
How to restrict namespace in kubernetes dashboard

My Kubernetes dashboard is running successfully and it's showing all the namespaces which are available in the Kubernetes cluster.

Example: Available namespaces: A, B, C, D, E

Now I want to remove/restrict one namespace (say D) from the Kubernetes dashboard. How would that be possible?

I used Helm to deploy the Kubernetes dashboard; below is the link to the repo.

https://github.com/kubernetes/dashboard/tree/master/aio/deploy/helm-chart/kubernetes-dashboard

dashboard version:- v2.0.0-rc7 
kubernetes version :- 1.17

OR

Is it possible to mask some environment variable (shown in the dashboard) which has sensitive data? Then I will keep my namespace as it is.

FWIW, I don't think this is going to be possible with the base Kubernetes dashboard setup. The reason is that Kubernetes RBAC doesn't allow for the concept of having GET access to some but not all resources of a given type (AFAIK).

So when it lists the available namespaces, it'll need to have GET on the namespace resource, but there's no concept of GET "all the namespaces apart from this one".

With correct RBAC, you might be able to stop it seeing anything past the namespace name, but I'd guess that's not going to be part of the default manifests.

One option you might be able to look at is deploying a separate instance of Kubernetes dashboard in each namespace and giving users rights to those separate instances. There are some examples of that here.

Another thing, if you're looking for visualisation of cluster resources, could be to look at something like Octant, which operates client-side using the user's kubeconfig file.

This is not possible.

There is no such flag or environment variable that I know of, nor could I find one in the documentation.

The only possible way to restrict access would be by specific RBAC rules, but you need to remember that these are additive only. You cannot remove access to resources, you can only add rules. You would need to create a user that has a Role in every namespace except for namespace 'D'; then, accessing the dashboard as this user, you would be disallowed access to namespace D since you did not allow it in the first place.

That is all you can do.
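
The additive-RBAC approach from the answer above, as an added example that is not part of the original answers: a script that emits one RoleBinding per allowed namespace and none for the excluded one. It assumes lowercase namespaces `a`..`e` standing in for A..E, a hypothetical ServiceAccount `dashboard-user` in a hypothetical `kubernetes-dashboard` namespace whose token is used to log in, and the built-in `view` ClusterRole.

```shell
#!/bin/sh
# Added example. RBAC is additive: the excluded namespace is protected only
# by the absence of a binding, so this works only if the account has no
# ClusterRoleBinding (or other binding) that grants read access cluster-wide.

# gen_rolebindings SA_NAME SA_NAMESPACE EXCLUDED_NS NS...
# Prints a RoleBinding manifest for every NS except EXCLUDED_NS.
gen_rolebindings() {
  sa_name=$1; sa_ns=$2; excluded=$3
  shift 3
  for ns in "$@"; do
    # Skip the excluded namespace: no binding means no access.
    if [ "$ns" = "$excluded" ]; then
      continue
    fi
    cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa_name}-view
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: ${sa_name}
  namespace: ${sa_ns}
EOF
  done
}

# Constructed namespace list; pipe the output to `kubectl apply -f -`.
gen_rolebindings dashboard-user kubernetes-dashboard d a b c d e
```

After applying the manifests, `kubectl auth can-i list pods -n d --as=system:serviceaccount:kubernetes-dashboard:dashboard-user` should answer `no`, and the same check against `-n a` should answer `yes`.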
