Merge "k8s_fedora: Add admin user"
commit
e2d3fee1b3
|
@ -45,3 +45,31 @@ subjects:
|
|||
kind: User
|
||||
name: kubernetes
|
||||
EOF
|
||||
|
||||
# Create an admin user and give it the cluster role.
|
||||
ADMIN_RBAC=/srv/magnum/kubernetes/kubernetes-admin-rbac.yaml
|
||||
|
||||
[ -f ${ADMIN_RBAC} ] || {
|
||||
echo "Writing File: $ADMIN_RBAC"
|
||||
mkdir -p $(dirname ${ADMIN_RBAC})
|
||||
cat << EOF > ${ADMIN_RBAC}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: admin
|
||||
namespace: kube-system
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: admin
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: admin
|
||||
namespace: kube-system
|
||||
EOF
|
||||
}
|
||||
|
|
|
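Review bot: The comment above `ADMIN_RBAC` says "admin user", but the manifest defines a ServiceAccount named `admin` in `kube-system` bound to the `cluster-admin` ClusterRole, so its token is a bearer credential for full cluster control, and anything able to read Secrets in `kube-system` can presumably obtain it. I would state that in the comment, e.g. `# Create the kube-system/admin ServiceAccount and bind it to cluster-admin; its token grants full control of the cluster, so limit who can read kube-system secrets.` As a style point, the expansions in `[ -f ${ADMIN_RBAC} ]` and `mkdir -p $(dirname ${ADMIN_RBAC})` are unquoted; the path is a constant here, but `mkdir -p "$(dirname "${ADMIN_RBAC}")"` is the safer habit. The step that applies this file is outside the hunk, and the `[ -f ... ] ||` guard means an already-present file is never rewritten, so a later change to this manifest would not reach existing nodes.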
@ -196,23 +196,6 @@ spec:
|
|||
targetPort: 8443
|
||||
selector:
|
||||
k8s-app: kubernetes-dashboard
|
||||
---
|
||||
# Grant admin privileges to the dashboard serviceacount
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: kubernetes-dashboard
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kubernetes-dashboard
|
||||
namespace: kube-system
|
||||
EOF
|
||||
}
|
||||
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
security:
|
||||
- |
|
||||
k8s_fedora Remove cluster role from the kubernetes-dashboard account. When
|
||||
accessing the dashboard and skip authentication, users login with the
|
||||
kunernetes-dashboard service account, if that service account has the
|
||||
cluster role, users have admin access without authentication. Create an
|
||||
admin service account for this use case and others.
|