k8s_fedora: Add admin user
Add an admin service account and give it the cluster role. It can be used for accessing apps with token authentication, like the kubernetes-dashboard. Remove the cluster role from the dashboard service account.

Change-Id: I7980c0e72b0d71921e42af7338d02b8a1e563c34
Closes-Bug: #1766284
parent 3975ca35bf
commit 91d5229b9c
@ -45,3 +45,31 @@ subjects:
|
||||||
kind: User
|
kind: User
|
||||||
name: kubernetes
|
name: kubernetes
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
# Create an admin user and give it the cluster role.
|
||||||
|
ADMIN_RBAC=/srv/magnum/kubernetes/kubernetes-admin-rbac.yaml
|
||||||
|
|
||||||
|
[ -f ${ADMIN_RBAC} ] || {
|
||||||
|
echo "Writing File: $ADMIN_RBAC"
|
||||||
|
mkdir -p $(dirname ${ADMIN_RBAC})
|
||||||
|
cat << EOF > ${ADMIN_RBAC}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: admin
|
||||||
|
namespace: kube-system
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: admin
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: cluster-admin
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: admin
|
||||||
|
namespace: kube-system
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
|
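Review bot: the `admin` service account's token is a long-lived secret in `kube-system` that now carries `cluster-admin`, but nothing in this hunk says how an operator is expected to retrieve that token or that anyone who can read secrets in `kube-system` thereby gains full cluster access; the comment `# Create an admin user and give it the cluster role.` above `ADMIN_RBAC` (or the release note) should state both. Two smaller points: the manifest uses `apiVersion: rbac.authorization.k8s.io/v1beta1`, which can be `rbac.authorization.k8s.io/v1` on Kubernetes 1.8 or later, and the hunk only writes `${ADMIN_RBAC}` behind `[ -f ${ADMIN_RBAC} ] ||` (so an already-present file is never refreshed) with no `kubectl` call visible, so confirm that the step which applies the other manifests under /srv/magnum/kubernetes also picks this file up.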
@ -196,23 +196,6 @@ spec:
|
||||||
targetPort: 8443
|
targetPort: 8443
|
||||||
selector:
|
selector:
|
||||||
k8s-app: kubernetes-dashboard
|
k8s-app: kubernetes-dashboard
|
||||||
---
|
|
||||||
# Grant admin privileges to the dashboard serviceacount
|
|
||||||
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
name: kubernetes-dashboard
|
|
||||||
labels:
|
|
||||||
k8s-app: kubernetes-dashboard
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: cluster-admin
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: kubernetes-dashboard
|
|
||||||
namespace: kube-system
|
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
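Review bot: removing this ClusterRoleBinding from the heredoc only affects clusters created after the change; a cluster that already ran the old script still has `clusterrolebinding/kubernetes-dashboard` bound to `cluster-admin`, and nothing in this hunk deletes it from a running cluster, so the release note should tell operators of existing clusters to run `kubectl delete clusterrolebinding kubernetes-dashboard` by hand. Also, once this binding is gone the `kubernetes-dashboard` service account has no RBAC grants left in the visible lines; unless the file defines a narrower Role elsewhere for the dashboard's own certificate secret and settings ConfigMap, the dashboard pod loses those reads and writes as well as the unintended admin access, so check that before merging.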
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
k8s_fedora Remove cluster role from the kubernetes-dashboard account. When
|
||||||
|
accessing the dashboard and skip authentication, users login with the
|
||||||
|
kunernetes-dashboard service account, if that service account has the
|
||||||
|
cluster role, users have admin access without authentication. Create an
|
||||||
|
admin service account for this use case and others.
|
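Review bot: the note has a typo, `kunernetes-dashboard` should be `kubernetes-dashboard`, and the sentence beginning `When accessing the dashboard and skip authentication` does not parse; suggest `When a user chooses Skip on the dashboard login page, the dashboard acts with its own kubernetes-dashboard service account, so binding that account to cluster-admin gave every unauthenticated user full cluster access.` The note should also name the new account (`admin` in `kube-system`), say that its token is the credential to paste into the dashboard's Token login, and warn that clusters created before this change keep the old binding until it is deleted manually. The bare `k8s_fedora` at the start of the note reads as a stray prefix and should be part of the sentence, e.g. `In the k8s_fedora drivers, remove the cluster role from ...`.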