使用 RBAC for Grafana 在 Kubernetes 中创建集群范围的只读用户

Question

我正在尝试配置用户，以便 Grafana 能够监控我的集群资源。我遵循了 Bitnami 指南here。并将这些步骤作为 Ansible playbook 找到 here。

Here 是用户使用的 ClusterRole，here 是它与用户的绑定方式。

然而，尽管如此，当我使用生成的证书配置 Grafana 时，它会引发 this 错误。

此外，如果我尝试使用用户上下文运行任何命令，它会说我未经授权。

$> kubectl --context=grafana-prometheus-scraper get pods -n grafana
error: You must be logged in to the server (Unauthorized)

有什么想法吗？

Answer 1

这就是您的 ServiceAccount ClusterRole and ClusterRoleBinding 的样子。

apiVersion: v1
kind: ServiceAccount
metadata:
  name: grafana-prometheus-scraper

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: grafana-prometheus-scraper
rules:
  - apiGroups: [""]
    resources:
      - configmaps
      - secrets
      - nodes
      - pods
      - services
      - resourcequotas
      - replicationcontrollers
      - limitranges
      - persistentvolumeclaims
      - persistentvolumes
      - namespaces
      - endpoints
    verbs: ["list", "watch"]
  - apiGroups: ["extensions"]
    resources:
      - daemonsets
      - deployments
      - replicasets
      - ingresses
    verbs: ["list", "watch"]
  - apiGroups: ["apps"]
    resources:
      - daemonsets
      - deployments
      - replicasets
      - statefulsets
    verbs: ["list", "watch"]
  - apiGroups: ["batch"]
    resources:
      - cronjobs
      - jobs
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling"]
    resources:
      - horizontalpodautoscalers
    verbs: ["list", "watch"]
  - apiGroups: ["policy"]
    resources:
      - poddisruptionbudgets
    verbs: ["list", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - certificatesigningrequests
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources:
      - storageclasses
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling.k8s.io"]
    resources:
      - verticalpodautoscalers
    verbs: ["list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: grafana-prometheus-scraper
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: grafana-prometheus-scraper
subjects:
- kind: ServiceAccount
  name: grafana-prometheus-scraper

创建集群角色时不必指定命名空间，因为这适用于整个集群。如果你想限制对特定命名空间的访问，你应该使用 Role 和 RoleBinding。

Medium上有一篇关于Configuring RBAC For Your Kubernetes Service Accounts的非常好的文章，我强烈推荐。

Answer 2

kubernetes 中没有用户对象。创建一个服务帐户并在 clusterrolebinding 中更新它。

subjects:
    - kind: User
      name: grafana-prometheus-scraper