Permission Manager

Permission Manager is a project that provides a web UI for Kubernetes RBAC and user management, giving a friendly visual interface for managing Kubernetes permissions.

Installation

Download the YAML files from github.com/sighupio/pe… so that you have the following:

[root@qd01-stop-k8s-master001 kubernetes]# ll
total 4
-rw-r--r-- 1 root root 2697 Jan 28 11:08 deploy.yml
drwxr-xr-x 2 root root   37 Jan 28 11:14 seeds

Create a namespace

[root@qd01-stop-k8s-master001 kubernetes]# kubectl create namespace permission-manager
namespace/permission-manager created

Create a Secret, adjusting the values for your environment. Anyone who can log in to this UI can create users and grant them RBAC permissions, so replace the example BASIC_AUTH_PASSWORD with a strong one; keep in mind that a Secret is only base64-encoded, not encrypted, and is readable by anyone allowed to get secrets in the namespace.

[rancher@qd01-stop-k8snode011 permission-manager]$ cat secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: permission-manager
  namespace: permission-manager
type: Opaque
stringData:
  PORT: "4000" # port where server is exposed
  CLUSTER_NAME: "kubernetes-cluster" # name of the cluster to use in the generated kubeconfig file
  CONTROL_PLANE_ADDRESS: "https://10.26.29.208:6443" # full address of the control plane to use in the generated kubeconfig file
  BASIC_AUTH_PASSWORD: "k8sAdmin" # password used by basic auth (username is `admin`)
[root@qd01-stop-k8s-master001 kubernetes]# kubectl apply -f secret.yaml
secret/permission-manager created

Deployment

[root@qd01-stop-k8s-master001 seeds]# kubectl apply -f crd.yml
Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/permissionmanagerusers.permissionmanager.user created
[root@qd01-stop-k8s-master001 seeds]# kubectl apply -f seed.yml
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___operation created
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___developer created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___read-only created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___admin created
[root@qd01-stop-k8s-master001 kubernetes]# kubectl apply -f deploy.yml
service/permission-manager created
deployment.apps/permission-manager created
serviceaccount/permission-manager created
clusterrole.rbac.authorization.k8s.io/permission-manager created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
clusterrolebinding.rbac.authorization.k8s.io/permission-manager created

Permission Manager is now deployed. The warnings can be ignored on this cluster version, or you can edit the YAML files to use the current API versions (rbac.authorization.k8s.io/v1 for the ClusterRoleBinding and apiextensions.k8s.io/v1 for the CustomResourceDefinition); as the warnings say, the v1beta1 versions stop working on Kubernetes 1.22+.

Expose the service with an Ingress

Create ingress.yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: permission-manager-ingress
  namespace: permission-manager
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: permission.ieasou.cn
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: permission-manager
            port:
              number: 4000
[root@qd01-stop-k8s-master001 kubernetes]# kubectl apply -f ingress.yaml
[root@qd01-stop-k8s-master001 kubernetes]# kubectl get ing -n permission-manager
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
NAME                         CLASS    HOSTS                  ADDRESS                     PORTS   AGE
permission-manager-ingress   <none>   permission.ieasou.cn   10.26.29.202,10.26.29.203   80      4m8s

Add a DNS record (or a hosts entry) for permission.ieasou.cn, open it in a browser, and log in with the username admin and the password set in the Secret. Note that this Ingress has no tls section and is served on port 80 only, so the basic-auth credentials and any kubeconfig downloaded through the UI travel in the clear; add TLS and restrict who can reach the host before using this outside a lab.

Login

There are no users yet, so let's create an ordinary user and test it.

Create a user

Click Create New User, fill in the relevant information, then click Save. The generated kubeconfig file is shown under the user's details.

Test

Save the config file and use it to access the cluster. I'll copy the config file locally, rename it scofield, and test it with kubectl:

[root@qd01-stop-k8s-master001 kubernetes]# kubectl --kubeconfig=scofield get po
No resources found in default namespace.
[root@qd01-stop-k8s-master001 kubernetes]# kubectl --kubeconfig=scofield get po -n argo
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:permission-manager:scofield" cannot list resource "pods" in API group "" in the namespace "argo"

The output shows the two namespaces I queried, default and argo: listing pods in default is allowed, while the same request in argo is forbidden. This matches the permissions granted when the user was created. Note the identity in the error message: the generated kubeconfig authenticates as a service account (scofield) that Permission Manager created in its own namespace, so the file is a bearer credential and should be handled as carefully as the permissions bound to it. For more information, see the official website.
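Poking at resources by hand, as above, only checks one verb in one namespace at a time. A quicker way to confirm the scope of a generated kubeconfig is kubectl auth can-i, which answers yes or no per verb, resource and namespace without touching any objects. The script below is an added example, not part of the original post or of the Permission Manager project; it assumes the downloaded kubeconfig is saved as scofield (override with KUBECONFIG_FILE) and that kubectl is on PATH. The namespace and verb lists are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post or the Permission Manager project):
# map the effective scope of a generated kubeconfig with `kubectl auth can-i`.
# Assumes the kubeconfig is saved as ./scofield (override with KUBECONFIG_FILE)
# and that kubectl is on PATH.

KUBECONFIG_FILE="${KUBECONFIG_FILE:-scofield}"

# can_i VERB RESOURCE NAMESPACE -> prints "yes", "no" or "error".
# kubectl prints "no" and exits 1 when access is denied, so the exit status is
# discarded and the answer is read from stdout instead. Empty output means kubectl
# itself failed (unreachable API server, broken kubeconfig) and proves nothing.
can_i() {
    verb=$1; resource=$2; ns=$3
    answer=$(kubectl --kubeconfig="$KUBECONFIG_FILE" auth can-i "$verb" "$resource" -n "$ns" 2>/dev/null) || true
    case "$answer" in
        yes) echo yes ;;
        no)  echo no ;;
        *)   echo error ;;
    esac
}

# permission_matrix "NS1 NS2 ..." "VERB1 VERB2 ..." RESOURCE
# -> one row per cell: "namespace verb resource answer"
permission_matrix() {
    for ns in $1; do
        for verb in $2; do
            printf '%s %s %s %s\n' "$ns" "$verb" "$3" "$(can_i "$verb" "$3" "$ns")"
        done
    done
}

# flag_outside EXPECTED_NS  (reads matrix rows on stdin)
# Prints every grant outside EXPECTED_NS and every cell that could not be checked.
# Returns 0 only when the scope is as tight as intended.
flag_outside() {
    awk -v ok="$1" '
        $4 == "error"           { print "ERROR (no answer):", $0; found = 1 }
        $1 != ok && $4 == "yes" { print "UNEXPECTED GRANT:", $0; found = 1 }
        END { exit found ? 1 : 0 }'
}

# Usage: sh check-scope.sh EXPECTED_NS "NS1 NS2 ..." "VERB1 VERB2 ..." RESOURCE
# e.g.   sh check-scope.sh default "default argo kube-system" "get list create delete" pods
if [ $# -ge 4 ]; then
    echo "effective $4 permissions of $KUBECONFIG_FILE:"
    permission_matrix "$2" "$3" "$4"
    if permission_matrix "$2" "$3" "$4" | flag_outside "$1"; then
        echo "OK: $4 access is limited to namespace $1"
    else
        echo "WARNING: $4 access outside namespace $1, or checks that failed (see above)"
        exit 2
    fi
fi
```

Run it against the scofield kubeconfig with default as the expected namespace and a few sensitive namespaces (argo, kube-system) in the list; any UNEXPECTED GRANT row means the user template bound more than intended. For a complete dump of what the credential can do in one namespace, kubectl --kubeconfig=scofield auth can-i --list -n default is the complement to this targeted check.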