# Rancher: Creating a Read-Only Administrator Role

* A read-only administrator can access every resource in every cluster

## Implementation

1. Import the following two YAML manifests into the `local` cluster

```yaml
# Cluster-scoped RoleTemplate that the global role below inherits.
# Note that it grants read access to Secrets in every cluster.
apiVersion: management.cattle.io/v3
builtin: false
context: cluster
description: ''
displayName: View Cluster Resources for Readonly Admin
external: false
hidden: true
kind: RoleTemplate
metadata:
  name: cluster-readonly-view
rules:
- apiGroups:
  - ''
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - catalog.cattle.io
  resources:
  - clusterrepos
  - apps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resourceNames:
  - local
  resources:
  - clusters
  verbs:
  - get
```

```yaml
# GlobalRole assigned to the read-only administrator.
# Every rule is get/list/watch except preferences, which allows all verbs ('*').
apiVersion: management.cattle.io/v3
builtin: false
displayName: Read-Only Administrator
inheritedClusterRoles:
- projects-view
- nodes-view
- cluster-readonly-view
kind: GlobalRole
metadata:
  name: global-read-only
rules:
- apiGroups:
  - management.cattle.io
  resources:
  - projectroletemplatebindings
  - clusterroletemplatebindings
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - globalroles
  - globalrolebindings
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - project.cattle.io
  resources:
  - apps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - project.cattle.io
  resources:
  - apprevisions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - nodes
  - nodepools
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - roletemplates
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - clusterevents
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - notifiers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - notificationtemplates
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - projectalertgroups
  - projectalertrules
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - projectloggings
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - clusteralertgroups
  - clusteralertrules
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - clustercatalogs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - projectcatalogs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - projectmonitorgraphs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - catalogtemplates
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - catalogtemplateversions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - projects
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - clusters
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - principals
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - users
  - userattribute
  - groups
  - groupmembers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - clusterloggings
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - clustermonitorgraphs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - preferences
  verbs:
  - '*'
- apiGroups:
  - management.cattle.io
  resources:
  - settings
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - features
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - templates
  - templateversions
  - catalogs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - nodedrivers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - kontainerdrivers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - operatorsettings
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - podsecuritypolicytemplates
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - nodetemplates
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - multiclusterapps
  - globaldnses
  - globaldnsproviders
  - clustertemplaterevisions
  - clustertemplates
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - rkek8ssystemimages
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - rkek8sserviceoptions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - rkeaddons
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - cisconfigs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - cisbenchmarkversions
  - clusterscans
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - management.cattle.io
  resources:
  - etcdbackups
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - catalog.cattle.io
  resources:
  - clusterrepos
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - provisioning.cattle.io
  resources:
  - clusters
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ''
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - '*'
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
```

2. Create a new user

![image](https://hackmd.io/_uploads/By5n5Nobkx.png)

3. Select only `Read-Only Administrator` as the user's permission

![image](https://hackmd.io/_uploads/HJ3ojNiWyl.png)

4. Log in to Rancher; every cluster is now read-only for this user

![image](https://hackmd.io/_uploads/rk_l3Eo-yx.png)
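Before binding the role to anyone it is worth auditing what the rules above actually grant: `preferences` allows every verb (`'*'`) and `secrets` are readable in every API group, so the role is not strictly read-only. The audit script below is added here and is not part of the original note; its rule list is a constructed subset of the GlobalRole above, embedded as Python dicts so it runs without PyYAML.

```python
"""Audit a Rancher GlobalRole / RoleTemplate rule list for anything that is
not strictly read-only.  Example code added to this note; SAMPLE_RULES is a
constructed subset of the global-read-only rules, kept as Python dicts."""

READ_ONLY_VERBS = {"get", "list", "watch"}
# Resources whose *read* access already hands out credential material.
SENSITIVE_READ = {"secrets"}

# Constructed subset of the rules from the global-read-only GlobalRole above.
SAMPLE_RULES = [
    {"apiGroups": ["management.cattle.io"],
     "resources": ["clusters"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["management.cattle.io"],
     "resources": ["preferences"], "verbs": ["*"]},
    {"apiGroups": ["*"],
     "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
]


def audit_rules(rules):
    """Return (rule_index, reason) findings for rules that are not purely
    get/list/watch, that read credential material, or that use wildcards."""
    findings = []
    for i, rule in enumerate(rules):
        verbs = set(rule.get("verbs", []))
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        extra = verbs - READ_ONLY_VERBS          # '*' or any write verb
        if extra:
            findings.append((i, "non-read verbs %s on %s"
                             % (sorted(extra), sorted(resources))))
        if resources & SENSITIVE_READ and verbs & READ_ONLY_VERBS:
            scope = "all API groups" if "*" in groups else ", ".join(sorted(groups))
            findings.append((i, "secrets readable in %s" % scope))
        if "*" in resources:
            findings.append((i, "wildcard resources"))
    return findings


def is_strictly_read_only(rules):
    """True only when every verb in every rule is get, list or watch."""
    return all(set(r.get("verbs", [])) <= READ_ONLY_VERBS for r in rules)


if __name__ == "__main__":
    for idx, reason in audit_rules(SAMPLE_RULES):
        print("rule[%d]: %s" % (idx, reason))
```

To audit the full manifest, load the `rules:` list of the GlobalRole with a YAML parser and pass it to `audit_rules` in place of `SAMPLE_RULES`.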