我有一个集群,用户(开发人员)在这3个用户界面(K8s仪表板,Kibana和Grafana)的帮助下访问
仅供参考,Kibana和Grafana是群集的插件 .
我希望除ADMIN之外的每个用户都应具有对Kibana Logging UI的只读访问权限,即查看日志 . 所以,我想创建一个RBAC角色 . 该角色不应更改其他UI中的用户权限 . 它应该只反映在Kibana UI中 .
用户“xyz”绑定到以下群集角色和角色 -
要查看K8s仪表板: -
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: kube-system
name: user-role-dashboard
rules:
- apiGroups: ["*"]
resources:
- services
verbs: ["get", "list", "watch"]
- apiGroups: ["*"]
resources:
- services/proxy
verbs: ["get", "list", "watch", "create"]
要查看K8s仪表板中的命名空间列表: -
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ns-view-clusterrole
rules:
- apiGroups:
- "*"
resources:
- namespaces
verbs:
- get
- list
- watch
用户设置为在命名空间中具有管理员权限(K8s仪表板): -
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: ns
name: ns-admin-role
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
任何人都可以帮助我,“如何创建一个给Kibana Dashboard提供只读权限的角色”,关于这个?
下面是我所面临的错误,因为用户“xyz”无法查看Kibana UI:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "services \"kibana-logging\" is forbidden: User \"xyz\" cannot proxy services in the namespace \"kube-system\"",
"reason": "Forbidden",
"details": {
"name": "kibana-logging",
"kind": "services"
},
"code": 403
}
更新
在我的群集上部署了Pod
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
elasticsearch-logging-0 1/1 Running 6 239d
elasticsearch-logging-1 1/1 Running 2 239d
fluentd-es-v2.0.2-5jmss 1/1 Running 7 232d
fluentd-es-v2.0.2-tcgb6 1/1 Running 5 239d
heapster-588bcd669c-qz2f8 1/1 Running 3 239d
kibana-logging-5fd7fcf8c-72grf 1/1 Running 3 239d
kube-dns-9c5fccf5c-b98px 3/3 Running 9 239d
kubernetes-dashboard-7f9755578c-kb9n6 1/1 Running 3 239d
monitoring-grafana-794779fc5b-rr2lx 1/1 Running 3 239d
monitoring-influxdb-67c5b7dbd6-xrplj 1/1 Running 3 239d
谢谢