给k8s dashboard创建只读账户

一.创建服务账户和RBAC权限调整

cat readonly.yaml
# 创建一个名为read-only-user的服务账户
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: read-only-user
  namespace: kube-system
 
# 创建一个角色绑定，将上面创建的服务账户与一个只读角色关联
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-only-user-binding
subjects:
- kind: ServiceAccount
  name: read-only-user
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: read-only-role
 
# 定义只读角色
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: read-only-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  - pods/exec
  - services
  - configmaps
  - persistentvolumes
  - persistentvolumeclaims
  - replicationcontrollers
  - namespaces
  - secrets
  - events
  - serviceaccounts
  - nodes
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  - replicasets
  - statefulsets
  - daemonsets
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - batch
  - batch/v1
  resources:
  - jobs
  - cronjobs
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  - rolebindings
  - clusterroles
  - clusterrolebindings
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingressclasses
  - networkpolicies
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - list
  - get
  - watch

二.创建sa的token

kubectl -n kube-system create token read-only-user

三.完活

拿token登录dashboard