Add privilege control for Kubernetes dashboard access users
1. Requirements
Developers need permission to deploy and manage applications in the development environment only. They should be able to log in to the dashboard with a token or with a kubeconfig file, install kubectl on their own machines, and use kubectl port-forward against their workloads.
2. Plan
Because we run both the dashboard and kubeapps, RBAC permissions have to be granted for each of them.
Create the namespace: dev
Create the ServiceAccount: dev-user1
Create a Role with the required permissions and bind it to the ServiceAccount.
3. Implementation
3.1 Assign dashboard permissions
The dev namespace must already exist. Save the manifest below as dev-user1.yaml and apply it:

kubectl apply -f dev-user1.yaml

---
# ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-user1
  namespace: dev
---
# Role
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: role-dev-user1
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "delete", "update", "patch"]
- apiGroups: [""]
  resources: ["pods/portforward", "pods/proxy"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list", "watch", "delete"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps", "extensions"]
  resources: ["replicasets"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["persistentvolumeclaims"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["daemonsets"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["cronjobs"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["replicationcontrollers"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["statefulsets"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["get", "watch", "list"]
---
# RoleBinding
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-bind-dev-user1
  namespace: dev
subjects:
- kind: ServiceAccount
  name: dev-user1
  namespace: dev
roleRef:
  kind: Role
  name: role-dev-user1
  apiGroup: rbac.authorization.k8s.io
#---
## Optional, commented out: cluster-wide read access to namespaces.
## ClusterRole and ClusterRoleBinding are cluster-scoped, so the namespace
## fields below have no effect.
#kind: ClusterRole
#apiVersion: rbac.authorization.k8s.io/v1
#metadata:
#  namespace: dev
#  name: clusterrole-dev-user1
#rules:
#- apiGroups: [""]
#  resources: ["namespaces"]
#  verbs: ["get", "watch", "list"]
#
#---
## clusterrole bind
#kind: ClusterRoleBinding
#apiVersion: rbac.authorization.k8s.io/v1
#metadata:
#  name: clusterrole-bind-dev-user1
#  namespace: dev
#subjects:
#- kind: ServiceAccount
#  name: dev-user1
#  namespace: dev
#roleRef:
#  kind: ClusterRole
#  name: clusterrole-dev-user1
#  apiGroup: rbac.authorization.k8s.io

Three things to check before applying a role like this:
Spell every verb exactly. The API server does not validate verb names, so a misspelling such as "pathch" is accepted without error and silently grants nothing; the developer then gets a confusing forbidden error when the dashboard tries to patch the object.
get/list/watch on secrets lets the developer read every Secret in dev, including the token Secrets of every other ServiceAccount in the namespace. Drop that rule unless the dashboard's secrets view is really needed.
The extensions API group is used here because the cluster runs Kubernetes 1.12. On 1.16 and later, deployments, replicasets and daemonsets are served only from apps, and ingresses moved to networking.k8s.io.
3.2 Allocate kubeapps permissions
kubectl apply -f https://raw.githubusercontent.com/kubeapps/kubeapps/master/docs/user/manifests/kubeapps-applications-read.yaml
kubectl create -n dev rolebinding dev-user1-view \
  --clusterrole=kubeapps-applications-read \
  --serviceaccount dev:dev-user1

export KUBEAPPS_NAMESPACE=kubeapps
kubectl apply -n $KUBEAPPS_NAMESPACE -f https://raw.githubusercontent.com/kubeapps/kubeapps/master/docs/user/manifests/kubeapps-repositories-read.yaml
kubectl create -n dev rolebinding dev-user1-edit \
  --clusterrole=edit \
  --serviceaccount dev:dev-user1
kubectl create -n $KUBEAPPS_NAMESPACE rolebinding dev1-user1-kubeapps-repositories-read \
  --role=kubeapps-repositories-read \
  --serviceaccount dev:dev-user1

The dev-user1-edit binding grants the built-in edit ClusterRole inside dev so that kubeapps can deploy charts there. Be aware of what that does to the fine-grained Role from 3.1: RBAC is purely additive, so with this binding in place dev-user1 holds everything edit allows (creating pods, pods/exec, reading and writing every Secret in dev) and role-dev-user1 no longer restricts anything. If the developer is meant to stay within role-dev-user1, bind that Role, or a narrower ClusterRole of your own, here instead of edit.
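To see what the Role in 3.1 and the kubeapps bindings in 3.2 actually grant without touching a cluster, here is an added example (not code from the article, from Kubernetes or from kubeapps): a small Python model of the RBAC authorizer's rule matching. ROLE_DEV_USER1 transcribes the Role manifest above with its original verb spelling; EDIT_SUBSET is an assumption, a handful of rules from the built-in edit ClusterRole, enough to show why binding edit widens the grant. The audit flags the misspelled verbs and the secrets read, and widened_by lists what the edit binding adds on top of the Role.

```python
"""Offline audit of the RBAC rules granted to dev-user1.

Added example, not code from the original article. ROLE_DEV_USER1 is
transcribed from the Role manifest in 3.1 (equivalent rules merged, verb
spelling kept); EDIT_SUBSET is an ASSUMPTION: a few rules of the built-in
"edit" ClusterRole, enough to show why the kubeapps binding in 3.2 widens the
grant. Dump the real one with: kubectl get clusterrole edit -o yaml
"""
from typing import Dict, List, Tuple

Rule = Dict[str, List[str]]
Probe = Tuple[str, str, str]  # (apiGroup, resource, verb); "" is the core group

# Verbs the RBAC authorizer matches on. The API server does not validate verb
# spelling, so anything outside this set is accepted and silently grants nothing.
KNOWN_VERBS = {"get", "list", "watch", "create", "update", "patch", "delete",
               "deletecollection", "proxy", "impersonate", "bind", "escalate", "use", "*"}

# (apiGroup, resource) pairs that hand out credentials or code execution.
SENSITIVE = {
    ("", "secrets"): "reads every Secret in the namespace, including other ServiceAccount tokens",
    ("", "pods/exec"): "runs commands inside any pod in the namespace",
    ("", "pods/attach"): "attaches to any container's stdio",
    ("", "serviceaccounts/token"): "mints tokens for any ServiceAccount in the namespace",
    ("rbac.authorization.k8s.io", "rolebindings"): "can grant further permissions",
}

RW = ["get", "list", "watch", "create", "update", "patch", "delete"]
RO = ["get", "watch", "list"]

ROLE_DEV_USER1: List[Rule] = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch", "delete", "update", "patch"]},
    {"apiGroups": [""], "resources": ["pods/portforward", "pods/proxy"], "verbs": RW},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "list", "watch", "delete"]},
    {"apiGroups": ["extensions", "apps"], "resources": ["deployments"], "verbs": RW},
    {"apiGroups": [""], "resources": ["namespaces", "events"], "verbs": RO},
    {"apiGroups": ["apps", "extensions"], "resources": ["replicasets"], "verbs": ["get", "watch", "list", "create", "update", "pathch", "delete"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "watch", "list", "create", "update", "pathch", "delete"]},
    {"apiGroups": [""], "resources": ["persistentvolumeclaims", "secrets"], "verbs": RO},
    {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "watch", "list", "create", "update", "pathch", "delete"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"], "verbs": RO},
    {"apiGroups": ["apps"], "resources": ["daemonsets", "statefulsets"], "verbs": RO},
    {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": RO},
    {"apiGroups": [""], "resources": ["replicationcontrollers", "endpoints"], "verbs": RO},
]

# ASSUMPTION: subset of the built-in "edit" ClusterRole (it is much larger).
EDIT_SUBSET: List[Rule] = [
    {"apiGroups": [""], "resources": ["pods", "pods/exec", "pods/attach"], "verbs": RW},
    {"apiGroups": [""], "resources": ["secrets", "configmaps"], "verbs": RW},
]

PROBES: List[Probe] = [
    ("", "pods", "create"), ("", "pods/exec", "create"), ("", "secrets", "get"),
    ("", "secrets", "create"), ("apps", "replicasets", "patch"),
]


def _match(wanted: str, allowed: List[str]) -> bool:
    return "*" in allowed or wanted in allowed


def can(rules: List[Rule], group: str, resource: str, verb: str) -> bool:
    """Mirror the authorizer: one rule covering the triple is enough, and rules
    from every binding the subject holds are simply concatenated."""
    return any(_match(group, r["apiGroups"]) and _match(resource, r["resources"])
               and _match(verb, r["verbs"]) for r in rules)


def widened_by(base: List[Rule], extra: List[Rule], probes: List[Probe]) -> List[Probe]:
    """Probes that are denied by base alone but allowed once extra is bound too."""
    return [p for p in probes if not can(base, *p) and can(base + extra, *p)]


def audit(rules: List[Rule]) -> List[str]:
    """Static findings a reviewer would raise on a rule list."""
    findings: List[str] = []
    for i, r in enumerate(rules):
        for v in r["verbs"]:
            if v not in KNOWN_VERBS:
                findings.append(f"rule {i}: unknown verb {v!r} on {r['resources']} "
                                "is accepted by the API server but grants nothing")
        if any("*" in r[k] for k in ("apiGroups", "resources", "verbs")):
            findings.append(f"rule {i}: wildcard grant")
        for g in r["apiGroups"]:
            for res in r["resources"]:
                if (g, res) in SENSITIVE:
                    findings.append(f"rule {i}: {g or 'core'}/{res} {sorted(r['verbs'])}: {SENSITIVE[(g, res)]}")
    return findings


if __name__ == "__main__":
    for line in audit(ROLE_DEV_USER1):
        print("finding:", line)
    for probe in widened_by(ROLE_DEV_USER1, EDIT_SUBSET, PROBES):
        print("added by binding edit:", probe)
```

On a live cluster the equivalent check is kubectl auth can-i <verb> <resource> -n dev --as=system:serviceaccount:dev:dev-user1, which evaluates every binding the account holds, the edit one included.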
Get the token:

kubectl get -n dev secret $(kubectl get -n dev serviceaccount dev-user1 -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}' | base64 --decode

This relies on the token Secret that older clusters create automatically for every ServiceAccount; such tokens never expire and remain valid until the Secret is deleted. From Kubernetes 1.24 on, no such Secret is created any more; request a time-limited token with kubectl create token dev-user1 -n dev instead.
3.3 Generating kubeconfig
Accessing kube-apiserver with the token

# Create a kubectl config file
# Set the cluster parameters
kubectl config set-cluster kubernetes \
  --insecure-skip-tls-verify=true \
  --server="https://192.168.105.99:8443"
# Set the client authentication parameters
kubectl config set-credentials dev-user1 \
  --token='<token obtained above>'
# Set the context parameters
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=dev-user1 \
  --namespace=dev
# Set the default context
kubectl config use-context kubernetes

--insecure-skip-tls-verify=true turns off verification of the API server's certificate, so the developer's kubectl will present the bearer token to anything that answers on the path to 192.168.105.99:8443. Outside a throwaway lab, pin the cluster CA instead: replace that flag with --certificate-authority=/path/to/ca.crt --embed-certs=true, which also makes the resulting config file self-contained.
Note
Pass --kubeconfig=configpath to each of the kubectl config commands above so that they write to a separate file instead of overwriting your own ~/.kube/config.
You can also write the file config directly with the following content.

apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://192.168.105.99:8443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: dev
    user: dev-user1
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: dev-user1
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZXYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiZGV2LXVzZXIxLXRva2VuLTJsbDlnIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZX291bnQubmFtZSI6ImRldi11c2VyMSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjdiY2Q4N2E1LWM0NGEtMTFlOC1iY2I5LTAwMGMyOWVhM2UzMCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZXY6ZGV2LXVzZXIxIn0.1M84CPHY-GoyeaRFyBcD49GTwG5o0HMhN8lVsH9GDiqdui-1ppyi3JMONRJ9aWdswEF7-wsb5d4MQEk-9z5yiVh2r8SMP0EhcUR5ierntzD1bwwwuYzDxE4vHAuPB1tTxM0fOL3H-BOjt68iBKmOtRJumx8LzSUleQiNBBqR1B_yRLqrO6yslw44WC432O5g1v

This file is a bearer credential: anyone who obtains it can act as dev-user1 until the token Secret is deleted. Hand it to the developer over a secure channel and never commit it to a repository.
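The steps in 3.3 can be done in a script that also catches the two mistakes that are easiest to make when handing a config to a developer: pasting a token that belongs to a different account, and leaving insecure-skip-tls-verify in the file. The following is an added example, not code from the article or from kubectl. It assumes only the values shown in 3.3; the token it uses is constructed (it has the claim layout of a legacy ServiceAccount token but a dummy signature) and the CA certificate is a placeholder string.

```python
"""Build and sanity-check a kubeconfig for a ServiceAccount token.

Added example, not code from the original article. It assumes only the values
shown in 3.3; the token it uses is CONSTRUCTED (its signature is a dummy) and
the CA certificate is a placeholder string, both labelled below.
"""
import base64
import json
from typing import Any, Dict, List


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def token_claims(token: str) -> Dict[str, Any]:
    """Return a JWT's claims WITHOUT verifying the signature. Only the API
    server can verify a ServiceAccount token; this is just for checking which
    account a token names before it is handed to a developer."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def make_example_token(namespace: str, name: str) -> str:
    """CONSTRUCTED, UNSIGNED token with the claim layout of a legacy
    Secret-based ServiceAccount token (the layout of the article's own token).
    A real one is RS256-signed by the controller manager's service-account key."""
    def enc(obj: Dict[str, Any]) -> str:
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    header = {"alg": "RS256", "kid": ""}
    payload = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": name,
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }
    return ".".join([enc(header), enc(payload), _b64url_encode(b"dummy-signature")])


def build_kubeconfig(server: str, ca_pem: bytes, token: str, namespace: str,
                     user: str, cluster: str = "kubernetes") -> Dict[str, Any]:
    """Same layout as the config in 3.3, but with the cluster CA embedded
    instead of insecure-skip-tls-verify, and the token checked against the
    account it is supposed to belong to."""
    sub = token_claims(token).get("sub", "")
    expected = f"system:serviceaccount:{namespace}:{user}"
    if sub != expected:
        raise ValueError(f"token subject {sub!r} is not {expected!r}")
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster, "cluster": {
            "server": server,
            # kubectl expects the PEM certificate base64-encoded in this field.
            "certificate-authority-data": base64.b64encode(ca_pem).decode(),
        }}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": cluster, "context": {
            "cluster": cluster, "user": user, "namespace": namespace}}],
        "current-context": cluster,
        "preferences": {},
    }


def audit_kubeconfig(cfg: Dict[str, Any]) -> List[str]:
    """Findings a reviewer would raise before handing a config to a developer."""
    findings: List[str] = []
    for entry in cfg.get("clusters", []):
        spec = entry.get("cluster", {})
        name = entry.get("name", "?")
        if spec.get("insecure-skip-tls-verify"):
            findings.append(f"cluster {name}: insecure-skip-tls-verify is set; the API server "
                            "is not authenticated and the bearer token can be intercepted")
        if not str(spec.get("server", "")).startswith("https://"):
            findings.append(f"cluster {name}: server URL is not https")
    return findings


if __name__ == "__main__":
    # Placeholder CA (not a real certificate); use the cluster's ca.crt in practice.
    ca = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    tok = make_example_token("dev", "dev-user1")
    cfg = build_kubeconfig("https://192.168.105.99:8443", ca, tok, "dev", "dev-user1")
    # JSON is valid YAML, so kubectl --kubeconfig reads the printed file as-is.
    print(json.dumps(cfg, indent=2))
    insecure = {"clusters": [{"name": "kubernetes", "cluster": {
        "server": "https://192.168.105.99:8443", "insecure-skip-tls-verify": True}}]}
    for finding in audit_kubeconfig(insecure):
        print("finding:", finding)
```

Decoding the claims is not verification: a tampered token decodes just as happily. The subject check only guards against pasting the wrong account's token into the file; whether the token is genuine is decided by the API server on the first request.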
4. Test and verification
Installing kubectl on Windows
Download the binary:
https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/windows/amd64/kubectl.exe
Then put it in a directory on the system PATH, such as C:\Windows.
The commands can be run from cmd, PowerShell or any other command-line tool; Git Bash is recommended if it is already installed.
kubeconfig file
The kubeconfig file is the config file generated in section 3.3.
Name it config and place it in the .kube directory under the user's home directory (~/.kube/config on Linux and macOS, %USERPROFILE%\.kube\config on Windows); kubectl reads that file by default. Otherwise every kubectl command has to be given the file explicitly with --kubeconfig=configpath.

kubectl get pod -n dev
kubectl port-forward svc/dev-mysql-mysqlha 3306:3306 -n dev

The first command checks that the token is accepted and that the Role grants list on pods; the second exercises the pods/portforward and services rules from 3.1. A forbidden error on either means the corresponding rule or binding is missing.