kubernetes user permission management tool permission-manager

Permission Manager

Permission Manager is a project that provides a web UI for Kubernetes RBAC and user management, giving Kubernetes permission management a friendly visual interface.

installation

Download the yaml files from https://github.com/sighupio/permission-manager/tree/master/deployments/kubernetes ; the directory contents are as follows:

[root@qd01-stop-k8s-master001 kubernetes]# ll
total 4
-rw-r--r-- 1 root root 2697 Jan 28 11:08 deploy.yml
drwxr-xr-x 2 root root   37 Jan 28 11:14 seeds

Create namespace

[root@qd01-stop-k8s-master001 kubernetes]# kubectl create namespace permission-manager
namespace/permission-manager created

Create a secret and update accordingly

[rancher@qd01-stop-k8snode011 permission-manager]$ cat secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: permission-manager
  namespace: permission-manager
type: Opaque
stringData:
  PORT: "4000" # port where server is exposed
  CLUSTER_NAME: "kubernetes-cluster" # name of the cluster to use in the generated kubeconfig file
  CONTROL_PLANE_ADDRESS: "https://10.26.29.208:6443" # full address of the control plane to use in the generated kubeconfig file
  BASIC_AUTH_PASSWORD: "k8sAdmin" # password used by basic auth (username is `admin`)
[root@qd01-stop-k8s-master001 kubernetes]# kubectl apply -f secret.yaml
secret/permission-manager created

deploy

[root@qd01-stop-k8s-master001 seeds]# kubectl apply -f crd.yml
Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/permissionmanagerusers.permissionmanager.user created

[root@qd01-stop-k8s-master001 seeds]# kubectl apply -f seed.yml
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___operation created
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___developer created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___read-only created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___admin created

[root@qd01-stop-k8s-master001 kubernetes]# kubectl apply -f deploy.yml
service/permission-manager created
deployment.apps/permission-manager created
serviceaccount/permission-manager created
clusterrole.rbac.authorization.k8s.io/permission-manager created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
clusterrolebinding.rbac.authorization.k8s.io/permission-manager created

With that, permission-manager is deployed. The warnings can be ignored, or you can edit the apiVersion in the yaml file to rbac.authorization.k8s.io/v1 yourself.

Use ingress to expose services

Create ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: permission-manager-ingress
  namespace: permission-manager
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: permission.kubeops.net
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: permission-manager
            port:
              number: 4000
[root@qd01-stop-k8s-master001 kubernetes]# kubectl apply -f ingress.yaml
[root@qd01-stop-k8s-master001 kubernetes]# kubectl get ing -n permission-manager
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
NAME                         CLASS    HOSTS                  ADDRESS                     PORTS   AGE
permission-manager-ingress   <none>   permission.kubeops.net   10.26.29.202,10.26.29.203   80      4m8s

Add the DNS resolution yourself, then visit permission.kubeops.net in the browser and log in with the username and password set in the secret.

log in

There are currently no users, so we can create a normal user to test with.

Create user

Click Create New User, fill in the relevant information, and then click Save. The generated config file can be viewed under the user's information.

test

Save the config file, and then use this configuration file to access the cluster.
Here I copy the config file locally, rename it to scofield, and use kubectl to test:

[root@qd01-stop-k8s-master001 kubernetes]# kubectl --kubeconfig=scofield  get po
No resources found in default namespace.

[root@qd01-stop-k8s-master001 kubernetes]# kubectl --kubeconfig=scofield  get po -n argo
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:permission-manager:scofield" cannot list resource "pods" in API group "" in the namespace "argo"

The output above shows that of the two namespaces I queried, default and argo, only the default namespace is accessible; the argo namespace cannot be operated on. This is consistent with the permissions we granted when creating the user.
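The Forbidden error above is a consequence of how RBAC scopes bindings: a RoleBinding in the default namespace grants the ClusterRole's rules only inside default, while a ClusterRoleBinding would grant them in every namespace. The following added example (not code from the page or from the permission-manager project) models that evaluation for the service account the generated kubeconfig uses; the rule sets attached to the seed ClusterRole names are constructed here, since the page only shows the role names, and the binding to default is assumed from the observed behaviour.

```python
"""Minimal model of Kubernetes RBAC authorization for a namespaced resource."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Rule:
    api_groups: Set[str]
    resources: Set[str]
    verbs: Set[str]

    def allows(self, group: str, resource: str, verb: str) -> bool:
        # "*" in any field matches everything, as in a real PolicyRule
        return (("*" in self.api_groups or group in self.api_groups)
                and ("*" in self.resources or resource in self.resources)
                and ("*" in self.verbs or verb in self.verbs))


@dataclass
class Binding:
    role: str            # name of the ClusterRole being referenced
    subjects: Set[str]   # user / service account names
    namespace: Optional[str] = None  # None models a ClusterRoleBinding (cluster-wide)


# Constructed rule sets: the page shows only the ClusterRole names created by seed.yml
CLUSTER_ROLES = {
    "template-namespaced-resources___developer": [
        Rule({"", "apps"}, {"pods", "deployments", "services"}, {"*"})],
    "template-cluster-resources___read-only": [
        Rule({"*"}, {"*"}, {"get", "list", "watch"})],
}


def can_i(bindings: List[Binding], user: str, verb: str, resource: str,
          namespace: str, group: str = "") -> bool:
    """Return True if any binding for `user` allows verb/resource in `namespace`."""
    for b in bindings:
        if user not in b.subjects:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue  # a RoleBinding only applies inside its own namespace
        if any(r.allows(group, resource, verb) for r in CLUSTER_ROLES.get(b.role, [])):
            return True
    return False  # deny by default


# Subject name taken from the Forbidden message; binding to "default" is assumed
USER = "system:serviceaccount:permission-manager:scofield"
BINDINGS = [Binding("template-namespaced-resources___developer", {USER}, namespace="default")]

if __name__ == "__main__":
    for ns in ("default", "argo"):
        print(f"list pods in {ns}: {can_i(BINDINGS, USER, 'list', 'pods', ns)}")
```

Adding a ClusterRoleBinding to template-cluster-resources___read-only for the same subject would make the argo query succeed, which is why cluster-scoped templates deserve closer review than namespaced ones when assigning them in the UI.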
For more information, please check the official website


Origin blog.51cto.com/1648324/2609242