【Question title】: nginx setup in kubernetes with RBAC enabled
【Posted】: 2018-06-27 16:02:21
【Question】:

Since Kubernetes v1.6, RBAC authorization is enabled by default. This means the deployment/configuration I made for v1.5 no longer works.

One of the key components I need to grant access to is nginx; otherwise messages like the following show up in the log:

F0425 15:08:07.246596       1 main.go:116] no service with name kube-system/default-http-backend found: the server does not allow access to the requested resource (get services default-http-backend)

【Question discussion】:

    Tags: nginx kubernetes rbac


    【Solution 1】:

    Updated: kubernetes/nginx has updated the documentation here, with the details on RBAC here.

    Old:

    To support RBAC we need to do two things:

    • define the ServiceAccount/ClusterRole/ClusterRoleBinding
    • set the serviceAccount on the nginx deployment

    Here are the files I used to set it up:

    nginx-roles.yml

    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: nginx
      namespace: kube-system
    ---
    kind: ClusterRole
    # rbac.authorization.k8s.io/v1beta1 in the original; v1 has existed since
    # Kubernetes 1.8 and v1beta1 was removed in 1.22.
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: nginx-role
    rules:
    # The controller only reads these objects. The original also listed the
    # verbs proxy, use and redirect: "use" applies to podsecuritypolicies,
    # "proxy" is not needed to read a Service, and "redirect" is not a verb
    # the API server derives from requests, so none of them is useful here.
    - apiGroups: [""]
      resources: ["secrets", "configmaps", "services", "endpoints"]
      verbs:
        - get
        - watch
        - list
    # Events are recorded with "create" and "patch". The original listed
    # "post" and "redirect"; RBAC does not validate verb strings, so that
    # applies without error and only fails when the controller tries to
    # record an Event.
    - apiGroups: [""]
      resources: ["events"]
      verbs:
        - create
        - patch
    - apiGroups:
        - "extensions"
      resources:
        - "ingresses"
      verbs:
        - get
        - watch
        - list
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: nginx-role
    # Cluster-wide grant: the nginx ServiceAccount can read Secrets in every
    # namespace, which an ingress controller terminating TLS needs.
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: nginx-role
    subjects:
    - kind: ServiceAccount
      name: nginx
      namespace: kube-system
    

    nginx-ingress-controller.yml (uses nodeSelector: kubecluster-amd-1 and the default-http-backend service)

    # extensions/v1beta1 in the original; that Deployment API was removed in
    # Kubernetes 1.16, and apps/v1 additionally requires spec.selector.
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-ingress-controller
      labels:
        k8s-app: nginx-ingress-controller
      namespace: kube-system
    spec:
      replicas: 1
      selector:
        matchLabels:
          k8s-app: nginx-ingress-controller
      template:
        metadata:
          labels:
            k8s-app: nginx-ingress-controller
        spec:
          # The ServiceAccount created in nginx-roles.yml; its token is what
          # the ClusterRoleBinding grants permissions to. The original used
          # the deprecated `serviceAccount` field name.
          serviceAccountName: nginx
          # hostNetwork plus hostPort bind the node's own interfaces, so the
          # pod is pinned to a single node with the nodeSelector below.
          hostNetwork: true
          nodeSelector:
            kubernetes.io/hostname: kubecluster-amd-1
          terminationGracePeriodSeconds: 60
          containers:
          - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.4
            name: nginx-ingress-controller
            readinessProbe:
              httpGet:
                path: /healthz
                port: 10254
                scheme: HTTP
            livenessProbe:
              httpGet:
                path: /healthz
                port: 10254
                scheme: HTTP
              initialDelaySeconds: 20
              timeoutSeconds: 1
            ports:
            - containerPort: 80
              hostPort: 80
            - containerPort: 443
              hostPort: 443
            - containerPort: 5683
              hostPort: 5683
              protocol: UDP
            - containerPort: 5684
              hostPort: 5684
              protocol: UDP
            - containerPort: 53
              hostPort: 53
              protocol: UDP
            env:
              - name: POD_NAME
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.name
              - name: POD_NAMESPACE
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.namespace
            args:
            - /nginx-ingress-controller
            # Namespace comes from the downward API, so the same manifest
            # works wherever the default backend Service is deployed.
            - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
    
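The permission model the answer relies on can be checked offline before anything is applied to a cluster. The script below is an added example; it is not part of the original answer and not code from the ingress controller project. It transcribes the ClusterRole rules as they were first posted in the answer (with the verbs post and redirect) into Python, evaluates them the way the RBAC authorizer does (the request's API group, resource and verb must each match an entry of one rule, or the "*" wildcard), parses the forbidden message from the question's log line to see whether the role would allow that request, and flags verbs the API server never derives from a request. RBAC accepts any verb string at apply time, so a typo such as "post" (the HTTP method; the RBAC verb for creating an Event is "create") only surfaces as a 403 at run time. The log line and rules are copied from this page; KNOWN_VERBS is my list of request verbs, and the "post" to "create" rewrite in normalize_rules is an assumption about the author's intent.

```python
import re
from copy import deepcopy

# Verbs the Kubernetes API server derives from REST requests, plus the
# subresource verbs and the wildcard (my list, not from the page). RBAC
# does not validate verbs at apply time, so a rule may list anything, but
# a verb outside this set can never match a real request.
KNOWN_VERBS = {
    "get", "list", "watch", "create", "update", "patch", "delete",
    "deletecollection", "proxy", "use", "bind", "escalate", "impersonate",
    "approve", "sign", "*",
}

# Transcribed from the ClusterRole "nginx-role" as first posted in the answer.
NGINX_ROLE_RULES = [
    {"apiGroups": [""],
     "resources": ["secrets", "configmaps", "services", "endpoints"],
     "verbs": ["get", "watch", "list", "proxy", "use", "redirect"]},
    {"apiGroups": [""],
     "resources": ["events"],
     "verbs": ["redirect", "patch", "post"]},
    {"apiGroups": ["extensions"],
     "resources": ["ingresses"],
     "verbs": ["get", "watch", "list", "proxy", "use", "redirect"]},
]

# The log line from the question, copied verbatim so it can be parsed.
FORBIDDEN_LOG_LINE = (
    "F0425 15:08:07.246596       1 main.go:116] no service with name "
    "kube-system/default-http-backend found: the server does not allow access "
    "to the requested resource (get services default-http-backend)"
)

# Matches the "(verb resource name)" suffix the client library appends to
# the API server's forbidden response in the log line above.
_FORBIDDEN_RE = re.compile(r"\((\w+) (\S+) (\S+)\)\s*$")


def parse_forbidden(line):
    """Return (verb, resource, name) from a forbidden log message, or None."""
    m = _FORBIDDEN_RE.search(line)
    return m.groups() if m else None


def _matches(allowed, wanted):
    return "*" in allowed or wanted in allowed


def rule_allows(rule, verb, resource, api_group=""):
    """True when one PolicyRule covers the (group, resource, verb) triple.

    Mirrors the RBAC authorizer: every field must match independently, and
    the core API group is the empty string.
    """
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def can_i(rules, verb, resource, api_group=""):
    """Offline equivalent of `kubectl auth can-i VERB RESOURCE` for one role."""
    return any(rule_allows(r, verb, resource, api_group) for r in rules)


def unknown_verbs(rules):
    """Verbs listed in the role that no API request will ever carry."""
    return sorted({v for r in rules for v in r.get("verbs", [])
                   if v not in KNOWN_VERBS})


def normalize_rules(rules):
    """Copy of the rules with 'post' rewritten to 'create' and unknown verbs dropped.

    Mapping 'post' to 'create' is an assumption about intent: the controller
    records Events, and creating an Event is the 'create' verb.
    """
    fixed = deepcopy(rules)
    for rule in fixed:
        verbs = ["create" if v == "post" else v for v in rule.get("verbs", [])]
        rule["verbs"] = sorted({v for v in verbs if v in KNOWN_VERBS})
    return fixed


def check_role_against_log(rules, line):
    """Would the role have prevented the logged 403? Returns (triple, allowed)."""
    triple = parse_forbidden(line)
    if triple is None:
        return None, False
    verb, resource, _name = triple
    return triple, can_i(rules, verb, resource)


if __name__ == "__main__":
    triple, ok = check_role_against_log(NGINX_ROLE_RULES, FORBIDDEN_LOG_LINE)
    print(f"logged 403 was for {triple}; role allows it: {ok}")
    print("verbs that never match a request:", unknown_verbs(NGINX_ROLE_RULES))
    print("events create allowed as posted:", can_i(NGINX_ROLE_RULES, "create", "events"))
    fixed = normalize_rules(NGINX_ROLE_RULES)
    print("events create allowed after normalize:", can_i(fixed, "create", "events"))
```

Run stand-alone it reports that the posted role does allow `get services`, so the logged 403 disappears once the Deployment actually runs under the `nginx` ServiceAccount, and that `create events` is still denied until "post" becomes "create". Against a live cluster the same questions are answered by `kubectl auth can-i get services --as=system:serviceaccount:kube-system:nginx`, which also accounts for every other binding the ServiceAccount has.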

    【Discussion】:
