Creating a cluster-wide read-only user for Grafana in Kubernetes with RBAC

Date: 2019-09-26 03:06:21

Tags: kubernetes ansible certificate grafana rbac

I am trying to provision a user so that Grafana can monitor my cluster's resources. I followed the Bitnami guide here, and implemented those steps as the Ansible playbook found here.

Here is the ClusterRole the user uses, and here is how it is bound to the user.

However, despite this, when I configure Grafana with the generated certificate it still throws this error.

Also, if I try to run any command in the user's context, it tells me I am unauthorized.

$> kubectl --context=grafana-prometheus-scraper get pods -n grafana
error: You must be logged in to the server (Unauthorized)

Any ideas?

2 answers:

Answer 0 (score: 1)

This is what your ServiceAccount, ClusterRole and ClusterRoleBinding should look like.

# A ServiceAccount is namespaced, and a ClusterRoleBinding subject of kind
# ServiceAccount must name that namespace or the API server rejects it.
# "grafana" is assumed here from the kubectl command in the question; use
# whatever namespace you create the account in.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: grafana-prometheus-scraper
  namespace: grafana

---

# rbac.authorization.k8s.io/v1 has been served since Kubernetes 1.8; the
# v1beta1 version originally used here was removed in 1.22.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: grafana-prometheus-scraper
rules:
  # "" is the core API group. Note that "list" on secrets returns their data,
  # so drop "secrets" from this rule unless the scraper really needs it.
  - apiGroups: [""]
    resources:
      - configmaps
      - secrets
      - nodes
      - pods
      - services
      - resourcequotas
      - replicationcontrollers
      - limitranges
      - persistentvolumeclaims
      - persistentvolumes
      - namespaces
      - endpoints
    verbs: ["list", "watch"]
  # Served under "extensions" only on older clusters; current clusters serve
  # these under "apps" (next rule) and ingresses under networking.k8s.io.
  - apiGroups: ["extensions"]
    resources:
      - daemonsets
      - deployments
      - replicasets
      - ingresses
    verbs: ["list", "watch"]
  - apiGroups: ["apps"]
    resources:
      - daemonsets
      - deployments
      - replicasets
      - statefulsets
    verbs: ["list", "watch"]
  - apiGroups: ["batch"]
    resources:
      - cronjobs
      - jobs
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling"]
    resources:
      - horizontalpodautoscalers
    verbs: ["list", "watch"]
  - apiGroups: ["policy"]
    resources:
      - poddisruptionbudgets
    verbs: ["list", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - certificatesigningrequests
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources:
      - storageclasses
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling.k8s.io"]
    resources:
      - verticalpodautoscalers
    verbs: ["list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: grafana-prometheus-scraper
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: grafana-prometheus-scraper
subjects:
  - kind: ServiceAccount
    name: grafana-prometheus-scraper
    namespace: grafana   # must match the ServiceAccount's namespace above

You do not have to specify a namespace when creating a ClusterRole, because it applies to the whole cluster. If you want to restrict access to a particular namespace, you should use a Role and a RoleBinding instead.

I highly recommend the very good article on Medium about Configuring RBAC For Your Kubernetes Service Accounts.
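As an added illustration, not code from the asker or the answerer, the Python below models how the API server's RBAC authorizer matches a request against the rules of a ClusterRole, and runs a small least-privilege audit over a constructed in-memory copy of the rules from the ClusterRole above. It runs entirely in-process with no cluster or kubectl; the verb, group and resource names are the real Kubernetes ones, while `can_i`, `rule_allows` and `audit_read_only` are helpers written for this example.

```python
"""Offline model of Kubernetes RBAC rule matching, applied to the scraper
ClusterRole from the answer (example code, not from the page's author)."""

# Constructed copy of the rules in the ClusterRole above ("" is the core group).
SCRAPER_RULES = [
    {"apiGroups": [""], "verbs": ["list", "watch"],
     "resources": ["configmaps", "secrets", "nodes", "pods", "services",
                   "resourcequotas", "replicationcontrollers", "limitranges",
                   "persistentvolumeclaims", "persistentvolumes", "namespaces",
                   "endpoints"]},
    {"apiGroups": ["extensions"], "verbs": ["list", "watch"],
     "resources": ["daemonsets", "deployments", "replicasets", "ingresses"]},
    {"apiGroups": ["apps"], "verbs": ["list", "watch"],
     "resources": ["daemonsets", "deployments", "replicasets", "statefulsets"]},
    {"apiGroups": ["batch"], "verbs": ["list", "watch"],
     "resources": ["cronjobs", "jobs"]},
    {"apiGroups": ["autoscaling"], "verbs": ["list", "watch"],
     "resources": ["horizontalpodautoscalers"]},
    {"apiGroups": ["policy"], "verbs": ["list", "watch"],
     "resources": ["poddisruptionbudgets"]},
    {"apiGroups": ["certificates.k8s.io"], "verbs": ["list", "watch"],
     "resources": ["certificatesigningrequests"]},
    {"apiGroups": ["storage.k8s.io"], "verbs": ["list", "watch"],
     "resources": ["storageclasses"]},
    {"apiGroups": ["autoscaling.k8s.io"], "verbs": ["list", "watch"],
     "resources": ["verticalpodautoscalers"]},
]

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Resources whose "list"/"get" returns credential material: (apiGroup, resource).
SENSITIVE_READS = {("", "secrets")}


def _matches(allowed, value):
    """A rule field matches by exact name or by the wildcard "*"."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource, name=""):
    """Does one PolicyRule cover the request? Subresources such as "pods/log"
    must be listed explicitly (a rule for "pods" does not match them), and
    resourceNames, when set, restrict the rule to those named objects."""
    if not _matches(rule.get("verbs", []), verb):
        return False
    if not _matches(rule.get("apiGroups", []), api_group):
        return False
    if not _matches(rule.get("resources", []), resource):
        return False
    names = rule.get("resourceNames", [])
    return not names or name in names


def can_i(rules, verb, api_group, resource, name=""):
    """RBAC is allow-only with no deny rules: a request is permitted as soon
    as any rule of any bound role matches, otherwise it is Forbidden (403)."""
    return any(rule_allows(r, verb, api_group, resource, name) for r in rules)


def audit_read_only(rules):
    """Findings a reviewer would raise before calling this role "read-only"."""
    findings = []
    for i, rule in enumerate(rules):
        verbs = set(rule.get("verbs", []))
        writes = sorted(verbs & WRITE_VERBS) or (["*"] if "*" in verbs else [])
        if writes:
            findings.append(f"rule {i}: grants write verbs {writes}")
        for group in rule.get("apiGroups", []):
            for res in rule.get("resources", []):
                if res == "*" or (group, res) in SENSITIVE_READS:
                    findings.append(f"rule {i}: reads {group or 'core'}/{res}")
    return findings


if __name__ == "__main__":
    # "kubectl get pods" issues a list, which this role allows ...
    print("list pods:", can_i(SCRAPER_RULES, "list", "", "pods"))
    # ... but "kubectl get pod NAME" issues a get, which it does not.
    print("get pod:", can_i(SCRAPER_RULES, "get", "", "pods"))
    print("delete pod:", can_i(SCRAPER_RULES, "delete", "", "pods"))
    for finding in audit_read_only(SCRAPER_RULES):
        print("finding:", finding)
```

Two things the run makes concrete: `kubectl get pods` is a `list` and succeeds under this role, while `kubectl get pod NAME` is a `get` and is refused; and the core-group rule's `list` on `secrets` returns the secrets' contents, so it deserves a second look on a role described as read-only. Note also that RBAC only runs after authentication succeeds: an RBAC denial is reported as `Forbidden` (HTTP 403), whereas the `Unauthorized` (401) in the question means the client certificate or token was not accepted by the API server at all, which no ClusterRoleBinding can fix.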

Answer 1 (score: 0)

There is no user object in kubernetes. Create a service account and update it in the clusterrolebinding.

subjects:
    - kind: User
      name: grafana-prometheus-scraper