---
# Identity the Filebeat pods run as. The ClusterRoleBinding further down in
# this file grants it the "filebeat" ClusterRole, so every permission listed
# there applies to whatever workload references this ServiceAccount.
# A pod can only reference a ServiceAccount in its own namespace, so this
# must stay in the same namespace as the Filebeat DaemonSet/Deployment.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: filebeat
  namespace: logging
  labels:
    k8s-app: filebeat
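---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: filebeat
  labels:
    k8s-app: filebeat
# Cluster-wide, read-only permissions for the filebeat ServiceAccount.
# RBAC rules are purely additive, so the "pods" and "services" entries that
# previously appeared in two separate rules each have been folded into one
# rule; the set of effective permissions is unchanged.
rules:
  # Core resources used for Kubernetes metadata enrichment and autodiscover.
  # NOTE(review): "configmaps" and "events" grant read access to every
  # ConfigMap and Event in every namespace. The upstream Filebeat manifest
  # only needs namespaces/pods/nodes cluster-wide and scopes ConfigMap access
  # to its own namespace with a Role — confirm the inputs in use need these
  # before keeping them cluster-wide.
  - apiGroups: [""]
    resources:
      - nodes
      - namespaces
      - events
      - configmaps
      - pods
      - services
    verbs: ["get", "list", "watch"]

  # NOTE(review): pods/logs lets this ServiceAccount read any container's
  # logs in any namespace through the API server. Filebeat normally collects
  # container logs from the node filesystem (hostPath mount) rather than via
  # the API, so this subresource may be unnecessary — confirm.
  - apiGroups: [""]
    resources:
      - pods/logs
    verbs: ["get", "list", "watch"]

  # Kubelet stats subresource, single-object get only.
  - apiGroups: [""]
    resources:
      - nodes/stats
    verbs: ["get"]

  # Endpoints, single-object get only (no list/watch).
  - apiGroups: [""]
    resources:
      - endpoints
    verbs: ["get"]

  # Workload owners, used to resolve pod -> ReplicaSet -> Deployment /
  # StatefulSet metadata.
  - apiGroups: ["apps"]
    resources:
      - statefulsets
      - deployments
      - replicasets
    verbs: ["get", "list", "watch"]

  # Legacy "extensions" API group. ReplicaSets live under "apps" and the
  # extensions group was removed in Kubernetes 1.16; this rule is kept so
  # behaviour on older clusters is unchanged, and it matches nothing on
  # current clusters.
  - apiGroups: ["extensions"]
    resources:
      - replicasets
    verbs: ["get", "list", "watch"]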
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: filebeat
# Attaches the "filebeat" ClusterRole to the "filebeat" ServiceAccount in the
# "logging" namespace. Because this is a ClusterRoleBinding rather than a
# RoleBinding, the role's rules take effect in every namespace, not only in
# "logging".
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: filebeat
subjects:
  - namespace: logging
    kind: ServiceAccount
    name: filebeat