k8s_fedora: Add admin user
Add an admin service account and give it the cluster role. It can be used to access apps with token authentication like the kubernetes-dashboard. Remove the cluster role from the dashboard service account.

Change-Id: I7980c0e72b0d71921e42af7338d02b8a1e563c34
Closes-Bug: #1766284
parent 3975ca35bf
commit 91d5229b9c
@ -45,3 +45,31 @@ subjects:
kind: User
name: kubernetes
EOF
# Create an admin user and give it the cluster role.
ADMIN_RBAC=/srv/magnum/kubernetes/kubernetes-admin-rbac.yaml
[ -f ${ADMIN_RBAC} ] || {
echo "Writing File: $ADMIN_RBAC"
mkdir -p $(dirname ${ADMIN_RBAC})
cat << EOF > ${ADMIN_RBAC}
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin
namespace: kube-system
EOF
}
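Review bot: the binding in this hunk gives the new `admin` ServiceAccount `cluster-admin`, so the token Kubernetes auto-generates for it is a full-cluster credential stored as a Secret in `kube-system`; since the stated use is only dashboard login, document that anyone who can read that Secret has cluster-admin, or scope the role down where token access to the dashboard does not need everything. Two smaller points: `apiVersion: rbac.authorization.k8s.io/v1beta1` should be `rbac.authorization.k8s.io/v1` (RBAC v1 has been GA since Kubernetes 1.8 and v1beta1 is removed in 1.22), and the hunk only writes `/srv/magnum/kubernetes/kubernetes-admin-rbac.yaml`, so make sure whatever applies the other RBAC files also picks this one up, otherwise the ServiceAccount and binding are never created.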
@ -196,23 +196,6 @@ spec:
targetPort: 8443
selector:
k8s-app: kubernetes-dashboard
---
# Grant admin privileges to the dashboard serviceacount
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard
labels:
k8s-app: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
EOF
}
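Review bot: dropping the `cluster-admin` binding for the `kubernetes-dashboard` ServiceAccount is the right fix for the bug, but nothing in this hunk replaces it with a narrower grant, and the dashboard pod itself needs some permissions to run (upstream's recommended manifest binds the account to a minimal Role in `kube-system` for its own certificate Secret and settings ConfigMap). Verify the dashboard still starts and serves the login page after this change; if it needs a Role, add the minimal one here rather than relying on whatever the default permissions happen to be.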
@ -0,0 +1,8 @@
---
security:
- |
k8s_fedora Remove cluster role from the kubernetes-dashboard account. When
accessing the dashboard and skip authentication, users login with the
kunernetes-dashboard service account, if that service account has the
cluster role, users have admin access without authentication. Create an
admin service account for this use case and others.
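Review bot: the release note has a typo, `kunernetes-dashboard` should be `kubernetes-dashboard`, and the second sentence reads awkwardly ("When accessing the dashboard and skip authentication" should be "When users skip authentication on the dashboard login page"). Since this is filed under `security`, it would also help operators to state what changes for them: the new `admin` ServiceAccount carries a `cluster-admin` token, so anyone who previously relied on the skip button now needs that token, and the token itself must be handled as a root credential for the cluster.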