跳转至

容器管理权限说明

容器管理权限基于全局权限管理以及 Kubernetes RBAC 权限管理打造的多维度权限管理体系。 支持集群级、命名空间级的权限控制,帮助用户便捷灵活地对租户下的 IAM 用户、用户组(用户的集合)设定不同的操作权限。

集群权限

集群权限基于 Kubernetes RBAC 的 ClusterRolebinding 授权,集群权限设置可让用户/用户组具备集群相关权限。 目前的默认集群角色为 Cluster Admin (不具备集群的创建、删除权限)。

Cluster Admin

Cluster Admin 具有以下权限:

  • 可管理、编辑、查看对应集群

  • 管理、编辑、查看 命名空间下的所有工作负载及集群内所有资源

  • 可授权用户为集群内角色 (Cluster Admin、NS Admin、NS Editor、NS Viewer)

该集群角色的 YAML 示例如下:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kpanda.io/creator: system
  creationTimestamp: "2022-06-16T09:42:49Z"
  labels:
    iam.kpanda.io/role-template: "true"
  name: role-template-cluster-admin
  resourceVersion: "15168"
  uid: f8f86d42-d5ef-47aa-b284-097615795076
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

命名空间权限

命名空间权限是基于 Kubernetes RBAC 能力的授权,可以实现不同的用户/用户组对命名空间下的资源具有不同的操作权限(包括 Kubernetes API 权限),详情可参考:Kubernetes RBAC。目前容器管理的默认角色为:NS Admin、NS Editor、NS Viewer。

NS Admin

NS Admin 具有以下权限:

  • 可查看对应命名空间
  • 管理、编辑、查看 命名空间下的所有工作负载,及自定义资源
  • 可授权用户为对应命名空间角色 (NS Editor、NS Viewer)

该集群角色的 YAML 示例如下:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kpanda.io/creator: system
  creationTimestamp: "2022-06-16T09:42:49Z"
  labels:
    iam.kpanda.io/role-template: "true"
  name: role-template-ns-admin
  resourceVersion: "15173"
  uid: 69f64c7e-70e7-4c7c-a3e0-053f507f2bc3
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'    

NS Editor

NS Editor 具有以下权限:

  • 可查看对应有权限的命名空间
  • 管理、编辑、查看 命名空间下的所有工作负载
点击查看集群角色的 YAML 示例
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kpanda.io/creator: system
  creationTimestamp: "2022-06-16T09:42:50Z"
  labels:
    iam.kpanda.io/role-template: "true"
  name: role-template-ns-edit
  resourceVersion: "15175"
  uid: ca9e690e-96c0-4978-8915-6e4c00c748fe
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/status
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
  verbs:
  - '*'
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  - horizontalpodautoscalers/status
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - cronjobs
  - cronjobs/status
  - jobs
  - jobs/status
  verbs:
  - '*'
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - ingresses
  - ingresses/status
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicasets/status
  - replicationcontrollers/scale
  verbs:
  - '*'
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - poddisruptionbudgets/status
  verbs:
  - '*'
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  - networkpolicies
  verbs:
  - '*'      

NS Viewer

NS Viewer 具有以下权限:

  • 可查看对应命名空间
  • 可查看对应命名空间下的所有工作负载,及自定义资源
点击查看集群角色的 YAML 示例
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kpanda.io/creator: system
  creationTimestamp: "2022-06-16T09:42:50Z"
  labels:
    iam.kpanda.io/role-template: "true"
  name: role-template-ns-view
  resourceVersion: "15183"
  uid: 853888fd-6ee8-42ac-b91e-63923918baf8
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  - horizontalpodautoscalers/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - cronjobs/status
  - jobs
  - jobs/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - ingresses
  - ingresses/status
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicasets/status
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - poddisruptionbudgets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  - networkpolicies
  verbs:
  - get
  - list
  - watch 

权限 FAQ

  1. 全局权限和容器管理权限管理的关系?

    答:全局权限仅授权为粗粒度权限,可管理所有集群的创建、编辑、删除;而对于细粒度的权限,如单个集群的管理权限,单个命名空间的管理、编辑、删除权限,需要基于 Kubernetes RBAC 的容器管理权限进行实现。 一般权限的用户仅需要在容器管理中进行授权即可。

  2. 目前仅支持四个默认角色,后台自定义角色的 RoleBinding 以及 ClusterRoleBinding (Kubernetes 细粒度的 RBAC)是否也能生效?

    答:目前自定义权限暂时无法通过图形界面进行管理,但是通过 kubectl 创建的权限规则同样能生效。

评论