1. Create the service account and adjust RBAC permissions
cat readonly.yaml
# Create a service account named read-only-user
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: read-only-user
  namespace: kube-system
# Create a ClusterRoleBinding that associates the service account above with a read-only role
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-only-user-binding
subjects:
- kind: ServiceAccount
  name: read-only-user
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: read-only-role
# Define the read-only role
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: read-only-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  - pods/exec   # exec itself needs the create verb on pods/exec; get/list/watch here grants no exec
  - services
  - configmaps
  - persistentvolumes
  - persistentvolumeclaims
  - replicationcontrollers
  - namespaces
  - secrets     # get/list on secrets exposes the contents of every Secret in the cluster
  - events
  - serviceaccounts
  - nodes
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  - replicasets
  - statefulsets
  - daemonsets
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - batch        # API groups carry no version; "batch/v1" is an apiVersion and would never match
  resources:
  - jobs
  - cronjobs
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  - rolebindings
  - clusterroles
  - clusterrolebindings
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingressclasses
  - networkpolicies
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - list
  - get
  - watch
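Before handing the token out, it is worth checking what the role above actually grants. The following is an added example, not part of the original post: a small offline RBAC rule matcher with the ClusterRole's rules transcribed into it, plus an audit that flags write verbs, cluster-wide Secret reads and exec rights. It mirrors RBAC matching semantics ("" is the core group, "*" is a wildcard, pods/exec is a subresource) but is a simplification, not the API server's authorizer.

```python
# Minimal RBAC rule matcher and audit for the read-only ClusterRole above.
# READ_ONLY_RULES is transcribed from the page's manifest (constructed input);
# allowed() is a simplified model of RBAC matching, not the API server's code.

READ_ONLY_RULES = [
    {"apiGroups": [""], "verbs": ["list", "get", "watch"],
     "resources": ["pods", "pods/log", "pods/exec", "services", "configmaps",
                   "persistentvolumes", "persistentvolumeclaims",
                   "replicationcontrollers", "namespaces", "secrets", "events",
                   "serviceaccounts", "nodes"]},
    {"apiGroups": ["apps"], "verbs": ["list", "get", "watch"],
     "resources": ["deployments", "replicasets", "statefulsets", "daemonsets"]},
    {"apiGroups": ["batch"], "verbs": ["list", "get", "watch"],
     "resources": ["jobs", "cronjobs"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "verbs": ["list", "get", "watch"],
     "resources": ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]},
    {"apiGroups": ["networking.k8s.io"], "verbs": ["list", "get", "watch"],
     "resources": ["ingresses", "ingressclasses", "networkpolicies"]},
    {"apiGroups": ["storage.k8s.io"], "verbs": ["list", "get", "watch"],
     "resources": ["storageclasses"]},
]

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def _match(candidates, value):
    # RBAC lists are allow-lists; "*" matches any value.
    return "*" in candidates or value in candidates


def allowed(rules, api_group, resource, verb):
    """True if any rule grants verb on resource in api_group (RBAC has no deny)."""
    return any(
        _match(r["apiGroups"], api_group)
        and _match(r["resources"], resource)
        and _match(r["verbs"], verb)
        for r in rules
    )


def audit(rules):
    """Findings for a role that is supposed to be read-only."""
    findings = []
    for r in rules:
        bad = sorted(set(r["verbs"]) & WRITE_VERBS)
        if bad:
            findings.append(f"write verbs {bad} on {r['apiGroups']} {r['resources']}")
    if allowed(rules, "", "secrets", "get") or allowed(rules, "", "secrets", "list"):
        findings.append("reads Secrets cluster-wide: effectively credential access")
    if allowed(rules, "", "pods/exec", "create"):
        findings.append("can exec into pods: not read-only")
    return findings
```

Against a live cluster the same questions can be put to the API server itself, for example `kubectl auth can-i get secrets --as=system:serviceaccount:kube-system:read-only-user`; the role above answers yes, so treat dashboard users holding this token as having read access to every Secret.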
2. Create a token for the service account
kubectl -n kube-system create token read-only-user
This issues a short-lived token (one hour by default; kubectl create token accepts --duration to change it), so a new one must be requested once it expires.
3. Done
Use the token to log in to the Kubernetes Dashboard.