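I am using Kubernetes 1.4.5 and installing an HA cluster from scratch (every component runs on the system rather than in containers).

To improve security, every component has its own certificate for connecting to the apiserver(s). To define permissions I use the ABAC plugin. I don't care about read permissions, but I want to make sure write permissions are enabled only for the module responsible for "something".

I did not find any documentation on which component needs which permissions at minimum. I started configuring, looking for errors, and starting over.

I started from Kelsey Hightower's TLS tutorial, and then it "failed".

This is what I have so far: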

{"user":"system:logging"}
{"user":"system:monitoring"}
{"user":"system:serviceaccount:default:default"}
{"user":"system:serviceaccount:kube-system:default"}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"nagios", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*", "readonly": true }}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "nodes"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "pods"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "events"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"proxy", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"proxy", "apiGroup": "*", "namespace": "*", "resource": "events"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "apiGroup": "*", "namespace": "*", "resource": "endpoints"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "apiGroup": "*", "namespace": "*", "resource": "bindings"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "apiGroup": "*", "namespace": "*", "resource": "events"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "*","nonResourcePath": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "events"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "endpoints"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "deployments"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "serviceaccounts"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "secrets"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "replicasets"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "pods"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "replicationcontrollers"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "persistentvolumes"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "persistentvolumeclaims"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "statefulsets"}}

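Does anyone know whether I am missing something?

[Update] I found that defining only the spec does not work, because the controller manager ran into trouble. So I updated the configuration with the full lines.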
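
An added example, not part of the original question: a Python script that reads an ABAC policy file and lists which subjects hold write access to which resources, which is the property the question wants to control. The sample lines are constructed from user names in the question, the function names are hypothetical, and the treatment of legacy lines (no apiVersion/kind, unset namespace and resource matching everything) is an assumption about the legacy format; only resource rules are covered, not nonResourcePath.

```python
import json
from collections import defaultdict

# Constructed sample in the ABAC policy-file format (one JSON object per line);
# the user names mirror the ones in the question.
SAMPLE = """\
{"user":"system:logging"}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "nodes"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"proxy", "apiGroup": "*", "namespace": "*", "resource": "events"}}
"""

def effective_spec(obj):
    """Return the rule a policy line amounts to."""
    if "spec" in obj:                     # v1beta1 line: use the spec as written
        return obj["spec"]
    # Legacy line (assumed semantics): unset namespace/resource match everything.
    return {"user": obj.get("user", ""), "group": obj.get("group", ""),
            "namespace": obj.get("namespace") or "*",
            "resource": obj.get("resource") or "*",
            "readonly": obj.get("readonly", False)}

def write_grants(policy_text):
    """Map each subject to the sorted (namespace, resource) pairs it may write."""
    grants = defaultdict(set)
    for n, line in enumerate(policy_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            spec = effective_spec(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {n}: invalid JSON ({exc})") from None
        if spec.get("readonly", False) or not spec.get("resource"):
            continue                      # read-only or non-resource rule
        subject = spec.get("user") or "group:" + spec.get("group", "")
        grants[subject].add((spec.get("namespace", ""), spec["resource"]))
    return {s: sorted(g) for s, g in grants.items()}

def wildcard_writers(grants):
    """Subjects holding a writable rule on resource "*"."""
    return sorted(s for s, g in grants.items() if any(r == "*" for _, r in g))

if __name__ == "__main__":
    found = write_grants(SAMPLE)
    for subject, rules in sorted(found.items()):
        print(subject, rules)
    print("can write everything:", wildcard_writers(found))
```

Running it over the real policy file and comparing the output with the intended write set per component shows where a rule is broader than planned.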
