footer>
|
||
|
||
</section>
|
||
|
||
</div>
|
||
<div class="search-results">
|
||
<div class="has-results">
|
||
|
||
<h1 class="search-results-title"><span class='search-results-count'></span> results matching "<span class='search-query'></span>"</h1>
|
||
<ul class="search-results-list"></ul>
|
||
|
||
</div>
|
||
<div class="no-results">
|
||
|
||
<h1 class="search-results-title">No results matching "<span class='search-query'></span>"</h1>
|
||
|
||
</div>
|
||
</div>
|
||
</div>
|
||
|
||
</div>
|
||
</div>
|
||
|
||
</div>
|
||
|
||
|
||
|
||
<a href="kubectl-user-authentication-authorization.html" class="navigation navigation-prev " aria-label="Previous page: 3.3.4 kubectl的用户认证授权">
|
||
<i class="fa fa-angle-left"></i>
|
||
</a>
|
||
|
||
|
||
<a href="access-kubernetes-cluster.html" class="navigation navigation-next " aria-label="Next page: 3.4 访问 Kubernetes 集群">
|
||
<i class="fa fa-angle-right"></i>
|
||
</a>
|
||
|
||
|
||
|
||
</div>
|
||
|
||
<script>
|
||
var gitbook = gitbook || [];
|
||
gitbook.push(function() {
|
||
gitbook.page.hasChanged({"page":{"title":"3.3.5 RBAC——基于角色的访问控制","level":"1.3.3.5","depth":3,"next":{"title":"3.4 访问 Kubernetes 集群","level":"1.3.4","depth":2,"path":"guide/access-kubernetes-cluster.md","ref":"guide/access-kubernetes-cluster.md","articles":[{"title":"3.4.1 访问集群","level":"1.3.4.1","depth":3,"path":"guide/access-cluster.md","ref":"guide/access-cluster.md","articles":[]},{"title":"3.4.2 使用 kubeconfig 文件配置跨集群认证","level":"1.3.4.2","depth":3,"path":"guide/authenticate-across-clusters-kubeconfig.md","ref":"guide/authenticate-across-clusters-kubeconfig.md","articles":[]},{"title":"3.4.3 通过端口转发访问集群中的应用程序","level":"1.3.4.3","depth":3,"path":"guide/connecting-to-applications-port-forward.md","ref":"guide/connecting-to-applications-port-forward.md","articles":[]},{"title":"3.4.4 使用 service 访问群集中的应用程序","level":"1.3.4.4","depth":3,"path":"guide/service-access-application-cluster.md","ref":"guide/service-access-application-cluster.md","articles":[]}]},"previous":{"title":"3.3.4 kubectl的用户认证授权","level":"1.3.3.4","depth":3,"path":"guide/kubectl-user-authentication-authorization.md","ref":"guide/kubectl-user-authentication-authorization.md","articles":[]},"dir":"ltr"},"config":{"plugins":["github","codesnippet","splitter","page-toc-button","image-captions","page-footer-ex","editlink","-lunr","-search","search-plus"],"styles":{"website":"styles/website.css","pdf":"styles/pdf.css","epub":"styles/epub.css","mobi":"styles/mobi.css","ebook":"styles/ebook.css","print":"styles/print.css"},"pluginsConfig":{"github":{"url":"https://github.com/rootsongjc/kubernetes-handbook"},"editlink":{"label":"编辑本页","multilingual":false,"base":"https://github.com/rootsongjc/kubernetes-handbook/blob/master/"},"page-footer-ex":{"copyright":"for GitBook","update_format":"YYYY-MM-DD HH:mm:ss","update_label":"update"},"splitter":{},"codesnippet":{},"fontsettings":{"theme":"white","family":"sans","size":2},"highlight":{},"page-toc-button":{},"sharing":{"facebook":true,"twitter":true,"google":false,"weibo":false,"instapaper":false,"vk":false,"all":["facebook","google","twitter","weibo","instapaper"]},"theme-default":{"styles":{"website":"styles/website.css","pdf":"styles/pdf.css","epub":"styles/epub.css","mobi":"styles/mobi.css","ebook":"styles/ebook.css","print":"styles/print.css"},"showLevel":false},"search-plus":{},"image-captions":{"variable_name":"_pictures"}},"page-footer-ex":{"copyright":"Jimmy Song","update_label":"最后更新:","update_format":"YYYY-MM-DD HH:mm:ss"},"theme":"default","author":"Jimmy Song","pdf":{"pageNumbers":true,"fontSize":12,"fontFamily":"Arial","paperSize":"a4","chapterMark":"pagebreak","pageBreaksBefore":"/","margin":{"right":62,"left":62,"top":56,"bottom":56}},"structure":{"langs":"LANGS.md","readme":"README.md","glossary":"GLOSSARY.md","summary":"SUMMARY.md"},"variables":{"_pictures":[{"backlink":"concepts/index.html#fig1.2.1","level":"1.2","list_caption":"Figure: Borg架构","alt":"Borg架构","nro":1,"url":"../images/borg.png","index":1,"caption_template":"Figure: _CAPTION_","label":"Borg架构","attributes":{},"skip":false,"key":"1.2.1"},{"backlink":"concepts/index.html#fig1.2.2","level":"1.2","list_caption":"Figure: Kubernetes架构","alt":"Kubernetes架构","nro":2,"url":"../images/architecture.png","index":2,"caption_template":"Figure: _CAPTION_","label":"Kubernetes架构","attributes":{},"skip":false,"key":"1.2.2"},{"backlink":"concepts/index.html#fig1.2.3","level":"1.2","list_caption":"Figure: kubernetes整体架构示意图","alt":"kubernetes整体架构示意图","nro":3,"url":"../images/kubernetes-whole-arch.png","index":3,"caption_template":"Figure: _CAPTION_","label":"kubernetes整体架构示意图","attributes":{},"skip":false,"key":"1.2.3"},{"backlink":"concepts/index.html#fig1.2.4","level":"1.2","list_caption":"Figure: Kubernetes master架构示意图","alt":"Kubernetes master架构示意图","nro":4,"url":"../images/kubernetes-master-arch.png","index":4,"caption_template":"Figure: _CAPTION_","label":"Kubernetes master架构示意图","attributes":{},"skip":false,"key":"1.2.4"},{"backlink":"concepts/index.html#fig1.2.5","level":"1.2","list_caption":"Figure: kubernetes node架构示意图","alt":"kubernetes node架构示意图","nro":5,"url":"../images/kubernetes-node-arch.png","index":5,"caption_template":"Figure: _CAPTION_","label":"kubernetes node架构示意图","attributes":{},"skip":false,"key":"1.2.5"},{"backlink":"concepts/index.html#fig1.2.6","level":"1.2","list_caption":"Figure: Kubernetes分层架构示意图","alt":"Kubernetes分层架构示意图","nro":6,"url":"../images/kubernetes-layers-arch.jpg","index":6,"caption_template":"Figure: _CAPTION_","label":"Kubernetes分层架构示意图","attributes":{},"skip":false,"key":"1.2.6"},{"backlink":"concepts/concepts.html#fig1.2.1.1","level":"1.2.1","list_caption":"Figure: 分层架构示意图","alt":"分层架构示意图","nro":7,"url":"../images/kubernetes-layers-arch.jpg","index":1,"caption_template":"Figure: _CAPTION_","label":"分层架构示意图","attributes":{},"skip":false,"key":"1.2.1.1"},{"backlink":"concepts/pod-overview.html#fig1.2.2.1.1","level":"1.2.2.1","list_caption":"Figure: pod diagram","alt":"pod diagram","nro":8,"url":"../images/pod-overview.png","index":1,"caption_template":"Figure: _CAPTION_","label":"pod diagram","attributes":{},"skip":false,"key":"1.2.2.1.1"},{"backlink":"concepts/pod.html#fig1.2.2.1.1.1","level":"1.2.2.1.1","list_caption":"Figure: Pod示意图","alt":"Pod示意图","nro":9,"url":"../images/pod-overview.png","index":1,"caption_template":"Figure: _CAPTION_","label":"Pod示意图","attributes":{},"skip":false,"key":"1.2.2.1.1.1"},{"backlink":"concepts/pod.html#fig1.2.2.1.1.2","level":"1.2.2.1.1","list_caption":"Figure: Pod Cheatsheet","alt":"Pod Cheatsheet","nro":10,"url":"../images/kubernetes-pod-cheatsheet.png","index":2,"caption_template":"Figure: _CAPTION_","label":"Pod Cheatsheet","attributes":{},"skip":false,"key":"1.2.2.1.1.2"},{"backlink":"concepts/service.html#fig1.2.2.4.1","level":"1.2.2.4","list_caption":"Figure: userspace代理模式下Service概览图","alt":"userspace代理模式下Service概览图","nro":11,"url":"https://d33wubrfki0l68.cloudfront.net/b8e1022c2dd815d8dd36b1bc4f0cc3ad870a924f/1dd12/images/docs/services-userspace-overview.svg","index":1,"caption_template":"Figure: _CAPTION_","label":"userspace代理模式下Service概览图","attributes":{},"skip":false,"key":"1.2.2.4.1"},{"backlink":"concepts/service.html#fig1.2.2.4.2","level":"1.2.2.4","list_caption":"Figure: iptables代理模式下Service概览图","alt":"iptables代理模式下Service概览图","nro":12,"url":"https://d33wubrfki0l68.cloudfront.net/837afa5715eb31fb9ca6516ec6863e810f437264/42951/images/docs/services-iptables-overview.svg","index":2,"caption_template":"Figure: _CAPTION_","label":"iptables代理模式下Service概览图","attributes":{},"skip":false,"key":"1.2.2.4.2"},{"backlink":"concepts/deployment.html#fig1.2.2.6.1","level":"1.2.2.6","list_caption":"Figure: kubernetes deployment cheatsheet","alt":"kubernetes deployment cheatsheet","nro":13,"url":"../images/deployment-cheatsheet.png","index":1,"caption_template":"Figure: _CAPTION_","label":"kubernetes deployment cheatsheet","attributes":{},"skip":false,"key":"1.2.2.6.1"},{"backlink":"concepts/horizontal-pod-autoscaling.html#fig1.2.2.16.1","level":"1.2.2.16","list_caption":"Figure: horizontal-pod-autoscaler","alt":"horizontal-pod-autoscaler","nro":14,"url":"../images/horizontal-pod-autoscaler.png","index":1,"caption_template":"Figure: _CAPTION_","label":"horizontal-pod-autoscaler","attributes":{},"skip":false,"key":"1.2.2.16.1"},{"backlink":"concepts/label.html#fig1.2.2.17.1","level":"1.2.2.17","list_caption":"Figure: label示意图","alt":"label示意图","nro":15,"url":"../images/labels.png","index":1,"caption_template":"Figure: _CAPTION_","label":"label示意图","attributes":{},"skip":false,"key":"1.2.2.17.1"},{"backlink":"guide/using-kubectl.html#fig1.3.2.1.1","level":"1.3.2.1","list_caption":"Figure: kubectl cheatsheet","alt":"kubectl cheatsheet","nro":16,"url":"../images/kubernetes-kubectl-cheatsheet.png","index":1,"caption_template":"Figure: _CAPTION_","label":"kubectl cheatsheet","attributes":{},"skip":false,"key":"1.3.2.1.1"},{"backlink":"guide/using-kubectl.html#fig1.3.2.1.2","level":"1.3.2.1","list_caption":"Figure: kube-shell页面","alt":"kube-shell页面","nro":17,"url":"../images/kube-shell.jpg","index":2,"caption_template":"Figure: _CAPTION_","label":"kube-shell页面","attributes":{},"skip":false,"key":"1.3.2.1.2"},{"backlink":"guide/deploy-applications-in-kubernetes.html#fig1.3.5.1.1","level":"1.3.5.1","list_caption":"Figure: API","alt":"API","nro":18,"url":"../images/k8s-app-monitor-test-api-doc.jpg","index":1,"caption_template":"Figure: _CAPTION_","label":"API","attributes":{},"skip":false,"key":"1.3.5.1.1"},{"backlink":"guide/deploy-applications-in-kubernetes.html#fig1.3.5.1.2","level":"1.3.5.1","list_caption":"Figure: wercker","alt":"wercker","nro":19,"url":"../images/k8s-app-monitor-agent-wercker.jpg","index":2,"caption_template":"Figure: _CAPTION_","label":"wercker","attributes":{},"skip":false,"key":"1.3.5.1.2"},{"backlink":"guide/deploy-applications-in-kubernetes.html#fig1.3.5.1.3","level":"1.3.5.1","list_caption":"Figure: 图表","alt":"图表","nro":20,"url":"../images/k8s-app-monitor-agent.jpg","index":3,"caption_template":"Figure: _CAPTION_","label":"图表","attributes":{},"skip":false,"key":"1.3.5.1.3"},{"backlink":"guide/migrating-hadoop-yarn-to-kubernetes.html#fig1.3.5.2.1","level":"1.3.5.2","list_caption":"Figure: spark on yarn with kubernetes","alt":"spark on yarn with kubernetes","nro":21,"url":"../images/spark-on-yarn-with-kubernetes.png","index":1,"caption_template":"Figure: _CAPTION_","label":"spark on yarn with kubernetes","attributes":{},"skip":false,"key":"1.3.5.2.1"},{"backlink":"guide/migrating-hadoop-yarn-to-kubernetes.html#fig1.3.5.2.2","level":"1.3.5.2","list_caption":"Figure: Terms","alt":"Terms","nro":22,"url":"../images/terms-in-kubernetes-app-deployment.png","index":2,"caption_template":"Figure: _CAPTION_","label":"Terms","attributes":{},"skip":false,"key":"1.3.5.2.2"},{"backlink":"guide/migrating-hadoop-yarn-to-kubernetes.html#fig1.3.5.2.3","level":"1.3.5.2","list_caption":"Figure: 分解步骤解析","alt":"分解步骤解析","nro":23,"url":"../images/migrating-hadoop-yarn-to-kubernetes.png","index":3,"caption_template":"Figure: _CAPTION_","label":"分解步骤解析","attributes":{},"skip":false,"key":"1.3.5.2.3"},{"backlink":"practice/node-installation.html#fig1.4.1.6.1","level":"1.4.1.6","list_caption":"Figure: welcome-nginx","alt":"welcome-nginx","nro":24,"url":"http://olz1di9xf.bkt.clouddn.com/kubernetes-installation-test-nginx.png","index":1,"caption_template":"Figure: _CAPTION_","label":"welcome-nginx","attributes":{},"skip":false,"key":"1.4.1.6.1"},{"backlink":"practice/dashboard-addon-installation.html#fig1.4.1.8.1","level":"1.4.1.8","list_caption":"Figure: kubernetes-dashboard","alt":"kubernetes-dashboard","nro":25,"url":"http://olz1di9xf.bkt.clouddn.com/kubernetes-dashboard-raw.jpg","index":1,"caption_template":"Figure: _CAPTION_","label":"kubernetes-dashboard","attributes":{},"skip":false,"key":"1.4.1.8.1"},{"backlink":"practice/heapster-addon-installation.html#fig1.4.1.9.1","level":"1.4.1.9","list_caption":"Figure: dashboard-heapster","alt":"dashboard-heapster","nro":26,"url":"../images/kubernetes-dashboard-with-heapster.jpg","index":1,"caption_template":"Figure: _CAPTION_","label":"dashboard-heapster","attributes":{},"skip":false,"key":"1.4.1.9.1"},{"backlink":"practice/heapster-addon-installation.html#fig1.4.1.9.2","level":"1.4.1.9","list_caption":"Figure: grafana","alt":"grafana","nro":27,"url":"../images/kubernetes-heapster-grafana.jpg","index":2,"caption_template":"Figure: _CAPTION_","label":"grafana","attributes":{},"skip":false,"key":"1.4.1.9.2"},{"backlink":"practice/heapster-addon-installation.html#fig1.4.1.9.3","level":"1.4.1.9","list_caption":"Figure: kubernetes-influxdb-heapster","alt":"kubernetes-influxdb-heapster","nro":28,"url":"../images/kubernetes-influxdb-heapster.jpg","index":3,"caption_template":"Figure: _CAPTION_","label":"kubernetes-influxdb-heapster","attributes":{},"skip":false,"key":"1.4.1.9.3"},{"backlink":"practice/efk-addon-installation.html#fig1.4.1.10.1","level":"1.4.1.10","list_caption":"Figure: es-setting","alt":"es-setting","nro":29,"url":"../images/es-setting.png","index":1,"caption_template":"Figure: _CAPTION_","label":"es-setting","attributes":{},"skip":false,"key":"1.4.1.10.1"},{"backlink":"practice/efk-addon-installation.html#fig1.4.1.10.2","level":"1.4.1.10","list_caption":"Figure: es-home","alt":"es-home","nro":30,"url":"../images/kubernetes-efk-kibana.jpg","index":2,"caption_template":"Figure: _CAPTION_","label":"es-home","attributes":{},"skip":false,"key":"1.4.1.10.2"},{"backlink":"practice/traefik-ingress-installation.html#fig1.4.2.1.1","level":"1.4.2.1","list_caption":"Figure: kubernetes-dashboard","alt":"kubernetes-dashboard","nro":31,"url":"../images/traefik-dashboard.jpg","index":1,"caption_template":"Figure: _CAPTION_","label":"kubernetes-dashboard","attributes":{},"skip":false,"key":"1.4.2.1.1"},{"backlink":"practice/traefik-ingress-installation.html#fig1.4.2.1.2","level":"1.4.2.1","list_caption":"Figure: traefik-nginx","alt":"traefik-nginx","nro":32,"url":"../images/traefik-nginx.jpg","index":2,"caption_template":"Figure: _CAPTION_","label":"traefik-nginx","attributes":{},"skip":false,"key":"1.4.2.1.2"},{"backlink":"practice/traefik-ingress-installation.html#fig1.4.2.1.3","level":"1.4.2.1","list_caption":"Figure: traefik-guestbook","alt":"traefik-guestbook","nro":33,"url":"../images/traefik-guestbook.jpg","index":3,"caption_template":"Figure: _CAPTION_","label":"traefik-guestbook","attributes":{},"skip":false,"key":"1.4.2.1.3"},{"backlink":"practice/distributed-load-test.html#fig1.4.2.2.1","level":"1.4.2.2","list_caption":"Figure: traefik-dashboard-locust","alt":"traefik-dashboard-locust","nro":34,"url":"../images/traefik-dashboard-locust.jpg","index":1,"caption_template":"Figure: _CAPTION_","label":"traefik-dashboard-locust","attributes":{},"skip":false,"key":"1.4.2.2.1"},{"backlink":"practice/distributed-load-test.html#fig1.4.2.2.2","level":"1.4.2.2","list_caption":"Figure: locust-start-swarming","alt":"locust-start-swarming","nro":35,"url":"../images/locust-start-swarming.jpg","index":2,"caption_template":"Figure: _CAPTION_","label":"locust-start-swarming","attributes":{},"skip":false,"key":"1.4.2.2.2"},{"backlink":"practice/distributed-load-test.html#fig1.4.2.2.3","level":"1.4.2.2","list_caption":"Figure: sample-webapp-rc","alt":"sample-webapp-rc","nro":36,"url":"../images/sample-webapp-rc.jpg","index":3,"caption_template":"Figure: _CAPTION_","label":"sample-webapp-rc","attributes":{},"skip":false,"key":"1.4.2.2.3"},{"backlink":"practice/distributed-load-test.html#fig1.4.2.2.4","level":"1.4.2.2","list_caption":"Figure: locust-dashboard","alt":"locust-dashboard","nro":37,"url":"../images/locust-dashboard.jpg","index":4,"caption_template":"Figure: _CAPTION_","label":"locust-dashboard","attributes":{},"skip":false,"key":"1.4.2.2.4"},{"backlink":"practice/network-and-cluster-perfermance-test.html#fig1.4.2.3.1","level":"1.4.2.3","list_caption":"Figure: kubernetes-dashboard","alt":"kubernetes-dashboard","nro":38,"url":"http://olz1di9xf.bkt.clouddn.com/kubenetes-e2e-test.jpg","index":1,"caption_template":"Figure: _CAPTION_","label":"kubernetes-dashboard","attributes":{},"skip":false,"key":"1.4.2.3.1"},{"backlink":"practice/network-and-cluster-perfermance-test.html#fig1.4.2.3.2","level":"1.4.2.3","list_caption":"Figure: locust-test","alt":"locust-test","nro":39,"url":"http://olz1di9xf.bkt.clouddn.com/kubernetes-locust-test.jpg","index":2,"caption_template":"Figure: _CAPTION_","label":"locust-test","attributes":{},"skip":false,"key":"1.4.2.3.2"},{"backlink":"practice/edge-node-configuration.html#fig1.4.2.4.1","level":"1.4.2.4","list_caption":"Figure: 边缘节点架构","alt":"边缘节点架构","nro":40,"url":"../images/kubernetes-edge-node-architecture.png","index":1,"caption_template":"Figure: _CAPTION_","label":"边缘节点架构","attributes":{},"skip":false,"key":"1.4.2.4.1"},{"backlink":"practice/app-log-collection.html#fig1.4.3.2.1","level":"1.4.3.2","list_caption":"Figure: logstash日志收集架构图","alt":"logstash日志收集架构图","nro":41,"url":"../images/filebeat-log-collector.png","index":1,"caption_template":"Figure: _CAPTION_","label":"logstash日志收集架构图","attributes":{},"skip":false,"key":"1.4.3.2.1"},{"backlink":"practice/app-log-collection.html#fig1.4.3.2.2","level":"1.4.3.2","list_caption":"Figure: Kibana页面","alt":"Kibana页面","nro":42,"url":"../images/filebeat-docker-test.jpg","index":2,"caption_template":"Figure: _CAPTION_","label":"Kibana页面","attributes":{},"skip":false,"key":"1.4.3.2.2"},{"backlink":"practice/app-log-collection.html#fig1.4.3.2.3","level":"1.4.3.2","list_caption":"Figure: filebeat收集的日志详细信息","alt":"filebeat收集的日志详细信息","nro":43,"url":"../images/kubernetes-filebeat-detail.png","index":3,"caption_template":"Figure: _CAPTION_","label":"filebeat收集的日志详细信息","attributes":{},"skip":false,"key":"1.4.3.2.3"},{"backlink":"practice/monitor.html#fig1.4.3.4.1","level":"1.4.3.4","list_caption":"Figure: Kubernetes集群中的监控","alt":"Kubernetes集群中的监控","nro":44,"url":"../images/monitoring-in-kubernetes.png","index":1,"caption_template":"Figure: _CAPTION_","label":"Kubernetes集群中的监控","attributes":{},"skip":false,"key":"1.4.3.4.1"},{"backlink":"practice/monitor.html#fig1.4.3.4.2","level":"1.4.3.4","list_caption":"Figure: kubernetes的容器命名规则示意图","alt":"kubernetes的容器命名规则示意图","nro":45,"url":"../images/kubernetes-container-naming-rule.jpg","index":2,"caption_template":"Figure: _CAPTION_","label":"kubernetes的容器命名规则示意图","attributes":{},"skip":false,"key":"1.4.3.4.2"},{"backlink":"practice/monitor.html#fig1.4.3.4.3","level":"1.4.3.4","list_caption":"Figure: Heapster架构图(改进版)","alt":"Heapster架构图(改进版)","nro":46,"url":"../images/kubernetes-heapster-monitoring.png","index":3,"caption_template":"Figure: _CAPTION_","label":"Heapster架构图(改进版)","attributes":{},"skip":false,"key":"1.4.3.4.3"},{"backlink":"practice/monitor.html#fig1.4.3.4.4","level":"1.4.3.4","list_caption":"Figure: 应用监控架构图","alt":"应用监控架构图","nro":47,"url":"../images/kubernetes-app-monitoring.png","index":4,"caption_template":"Figure: _CAPTION_","label":"应用监控架构图","attributes":{},"skip":false,"key":"1.4.3.4.4"},{"backlink":"practice/monitor.html#fig1.4.3.4.5","level":"1.4.3.4","list_caption":"Figure: 应用拓扑图","alt":"应用拓扑图","nro":48,"url":"../images/weave-scope-service-topology.jpg","index":5,"caption_template":"Figure: _CAPTION_","label":"应用拓扑图","attributes":{},"skip":false,"key":"1.4.3.4.5"},{"backlink":"practice/jenkins-ci-cd.html#fig1.4.3.5.1","level":"1.4.3.5","list_caption":"Figure: 基于Jenkins的持续集成与发布","alt":"基于Jenkins的持续集成与发布","nro":49,"url":"../images/kubernetes-jenkins-ci-cd.png","index":1,"caption_template":"Figure: _CAPTION_","label":"基于Jenkins的持续集成与发布","attributes":{},"skip":false,"key":"1.4.3.5.1"},{"backlink":"practice/data-persistence-problem.html#fig1.4.3.6.1","level":"1.4.3.6","list_caption":"Figure: 日志持久化收集解决方案示意图","alt":"日志持久化收集解决方案示意图","nro":50,"url":"../images/log-persistence-logstash.png","index":1,"caption_template":"Figure: _CAPTION_","label":"日志持久化收集解决方案示意图","attributes":{},"skip":false,"key":"1.4.3.6.1"},{"backlink":"practice/storage-for-containers-using-glusterfs-with-openshift.html#fig1.4.4.1.2.1","level":"1.4.4.1.2","list_caption":"Figure: Screen Shot 2017-03-23 at 21.50.34","alt":"Screen Shot 2017-03-23 at 21.50.34","nro":51,"url":"https://keithtenzer.files.wordpress.com/2017/03/screen-shot-2017-03-23-at-21-50-34.png?w=440","index":1,"caption_template":"Figure: _CAPTION_","label":"Screen Shot 2017-03-23 at 21.50.34","attributes":{},"skip":false,"key":"1.4.4.1.2.1"},{"backlink":"practice/storage-for-containers-using-glusterfs-with-openshift.html#fig1.4.4.1.2.2","level":"1.4.4.1.2","list_caption":"Figure: Screen Shot 2017-03-24 at 11.09.34.png","alt":"Screen Shot 2017-03-24 at 11.09.34.png","nro":52,"url":"https://keithtenzer.files.wordpress.com/2017/03/screen-shot-2017-03-24-at-11-09-341.png?w=440","index":2,"caption_template":"Figure: _CAPTION_","label":"Screen Shot 2017-03-24 at 11.09.34.png","attributes":{},"skip":false,"key":"1.4.4.1.2.2"},{"backlink":"usecases/istio.html#fig1.5.1.1.1","level":"1.5.1.1","list_caption":"Figure: Istio架构图","alt":"Istio架构图","nro":53,"url":"../images/istio-arch.jpg","index":1,"caption_template":"Figure: _CAPTION_","label":"Istio架构图","attributes":{},"skip":false,"key":"1.5.1.1.1"},{"backlink":"usecases/istio-installation.html#fig1.5.1.1.1.1","level":"1.5.1.1.1","list_caption":"Figure: BookInfo Sample应用架构图","alt":"BookInfo Sample应用架构图","nro":54,"url":"../images/bookinfo-sample-arch.png","index":1,"caption_template":"Figure: _CAPTION_","label":"BookInfo Sample应用架构图","attributes":{},"skip":false,"key":"1.5.1.1.1.1"},{"backlink":"usecases/istio-installation.html#fig1.5.1.1.1.2","level":"1.5.1.1.1","list_caption":"Figure: BookInfo Sample页面","alt":"BookInfo Sample页面","nro":55,"url":"../images/bookinfo-sample.jpg","index":2,"caption_template":"Figure: _CAPTION_","label":"BookInfo Sample页面","attributes":{},"skip":false,"key":"1.5.1.1.1.2"},{"backlink":"usecases/istio-installation.html#fig1.5.1.1.1.3","level":"1.5.1.1.1","list_caption":"Figure: Istio Grafana界面","alt":"Istio Grafana界面","nro":56,"url":"../images/istio-grafana.jpg","index":3,"caption_template":"Figure: _CAPTION_","label":"Istio Grafana界面","attributes":{},"skip":false,"key":"1.5.1.1.1.3"},{"backlink":"usecases/istio-installation.html#fig1.5.1.1.1.4","level":"1.5.1.1.1","list_caption":"Figure: Prometheus页面","alt":"Prometheus页面","nro":57,"url":"../images/istio-prometheus.jpg","index":4,"caption_template":"Figure: _CAPTION_","label":"Prometheus页面","attributes":{},"skip":false,"key":"1.5.1.1.1.4"},{"backlink":"usecases/istio-installation.html#fig1.5.1.1.1.5","level":"1.5.1.1.1","list_caption":"Figure: Zipkin页面","alt":"Zipkin页面","nro":58,"url":"../images/istio-zipkin.jpg","index":5,"caption_template":"Figure: _CAPTION_","label":"Zipkin页面","attributes":{},"skip":false,"key":"1.5.1.1.1.5"},{"backlink":"usecases/istio-installation.html#fig1.5.1.1.1.6","level":"1.5.1.1.1","list_caption":"Figure: ServiceGraph页面","alt":"ServiceGraph页面","nro":59,"url":"../images/istio-servicegraph.jpg","index":6,"caption_template":"Figure: _CAPTION_","label":"ServiceGraph页面","attributes":{},"skip":false,"key":"1.5.1.1.1.6"},{"backlink":"usecases/linkerd.html#fig1.5.1.2.1","level":"1.5.1.2","list_caption":"Figure: source https://linkerd.io","alt":"source https://linkerd.io","nro":60,"url":"https://linkerd.io/images/diagram-individual-instance.png","index":1,"caption_template":"Figure: _CAPTION_","label":"source https://linkerd.io","attributes":{},"skip":false,"key":"1.5.1.2.1"},{"backlink":"usecases/linkerd-user-guide.html#fig1.5.1.2.1.1","level":"1.5.1.2.1","list_caption":"Figure: Jenkins pipeline","alt":"Jenkins pipeline","nro":61,"url":"../images/linkerd-jenkins-pipeline.jpg","index":1,"caption_template":"Figure: _CAPTION_","label":"Jenkins pipeline","attributes":{},"skip":false,"key":"1.5.1.2.1.1"},{"backlink":"usecases/linkerd-user-guide.html#fig1.5.1.2.1.2","level":"1.5.1.2.1","list_caption":"Figure: Jenkins config","alt":"Jenkins config","nro":62,"url":"../images/linkerd-jenkins.jpg","index":2,"caption_template":"Figure: _CAPTION_","label":"Jenkins config","attributes":{},"skip":false,"key":"1.5.1.2.1.2"},{"backlink":"usecases/linkerd-user-guide.html#fig1.5.1.2.1.3","level":"1.5.1.2.1","list_caption":"Figure: namerd","alt":"namerd","nro":63,"url":"../images/namerd-internal.jpg","index":3,"caption_template":"Figure: _CAPTION_","label":"namerd","attributes":{},"skip":false,"key":"1.5.1.2.1.3"},{"backlink":"usecases/linkerd-user-guide.html#fig1.5.1.2.1.4","level":"1.5.1.2.1","list_caption":"Figure: linkerd监控","alt":"linkerd监控","nro":64,"url":"../images/linkerd-helloworld-outgoing.jpg","index":4,"caption_template":"Figure: _CAPTION_","label":"linkerd监控","attributes":{},"skip":false,"key":"1.5.1.2.1.4"},{"backlink":"usecases/linkerd-user-guide.html#fig1.5.1.2.1.5","level":"1.5.1.2.1","list_caption":"Figure: linkerd监控","alt":"linkerd监控","nro":65,"url":"../images/linkerd-helloworld-incoming.jpg","index":5,"caption_template":"Figure: _CAPTION_","label":"linkerd监控","attributes":{},"skip":false,"key":"1.5.1.2.1.5"},{"backlink":"usecases/linkerd-user-guide.html#fig1.5.1.2.1.6","level":"1.5.1.2.1","list_caption":"Figure: linkerd性能监控","alt":"linkerd性能监控","nro":66,"url":"../images/linkerd-grafana.png","index":6,"caption_template":"Figure: _CAPTION_","label":"linkerd性能监控","attributes":{},"skip":false,"key":"1.5.1.2.1.6"},{"backlink":"usecases/linkerd-user-guide.html#fig1.5.1.2.1.7","level":"1.5.1.2.1","list_caption":"Figure: Linkerd ingress controller","alt":"Linkerd ingress controller","nro":67,"url":"../images/linkerd-ingress-controller.jpg","index":7,"caption_template":"Figure: _CAPTION_","label":"Linkerd ingress controller","attributes":{},"skip":false,"key":"1.5.1.2.1.7"},{"backlink":"usecases/service-discovery-in-microservices.html#fig1.5.1.3.1","level":"1.5.1.3","list_caption":"Figure: 微服务中的服务发现","alt":"微服务中的服务发现","nro":68,"url":"../images/service-discovery-in-microservices.png","index":1,"caption_template":"Figure: _CAPTION_","label":"微服务中的服务发现","attributes":{},"skip":false,"key":"1.5.1.3.1"},{"backlink":"usecases/spark-standalone-on-kubernetes.html#fig1.5.2.1.1","level":"1.5.2.1","list_caption":"Figure: spark master ui","alt":"spark master ui","nro":69,"url":"../images/spark-ui.jpg","index":1,"caption_template":"Figure: _CAPTION_","label":"spark master ui","attributes":{},"skip":false,"key":"1.5.2.1.1"},{"backlink":"usecases/spark-standalone-on-kubernetes.html#fig1.5.2.1.2","level":"1.5.2.1","list_caption":"Figure: zeppelin ui","alt":"zeppelin ui","nro":70,"url":"../images/zeppelin-ui.jpg","index":2,"caption_template":"Figure: _CAPTION_","label":"zeppelin ui","attributes":{},"skip":false,"key":"1.5.2.1.2"},{"backlink":"develop/client-go-sample.html#fig1.6.3.1","level":"1.6.3","list_caption":"Figure: 使用kubernetes dashboard进行故障排查","alt":"使用kubernetes dashboard进行故障排查","nro":71,"url":"../images/kubernetes-client-go-sample-update.jpg","index":1,"caption_template":"Figure: _CAPTION_","label":"使用kubernetes dashboard进行故障排查","attributes":{},"skip":false,"key":"1.6.3.1"},{"backlink":"appendix/issues.html#fig1.7.2.1","level":"1.7.2","list_caption":"Figure: pvc-storage-limit","alt":"pvc-storage-limit","nro":72,"url":"../images/pvc-storage-limit.jpg","index":1,"caption_template":"Figure: _CAPTION_","label":"pvc-storage-limit","attributes":{},"skip":false,"key":"1.7.2.1"}]},"title":"Kubernetes Handbook","language":"zh-cn","gitbook":"*","description":"Let's play fun with kubernetes!","image-captions":{"caption":"图片 - _CAPTION_"}},"file":{"path":"guide/rbac.md","mtime":"2017-08-31T06:03:16.000Z","type":"markdown"},"gitbook":{"version":"3.2.2","time":"2017-09-06T14:16:56.564Z"},"basePath":"..","book":{"language":""}});
|
||
});
|
||
</script>
|
||
</div>
|
||
|
||
|
||
<script src="../gitbook/gitbook.js"></script>
|
||
<script src="../gitbook/theme.js"></script>
|
||
|
||
|
||
<script src="../gitbook/gitbook-plugin-github/plugin.js"></script>
|
||
|
||
|
||
|
||
<script src="../gitbook/gitbook-plugin-splitter/splitter.js"></script>
|
||
|
||
|
||
|
||
<script src="../gitbook/gitbook-plugin-page-toc-button/plugin.js"></script>
|
||
|
||
|
||
|
||
<script src="../gitbook/gitbook-plugin-editlink/plugin.js"></script>
|
||
|
||
|
||
|
||
<script src="../gitbook/gitbook-plugin-search-plus/jquery.mark.min.js"></script>
|
||
|
||
|
||
|
||
<script src="../gitbook/gitbook-plugin-search-plus/search.js"></script>
|
||
|
||
|
||
|
||
<script src="../gitbook/gitbook-plugin-sharing/buttons.js"></script>
|
||
|
||
|
||
|
||
<script src="../gitbook/gitbook-plugin-fontsettings/fontsettings.js"></script>
|
||
|
||
|
||
|
||
</body>
|
||
</html>
|
||
|