Permission Manager
Permission Manager is a project that provides Web UI for Kubernetes RBAC and user management, and provides a friendly visual interface for Kubernetes permission management.
installation
Download the yaml file from https://github.com/sighupio/permission-manager/tree/master/deployments/kubernetes , as follows
[root@qd01-stop-k8s-master001 kubernetes]# ll
total 4
-rw-r--r-- 1 root root 2697 Jan 28 11:08 deploy.yml
drwxr-xr-x 2 root root 37 Jan 28 11:14 seeds
Create namespace
[root@qd01-stop-k8s-master001 kubernetes]# kubectl create namespace permission-manager
namespace/permission-manager created
Create a secret and update accordingly
[rancher@qd01-stop-k8snode011 permission-manager]$ cat secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
name: permission-manager
namespace: permission-manager
type: Opaque
stringData:
PORT: "4000" # port where server is exposed
CLUSTER_NAME: "kubernetes-cluster" # name of the cluster to use in the generated kubeconfig file
CONTROL_PLANE_ADDRESS: "https://10.26.29.208:6443" # full address of the control plane to use in the generated kubeconfig file
BASIC_AUTH_PASSWORD: "k8sAdmin" # password used by basic auth (username is `admin`)
[root@qd01-stop-k8s-master001 kubernetes]# kubectl apply -f secret.yaml
secret/permission-manager created
deploy
[root@qd01-stop-k8s-master001 seeds]# kubectl apply -f crd.yml
Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/permissionmanagerusers.permissionmanager.user created
[root@qd01-stop-k8s-master001 seeds]# kubectl apply -f seed.yml
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___operation created
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___developer created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___read-only created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___admin created
[root@qd01-stop-k8s-master001 kubernetes]# kubectl apply -f deploy.yml
service/permission-manager created
deployment.apps/permission-manager created
serviceaccount/permission-manager created
clusterrole.rbac.authorization.k8s.io/permission-manager created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
clusterrolebinding.rbac.authorization.k8s.io/permission-manager created
The permission-manager is deployed above, the warning information can be ignored or modified by yourself in the yaml file api version to rbac.authorization.k8s.io/v1
Use ingress to expose services
Create ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: permission-manager-ingress
namespace: permission-manager
annotations:
kubernetes.io/ingress.class: nginx
spec:
rules:
- host: permission.kubeops.net
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: permission-manager
port:
number: 4000
[root@qd01-stop-k8s-master001 kubernetes]# kubectl apply -f ingress.yaml
[root@qd01-stop-k8s-master001 kubernetes]# kubectl get ing -n permission-manager
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
permission-manager-ingress <none> permission.kubeops.net 10.26.29.202,10.26.29.203 80 4m8s
Add dns resolution by yourself, then visit permission.kubeops.net in the browser and log in with the username and password (set in secret)
log in
There are currently no users, we can create a normal user test
Create user
Click Create New User to
fill in the relevant information
and then click Save to
view the generated config file under user information
test
Save the config file, and then use this configuration file to access the cluster.
Here I copy the config file to the local, rename it to scofield, and use kubectl to test
[root@qd01-stop-k8s-master001 kubernetes]# kubectl --kubeconfig=scofield get po
No resources found in default namespace.
[root@qd01-stop-k8s-master001 kubernetes]# kubectl --kubeconfig=scofield get po -n argo
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:permission-manager:scofield" cannot list resource "pods" in API group "" in the namespace "argo"
It can be seen from the above output that the two namespaces I queried respectively are default and argo, but only the default namespace has permissions, and the argo namespace does not have permission to operate. This is consistent with the permissions we gave when creating a user.
For more information, please check the official website