Permission Manager
Permission Manager is a project that provides a web UI for Kubernetes RBAC and user management, giving Kubernetes permission management a friendly visual interface.
Installation
Download the YAML files from github.com/sighupio/pe… as shown below:
[root@qd01-stop-k8s-master001 kubernetes]# ll
total 4
-rw-r--r-- 1 root root 2697 Jan 28 11:08 deploy.yml
drwxr-xr-x 2 root root 37 Jan 28 11:14 seeds
Create a namespace
[root@qd01-stop-k8s-master001 kubernetes]# kubectl create namespace permission-manager
namespace/permission-manager created
Create a Secret and update its values for your cluster (in particular CONTROL_PLANE_ADDRESS and BASIC_AUTH_PASSWORD)
[rancher@qd01-stop-k8snode011 permission-manager]$ cat secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: permission-manager
  namespace: permission-manager
type: Opaque
stringData:
  PORT: "4000" # port where server is exposed
  CLUSTER_NAME: "kubernetes-cluster" # name of the cluster to use in the generated kubeconfig file
  CONTROL_PLANE_ADDRESS: "https://10.26.29.208:6443" # full address of the control plane to use in the generated kubeconfig file
  BASIC_AUTH_PASSWORD: "k8sAdmin" # password used by basic auth (username is `admin`)
[root@qd01-stop-k8s-master001 kubernetes]# kubectl apply -f secret.yaml
secret/permission-manager created
Deployment
[root@qd01-stop-k8s-master001 seeds]# kubectl apply -f crd.yml
Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/permissionmanagerusers.permissionmanager.user created
[root@qd01-stop-k8s-master001 seeds]# kubectl apply -f seed.yml
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___operation created
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___developer created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___read-only created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___admin created
[root@qd01-stop-k8s-master001 kubernetes]# kubectl apply -f deploy.yml
service/permission-manager created
deployment.apps/permission-manager created
serviceaccount/permission-manager created
clusterrole.rbac.authorization.k8s.io/permission-manager created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
clusterrolebinding.rbac.authorization.k8s.io/permission-manager created
With that, the Permission Manager deployment is set up. The deprecation warnings can be ignored, or you can change the apiVersion in the YAML file to rbac.authorization.k8s.io/v1.
Expose the service with an Ingress
Create ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: permission-manager-ingress
  namespace: permission-manager
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: permission.ieasou.cn
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: permission-manager
            port:
              number: 4000
[root@qd01-stop-k8s-master001 kubernetes]# kubectl apply -f ingress.yaml
[root@qd01-stop-k8s-master001 kubernetes]# kubectl get ing -n permission-manager
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
NAME                         CLASS    HOSTS                  ADDRESS                     PORTS   AGE
permission-manager-ingress   <none>   permission.ieasou.cn   10.26.29.202,10.26.29.203   80      4m8s
Add a DNS record for permission.ieasou.cn, then open it in the browser and log in with the username admin and the password set in the Secret.
Log in
There are no users yet, so we can create an ordinary user to test with.
Create a user
Click Create New User, fill in the relevant information, then click Save. The generated config file can be viewed under the user's information.
Save the config file and use it to access the cluster. I'll copy the config file locally, rename it scofield, and use kubectl to test it.
[root@qd01-stop-k8s-master001 kubernetes]# kubectl --kubeconfig=scofield get po
No resources found in default namespace.
[root@qd01-stop-k8s-master001 kubernetes]# kubectl --kubeconfig=scofield get po -n argo
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:permission-manager:scofield" cannot list resource "pods" in API group "" in the namespace "argo"
As the output shows, of the two namespaces I queried, default and argo, only default is accessible; listing pods in argo is forbidden. This matches the permissions granted when the user was created. For more information, see the official website.
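The check above tests one allowed and one denied namespace by hand. The script below, added here and not part of the original post or the Permission Manager project, generalizes it: it runs kubectl auth can-i with the generated kubeconfig over a list of namespaces, compares each answer with the namespaces the user was created for, and also confirms the kubeconfig has no cluster-wide pod access. It assumes kubectl is on PATH (or that KUBECTL points to it) and that the kubeconfig path and namespace names are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original post or the Permission Manager project):
# confirm that a kubeconfig generated by Permission Manager reaches only the
# namespaces the user was created for, and has no cluster-wide pod access.
# Assumes kubectl is on PATH (override with KUBECTL=/path/to/kubectl).

# can_list_pods KUBECONFIG NAMESPACE|--all-namespaces  -> prints "yes" or "no"
can_list_pods() {
    if [ "$2" = "--all-namespaces" ]; then
        "${KUBECTL:-kubectl}" --kubeconfig="$1" auth can-i list pods --all-namespaces 2>/dev/null || true
    else
        "${KUBECTL:-kubectl}" --kubeconfig="$1" auth can-i list pods -n "$2" 2>/dev/null || true
    fi
}

# check_namespaces KUBECONFIG "ALLOWED_NS ..." NAMESPACE...
# Prints one line per namespace (plus a cluster-wide line) and returns 1 if
# any answer differs from what the allow-list says it should be.
check_namespaces() {
    kubeconfig=$1
    allowed=$2
    shift 2
    rc=0
    for ns in "$@" --all-namespaces; do
        expected=no                  # deny unless allow-listed; cluster-wide is never expected
        for a in $allowed; do
            if [ "$a" = "$ns" ]; then expected=yes; fi
        done
        got=$(can_list_pods "$kubeconfig" "$ns")
        [ "$got" = yes ] || got=no   # an unreachable API or bad kubeconfig counts as "no"
        if [ "$got" = "$expected" ]; then
            printf 'ns=%s expected=%s got=%s\n' "$ns" "$expected" "$got"
        else
            printf 'ns=%s expected=%s got=%s MISMATCH\n' "$ns" "$expected" "$got"
            rc=1
        fi
    done
    return $rc
}

# Usage for the post's scenario: sh check_kubeconfig.sh scofield default default argo
if [ $# -ge 3 ]; then
    check_namespaces "$@"
fi
```

A non-zero exit means the generated kubeconfig can reach a namespace it should not, or cannot reach one it should, which is worth checking whenever the seed ClusterRole templates are changed.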