I am using Kubernetes 1.4.5 and installing an HA cluster from scratch (each component running on the system itself rather than in a container).
To harden it, every component has its own certificate for connecting to the apiserver. To define permissions I use the ABAC plugin. I don't bother with read permissions, but I want to make sure that write permissions are enabled only for the modules responsible for "something".
I did not find any documentation about which component needs at least which permissions. I started configuring, looked for errors and started over.
I started from the tls tutorial from Kelsey Hightower, "failing forward".
This is what I have so far:
{"user":"system:logging"}
{"user":"system:monitoring"}
{"user":"system:serviceaccount:default:default"}
{"user":"system:serviceaccount:kube-system:default"}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"nagios", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*", "readonly": true }}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "nodes"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "pods"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "events"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"proxy", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"proxy", "apiGroup": "*", "namespace": "*", "resource": "events"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "apiGroup": "*", "namespace": "*", "resource": "endpoints"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "apiGroup": "*", "namespace": "*", "resource": "bindings"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "apiGroup": "*", "namespace": "*", "resource": "events"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "*","nonResourcePath": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "events"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "endpoints"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "deployments"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "serviceaccounts"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "secrets"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "replicasets"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "pods"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "replicationcontrollers"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "persistentvolumes"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "persistentvolumeclaims"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"controller_manager", "apiGroup": "*", "namespace": "*", "resource": "statefulsets"}}
Does anyone know what I am missing?
[UPDATE] I found out that defining only the spec did not work, because the controller manager ran into trouble. So I updated the config with the full lines.
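As an added example (it is not part of the question and not Kubernetes code): a small Python audit script that loads an ABAC policy file in the JSON-lines form shown above and evaluates requests against it using the Kubernetes 1.4 ABAC matching rules: every policy grants read-only requests, only a policy without `readonly` grants writes, `*` is a wildcard for user, namespace, resource and apiGroup, and a legacy one-line entry without `apiVersion` (the `{"user":"system:logging"}` style) has its unset namespace and resource widened to `*` and matches every API group and non-resource path. The embedded policy file is a constructed excerpt of the policies in the question. The `write_grants` report is the check a practitioner wants here: it lists, per user, which resources are writable, and it shows that the bare `{"user":"system:logging"}` line grants that user unrestricted read and write access, which is the opposite of restricting writes to a few modules.

```python
import json
from dataclasses import dataclass

# Constructed excerpt of the question's ABAC policy file (one JSON policy per line).
# Assumption: matching follows the Kubernetes 1.4 ABAC rules described in the comments below.
POLICY_FILE = '''
{"user":"system:logging"}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"nagios", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*", "readonly": true }}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "pods"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "apiGroup": "*", "namespace": "*", "resource": "bindings"}}
'''


@dataclass
class Policy:
    user: str = ""
    group: str = ""
    namespace: str = ""
    resource: str = ""
    api_group: str = ""
    non_resource_path: str = ""
    readonly: bool = False


@dataclass
class Request:
    """Attributes of one API request, as the authorizer sees them."""
    user: str
    groups: tuple = ()
    namespace: str = ""
    resource: str = ""      # empty for a non-resource request such as /metrics
    api_group: str = ""
    path: str = ""          # only used for non-resource requests
    readonly: bool = True   # GET / LIST / WATCH

    @property
    def is_resource_request(self) -> bool:
        return self.resource != ""


def parse_policy_line(line: str) -> Policy:
    obj = json.loads(line)
    if "apiVersion" not in obj:
        # Legacy one-line (v0) form: unset namespace/resource widen to "*", and the
        # line matches every API group and every non-resource path.
        return Policy(user=obj.get("user", ""), group=obj.get("group", ""),
                      namespace=obj.get("namespace") or "*",
                      resource=obj.get("resource") or "*",
                      api_group="*", non_resource_path="*",
                      readonly=bool(obj.get("readonly", False)))
    spec = obj.get("spec", {})  # versioned form: only what the spec names is matched
    return Policy(user=spec.get("user", ""), group=spec.get("group", ""),
                  namespace=spec.get("namespace", ""), resource=spec.get("resource", ""),
                  api_group=spec.get("apiGroup", ""),
                  non_resource_path=spec.get("nonResourcePath", ""),
                  readonly=bool(spec.get("readonly", False)))


def load_policies(text: str) -> list:
    """Parse a JSON-lines policy file, skipping blank and '#' comment lines."""
    policies = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            policies.append(parse_policy_line(stripped))
    return policies


def subject_matches(p: Policy, r: Request) -> bool:
    matched = False
    if p.user:
        if p.user not in ("*", r.user):
            return False
        matched = True
    if p.group:
        if p.group != "*" and p.group not in r.groups:
            return False
        matched = True
    return matched  # a policy naming neither user nor group matches nobody


def verb_matches(p: Policy, r: Request) -> bool:
    # Every policy grants reads; a write needs a policy that is not readonly.
    return r.readonly or not p.readonly


def resource_matches(p: Policy, r: Request) -> bool:
    if not r.is_resource_request:
        return False
    return (p.namespace in ("*", r.namespace) and p.resource in ("*", r.resource)
            and p.api_group in ("*", r.api_group))


def non_resource_matches(p: Policy, r: Request) -> bool:
    if r.is_resource_request:
        return False
    if p.non_resource_path in ("*", r.path):
        return True
    # A trailing "*" is a prefix match, e.g. "/api/*".
    return p.non_resource_path.endswith("*") and r.path.startswith(p.non_resource_path.rstrip("*"))


def is_allowed(policies: list, r: Request) -> bool:
    return any(subject_matches(p, r) and verb_matches(p, r)
               and (resource_matches(p, r) or non_resource_matches(p, r))
               for p in policies)


def write_grants(policies: list) -> dict:
    """Audit report: each user mapped to the sorted resources it may write ("*" = everything)."""
    grants = {}
    for p in policies:
        if p.readonly or not p.user:
            continue
        target = p.resource or f"path:{p.non_resource_path}"
        grants.setdefault(p.user, set()).add(target)
    return {user: sorted(targets) for user, targets in grants.items()}


if __name__ == "__main__":
    for user, targets in write_grants(load_policies(POLICY_FILE)).items():
        print(f"{user}: may write {', '.join(targets)}")
```

Running the script prints the write report; the `system:logging: may write *` line is the legacy-form widening in action, and the fix in this scheme is to convert such entries to the versioned form with an explicit `"readonly": true` and the resources they actually need.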