Setting up nginx in Kubernetes with RBAC enabled

Time: 2017-04-26 10:54:56

Tags: nginx kubernetes rbac

Starting with Kubernetes v1.6, RBAC authorization is enabled by default. This means my v1.5 deployments/configs no longer work.

One of the key components I need to grant access to is nginx; otherwise the following message shows up in the logs:

F0425 15:08:07.246596       1 main.go:116] no service with name kube-system/default-http-backend found: the server does not allow access to the requested resource (get services default-http-backend)

1 answer:

Answer 0 (score: 0)

UPDATE: the kubernetes/nginx documentation has been updated here, with details on RBAC here.

OLD:

To support RBAC we need two things:

  • define a ServiceAccount / ClusterRole / ClusterRoleBinding
  • set the serviceAccount on the nginx deployment

Here are the files I used to set it up:

nginx-roles.yml

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx
  namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: nginx-role
rules:
# Bound through a ClusterRoleBinding below, so this is cluster-wide read
# access: it includes every Secret in every namespace (the controller
# needs this to load TLS certificates referenced by Ingress objects).
- apiGroups: [""]
  resources: ["secrets", "configmaps", "services", "endpoints"]
  verbs:
    - get
    - watch
    - list
    # proxy/use/redirect are never carried by the controller's requests,
    # so they grant nothing here; kept as originally written.
    - proxy
    - use
    - redirect
- apiGroups: [""]
  resources: ["events"]
  verbs:
    - redirect
    - patch
    # The controller creates Events; "create" is the RBAC verb for that.
    # The original had "post", which is not an RBAC verb and would leave
    # event creation denied.
    - create
- apiGroups:
    - "extensions"
  resources:
    - "ingresses"
  verbs:
    - get
    - watch
    - list
    - proxy
    - use
    - redirect
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: nginx-role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-role
subjects:
- kind: ServiceAccount
  name: nginx
  namespace: kube-system

nginx-ingress-controller.yml (uses nodeSelector kubecluster-amd-1 and default-http-backend)

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  labels:
    k8s-app: nginx-ingress-controller
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        k8s-app: nginx-ingress-controller
    spec:
      # Binds the pod to the ServiceAccount from nginx-roles.yml;
      # serviceAccount is the older alias of serviceAccountName.
      serviceAccountName: nginx
      # hostNetwork plus hostPort below exposes the controller directly on the node.
      hostNetwork: true
      nodeSelector:
          kubernetes.io/hostname: kubecluster-amd-1
      terminationGracePeriodSeconds: 60
      containers:
      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.4
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 20
          timeoutSeconds: 1
        ports:
        - containerPort: 80
          hostPort: 80
        - containerPort: 443
          hostPort: 443
        - containerPort: 5683
          hostPort: 5683
          protocol: UDP
        - containerPort: 5684
          hostPort: 5684
          protocol: UDP
        - containerPort: 53
          hostPort: 53
          protocol: UDP
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
        args:
        - /nginx-ingress-controller
        - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
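The two steps above (bind a ClusterRole to the ServiceAccount, then run the controller as that ServiceAccount) can be checked before anything is applied. The following is an added example and not code from the question, the answer or the ingress project: a minimal re-implementation of the decision the Kubernetes RBAC authorizer makes for a ServiceAccount, fed with objects in the JSON shape that `kubectl get clusterrole,clusterrolebinding -o json` prints. The objects are constructed by hand to mirror nginx-roles.yml as posted (the events verb is kept as `post` to show what that grant evaluates to); evaluating only ClusterRoleBindings, not namespaced RoleBindings, is a simplification of this toy.

```python
"""Toy RBAC authorizer for ServiceAccounts (added example, not from the post).
Input: ClusterRole / ClusterRoleBinding dicts in kubectl's JSON shape.
Only ClusterRoleBindings are evaluated (RoleBindings left out on purpose)."""

# Verbs a request can actually be labelled with. The eight core verbs come
# from the HTTP method; use/impersonate/bind/escalate are special-purpose;
# proxy/redirect are the legacy subpath verbs listed in the 2017-era docs.
# A verb outside this set never matches any request.
KNOWN_VERBS = {
    "get", "list", "watch", "create", "update", "patch", "delete",
    "deletecollection", "use", "impersonate", "bind", "escalate",
    "proxy", "redirect",
}


def sa_subjects(namespace, name):
    """Identities a ServiceAccount token carries: itself plus two groups."""
    return {
        ("ServiceAccount", name, namespace),
        ("Group", "system:serviceaccounts:" + namespace, None),
        ("Group", "system:serviceaccounts", None),
    }


def rule_matches(rule, verb, api_group, resource, name=None):
    """PolicyRule semantics: every list must contain the value or '*'."""
    def hit(values, want):
        return "*" in values or want in values

    if not hit(rule.get("verbs", []), verb):
        return False
    if not hit(rule.get("apiGroups", []), api_group):
        return False
    resources = rule.get("resources", [])
    sub = resource.split("/", 1)[1] if "/" in resource else None
    if not (hit(resources, resource) or (sub and "*/" + sub in resources)):
        return False
    names = rule.get("resourceNames", [])
    return not names or name in names


def bound_cluster_roles(objects, namespace, name):
    """ClusterRoles reachable from ClusterRoleBindings naming this SA."""
    wanted = sa_subjects(namespace, name)
    roles = {o["metadata"]["name"]: o for o in objects if o["kind"] == "ClusterRole"}
    for b in objects:
        if b["kind"] != "ClusterRoleBinding" or b["roleRef"]["kind"] != "ClusterRole":
            continue
        subjects = {(s["kind"], s["name"], s.get("namespace")) for s in b.get("subjects", [])}
        if subjects & wanted and b["roleRef"]["name"] in roles:
            yield roles[b["roleRef"]["name"]]


def can(objects, namespace, name, verb, api_group, resource, res_name=None):
    """True if any bound ClusterRole has a matching rule. Cluster bindings
    are not namespace-scoped, so the answer holds in every namespace."""
    return any(
        rule_matches(r, verb, api_group, resource, res_name)
        for role in bound_cluster_roles(objects, namespace, name)
        for r in role.get("rules", [])
    )


def unknown_verbs(objects):
    """Rule verbs no request is ever labelled with: dead grants, by role."""
    found = {}
    for o in objects:
        if o["kind"] in ("ClusterRole", "Role"):
            for r in o.get("rules", []):
                for v in r.get("verbs", []):
                    if v not in KNOWN_VERBS:
                        found.setdefault(o["metadata"]["name"], set()).add(v)
    return found


# Constructed to mirror nginx-roles.yml as posted (events verb left as 'post').
NGINX_ROLES = [
    {"kind": "ServiceAccount", "metadata": {"name": "nginx", "namespace": "kube-system"}},
    {"kind": "ClusterRole", "metadata": {"name": "nginx-role"}, "rules": [
        {"apiGroups": [""], "resources": ["secrets", "configmaps", "services", "endpoints"],
         "verbs": ["get", "watch", "list", "proxy", "use", "redirect"]},
        {"apiGroups": [""], "resources": ["events"], "verbs": ["redirect", "patch", "post"]},
        {"apiGroups": ["extensions"], "resources": ["ingresses"],
         "verbs": ["get", "watch", "list", "proxy", "use", "redirect"]},
    ]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "nginx-role"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "nginx-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "nginx", "namespace": "kube-system"}]},
]

if __name__ == "__main__":
    sa = (NGINX_ROLES, "kube-system", "nginx")
    # The request from the question's log line, once the binding exists.
    print("get services:", can(*sa, "get", "", "services", "default-http-backend"))
    print("create events:", can(*sa, "create", "", "events"))  # 'post' never matches
    print("get secrets (any namespace):", can(*sa, "get", "", "secrets"))
    print("dead verbs:", unknown_verbs(NGINX_ROLES))
```

Two things the check makes visible that the manifest alone does not: event creation is still denied because `post` is not a verb the API server ever labels a request with, and because the role is bound cluster-wide the controller's ServiceAccount can read Secrets in every namespace, not just kube-system. The same `can()` call with a different ServiceAccount namespace returns False, which is the situation the question's log line describes before the binding exists.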