2017-04-26

nginx setup in Kubernetes with RBAC enabled

Since Kubernetes v1.6, RBAC authorization is enabled by default. This means that my deployments/configuration for v1.5 no longer work.

One key component I need to grant access to is nginx; otherwise a message like the following shows up in the logs:

F0425 15:08:07.246596  1 main.go:116] no service with name kube-system/default-http-backend found: the server does not allow access to the requested resource (get services default-http-backend) 

Answer


Edit: as can be seen, kubernetes/nginx has updated the documentation here

OLD:

To support RBAC, we need two things:

  • define a ServiceAccount/ClusterRole/ClusterRoleBinding
  • set that ServiceAccount on the nginx Deployment

Below are the files I used to set it up:

nginx-roles.yml

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx
  namespace: kube-system
---
# rbac.authorization.k8s.io/v1beta1 is the RBAC API that ships with v1.6;
# the same objects are served as rbac.authorization.k8s.io/v1 from v1.8 on.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: nginx-role
rules:
# The controller only reads these core resources (it watches them in every
# namespace), so get/watch/list is the complete set of verbs it needs.
- apiGroups: [""]
  resources: ["secrets", "configmaps", "services", "endpoints"]
  verbs:
  - get
  - watch
  - list
# Emitting an Event is an HTTP POST, which the API server authorizes as the
# RBAC verb "create"; "post" and "redirect" are not RBAC verbs and never match.
- apiGroups: [""]
  resources: ["events"]
  verbs:
  - create
  - patch
- apiGroups:
  - "extensions"
  resources:
  - "ingresses"
  verbs:
  - get
  - watch
  - list
---
# A ClusterRoleBinding makes the grant cluster-wide: the controller can read
# Secrets, Services etc. in every namespace, not only in kube-system.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: nginx-role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-role
subjects:
- kind: ServiceAccount
  name: nginx
  namespace: kube-system

nginx-ingress-controller.yml (nodeSelector: kubecluster-amd-1; uses default-http-backend)

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  labels:
    k8s-app: nginx-ingress-controller
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        k8s-app: nginx-ingress-controller
    spec:
      # Run the pod as the ServiceAccount bound to nginx-role. Without this the
      # pod gets the namespace's "default" account, which has no RBAC bindings
      # of its own and is denied the API calls seen in the error above.
      # (serviceAccount is the deprecated alias of serviceAccountName.)
      serviceAccountName: nginx
      hostNetwork: true
      nodeSelector:
        kubernetes.io/hostname: kubecluster-amd-1
      terminationGracePeriodSeconds: 60
      containers:
      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.4
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 20
          timeoutSeconds: 1
        ports:
        - containerPort: 80
          hostPort: 80
        - containerPort: 443
          hostPort: 443
        - containerPort: 5683
          hostPort: 5683
          protocol: UDP
        - containerPort: 5684
          hostPort: 5684
          protocol: UDP
        - containerPort: 53
          hostPort: 53
          protocol: UDP
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        args:
        - /nginx-ingress-controller
        - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
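Once the ServiceAccount, ClusterRole and ClusterRoleBinding are applied, the quickest way to confirm that the controller's identity has the access described above, and no more, is to impersonate it with `kubectl auth can-i`. The script below is an added example; it is not part of the original answer or of the kubernetes/ingress project. It assumes kubectl 1.6 or later, a kubeconfig user allowed to impersonate (cluster-admin is), and the ServiceAccount kube-system/nginx from the manifests above; the expected-outcome matrix and the file name used below are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: check what the nginx ServiceAccount
# bound by nginx-roles.yml can and cannot do, by impersonating it with kubectl.
# Assumptions: kubectl 1.6+, a kubeconfig user that may impersonate, and the
# ServiceAccount kube-system/nginx from the manifests above.

SA_NAMESPACE="${SA_NAMESPACE:-kube-system}"
SA_NAME="${SA_NAME:-nginx}"

# RBAC subject name the API server derives from a ServiceAccount token.
sa_subject() {
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# kubectl command for one check: <verb> <resource> <namespace>.
can_i_cmd() {
  printf 'kubectl auth can-i %s %s --namespace %s --as %s\n' \
    "$1" "$2" "$3" "$(sa_subject "$SA_NAMESPACE" "$SA_NAME")"
}

# Expected outcomes, one per line: "verb resource namespace yes|no".
# The "yes" rows are the grants in nginx-role (the first row is the call that
# failed in the question; "default" namespace rows show the ClusterRoleBinding
# applies cluster-wide). The "no" rows must stay denied so a compromised
# controller cannot modify workloads, write Secrets or widen its own access.
expected_matrix() {
  cat <<'EOF'
get services kube-system yes
list ingresses default yes
create events kube-system yes
list secrets default yes
delete pods kube-system no
create secrets default no
create clusterrolebindings kube-system no
EOF
}

# Run every row against the live cluster; exit status is the number of mismatches.
run_checks() {
  failures=0
  tmp=$(mktemp) || return 1
  expected_matrix > "$tmp"
  while read -r verb resource ns expected; do
    cmd=$(can_i_cmd "$verb" "$resource" "$ns")
    # kubectl auth can-i prints "yes" or "no"; warnings go to stderr.
    got=$($cmd 2>/dev/null | head -n 1)
    if [ "$got" = "$expected" ]; then
      printf 'ok    %-7s %-21s %-12s %s\n' "$verb" "$resource" "$ns" "$got"
    else
      printf 'FAIL  %-7s %-21s %-12s expected %s, got %s\n' \
        "$verb" "$resource" "$ns" "$expected" "${got:-<error>}"
      failures=$((failures + 1))
    fi
  done < "$tmp"
  rm -f "$tmp"
  return "$failures"
}

# Only talk to the cluster when asked explicitly: sh rbac-check.sh run
case "${1:-}" in
  run) run_checks ;;
esac
```

Save it as, for example, rbac-check.sh and run `sh rbac-check.sh run` against the cluster. With the page's original `post` verb on events, the `create events` row reports "no": RBAC compares verbs literally, and the API server authorizes event creation as `create`. The `list secrets default yes` row is the one to weigh: because the grant is a ClusterRoleBinding, the controller can read every Secret in the cluster, which is what lets it serve TLS for Ingresses in any namespace, but it also means anyone who can execute code in that pod can read them too.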