mirror of
https://github.com/kubesphere/website.git
synced 2025-12-31 19:12:49 +00:00
Translation ‘QuickStartCreate:Workspace, Project, Account and Role’ chapter, from en version to zh-cn
This commit is contained in:
siu
parent
3c3a3369f2
commit
e6be27ecbc
|
|
@ -1,252 +1,254 @@
|
|||
---
|
||||
title: "Create Workspace, Project, Account and Role"
|
||||
title: "创建工作区、项目、帐户和角色"
|
||||
keywords: 'KubeSphere, Kubernetes, Multi-tenant, Workspace, Account, Role, Project'
|
||||
description: 'Create Workspace, Project, Account and Role'
|
||||
|
||||
linkTitle: "Create Workspace, Project, Account and Role"
|
||||
linkTitle: "创建工作区、项目、帐户和角色"
|
||||
weight: 3030
|
||||
---
|
||||
|
||||
|
||||
## Objective
|
||||
## 目标
|
||||
|
||||
This guide demonstrates how to create roles and user accounts which are required for the following tutorials. Meanwhile, you will learn how to create projects and DevOps projects within your workspace where your workloads are running. After this tutorial, you will become familiar with KubeSphere multi-tenant management system.
|
||||
本指南演示如何创建以下教程所需的角色和用户帐户。同时,您将学习如何在工作负载运行的工作区中创建项目和 DevOps 工程。本教程之后,您将熟悉 KubeSphere 多租户管理系统。
|
||||
|
||||
## Prerequisites
|
||||
## 先决条件
|
||||
|
||||
KubeSphere needs to be installed in your machine.
|
||||
KubeSphere 需要安装在您的计算机中。
|
||||
|
||||
## Estimated Time
|
||||
## 估计时间
|
||||
|
||||
About 15 minutes.
|
||||
大约15分钟。
|
||||
|
||||
## Architecture
|
||||
## 架构
|
||||
|
||||
The multi-tenant system of KubeSphere features **three** levels of hierarchical structure which are cluster, workspace and project. A project in KubeSphere is a Kubernetes namespace.
|
||||
KubeSphere 的多租户系统具有**群集**、**工作区**和**项目**三个层次的层次结构。KubeSphere 中的项目是 Kubernetes 命名空间。
|
||||
|
||||
You can create multiple workspaces within a Kubernetes cluster. Under each workspace, you can also create multiple projects.
|
||||
您可以在 Kubernetes 集群中创建多个工作区。在每个工作区下,您还可以创建多个项目。
|
||||
|
||||
Each level has multiple built-in roles. Besides, KubeSphere allows you to create roles with customized authorization as well. The KubeSphere hierarchy is applicable for enterprise users with different teams or groups, and different roles within each team.
|
||||
每个级别都有多个内置角色。此外,KubeSphere 还允许您使用自定义授权创建角色。KubeSphere 层次结构适用于具有不同团队或组以及每个团队中不同角色的企业用户。
|
||||
|
||||
## Hands-on Lab
|
||||
## 动手实验
|
||||
|
||||
### Task 1: Create an Account
|
||||
### 任务 1:创建帐户
|
||||
|
||||
After KubeSphere is installed, you need to add different users with varied roles to the platform so that they can work at different levels on various resources. Initially, you only have one default account, which is admin, granted the role `platform-admin`. In the first task, you will create an account `user-manager` and further create more accounts as `user-manager`.
|
||||
安装 KubeSphere 之后,您需要向平台添加具有不同角色的不同用户,以便他们可以在各种资源上以不同级别工作。 最初,您只有一个默认帐户 admin ,被授予角色`platform-admin`。 在第一个任务中,您将创建一个帐户` user-manager`,并进一步创建更多像`user-manager`的账户。
|
||||
|
||||
1. Log in the web console as `admin` with the default account and password (`admin/P@88w0rd`).
|
||||
1. 使用默认帐户和密码(admin/P@88w0rd)以`admin`身份登录Web控制台。
|
||||
|
||||
{{< notice tip >}}
|
||||
|
||||
For account security, it is highly recommended that you change your password the first time you log in the console. To change your password, select **User Settings** in the drop-down menu in the top-right corner. In **Password Setting**, set a new password.
|
||||
为了帐户安全,强烈建议您在首次登录控制台时更改密码。 要更改密码,请在右上角的下拉菜单中选择**用户设置**。 在**密码设置**中,设置一个新密码。
|
||||
|
||||
{{</ notice >}}
|
||||
|
||||
2. After you log in the console, click **Platform** in the top-left corner and select **Access Control**.
|
||||
2. 登录控制台后,单击左上角的**平台管理**,然后选择**访问控制**。
|
||||
|
||||
|
||||
|
||||
In **Account Roles**, there are four available built-in roles as shown below. The account to be created next will be assigned the role `users-manager`.
|
||||
在**帐户角色**中,有四个可用的内置角色,如下所示。 接下来要创建的帐户将被分配为`users-manager`角色。
|
||||
|
||||
| Built-in Roles | Description |
|
||||
| 内置角色 | 描述 |
|
||||
| ------------------ | ------------------------------------------------------------ |
|
||||
| workspaces-manager | Workspace manager in the platform who manages all workspaces in the platform. |
|
||||
| users-manager | User manager in the platform who manages all users. |
|
||||
| platform-regular | Normal user in the platform who has no access to any resources before joining a workspace or cluster. |
|
||||
| platform-admin | Platform administrator who can manage all resources in the platform. |
|
||||
| workspaces-manager | 平台企业空间管理员,管理平台所有企业空间。 |
|
||||
| users-manager | 平台用户管理员,管理平台所有用户。 |
|
||||
| platform-regular | 平台普通用户,在被邀请加入企业空间或集群之前没有任何资源操作权限。 |
|
||||
| platform-admin | 平台管理员,可以管理平台内的所有资源。 |
|
||||
|
||||
{{< notice note >}}
|
||||
|
||||
Built-in roles are created automatically by KubeSphere and cannot be edited or deleted.
|
||||
内置角色由 KubeSphere 自动创建,无法编辑或删除。
|
||||
|
||||
{{</ notice >}}
|
||||
|
||||
3. In **Accounts**, click **Create**. In the pop-up window, provide all the necessary information (marked with *) and select `users-manager` for **Role**. Refer to the image below as an example.
|
||||
3. 在**账户管理**中,点击**创建**。 在弹出窗口中,提供所有必需的信息(带有*标记),然后为**角色**选择`users-manager`。 请参考下图作为示例。
|
||||
|
||||
|
||||
|
||||
Click **OK** after you finish. A newly-created account will display in the account list in **Accounts**.
|
||||
完成后,单击**确定**。 新创建的帐户将显示在**帐户管理**中的帐户列表中。
|
||||
|
||||
4. Log out of the console and log back in with the account `user-manager` to create four accounts that will be used in the following tutorials.
|
||||
4. 注销登录,退出控制台,然后使用`user-manager`帐户重新登录,创建四个帐户,这些帐户将在以下教程中使用。
|
||||
|
||||
{{< notice tip >}}
|
||||
|
||||
To log out, click your username in the top-right corner and select **Log Out**.
|
||||
要注销,请单击右上角的用户名,然后选择**登出**。
|
||||
|
||||
{{</ notice >}}
|
||||
|
||||
For detailed information about the four accounts you need to create, refer to the table below.
|
||||
有关您需要创建的四个帐户的详细信息,请参阅下表。
|
||||
|
||||
| Account | Role | Description |
|
||||
| 账户名 | 角色 | 描述信息 |
|
||||
| --------------- | ------------------ | ------------------------------------------------------------ |
|
||||
| ws-manager | workspaces-manager | Create and manage all workspaces. |
|
||||
| ws-admin | platform-regular | Manage all resources in a specified workspace (This account is used to invite new members to a workspace in this example). |
|
||||
| project-admin | platform-regular | Create and manage projects and DevOps projects, and invite new members into the projects. |
|
||||
| project-regular | platform-regular | `project-regular` will be invited to a project or DevOps project by `project-admin`. This account will be used to create workloads, pipelines and other resources in a specified project. |
|
||||
| ws-manager | workspaces-manager | 创建和管理所有工作区。 |
|
||||
| ws-admin | platform-regular | 管理指定工作空间中的所有资源(在此示例中,此帐户用于邀请新成员加入工作空间)。 |
|
||||
| project-admin | platform-regular | 创建和管理项目以及 DevOps 项目,并邀请新成员加入项目。 |
|
||||
| project-regular | platform-regular | `project-regular`将被` project-admin`邀请到一个项目或 DevOps 项目。 该帐户将用于在指定项目中创建工作负载,pipelines 和其他资源。 |
|
||||
|
||||
5. Verify the four accounts created.
|
||||
5. 验证创建的四个帐户。
|
||||
|
||||
|
||||
|
||||
### Task 2: Create a Workspace
|
||||
### 任务2:创建工作区
|
||||
|
||||
In this task, you need to create a workspace using the account `ws-manager` created in the previous task. As the basic logic unit for the management of projects, DevOps projects and organization members, workspaces underpin multi-tenant system of KubeSphere.
|
||||
在此任务中,您需要使用上一个任务中创建的帐户`ws-manager`创建一个工作空间。 作为项目,DevOps项目和组织成员的基本管理逻辑单元,工作区是 KubeSphere 多租户系统的基础。
|
||||
|
||||
1. Log in KubeSphere as `ws-manager` which has the authorization to manage all workspaces on the platform. Click **Platform** in the top-left corner. In **Workspaces**, you can see there is only one default workspace **system-workspace** listed, where system-related components and services run. You are not allowed to delete this workspace.
|
||||
1. 以`ws-manager`身份登录 KubeSphere ,它具有管理平台上所有工作区的权限。 点击左上角的**平台管理**。 在**工作空间**中,您可以看到仅列出了一个默认工作空间,其中**system-workspace**在其中运行与系统相关的组件和服务。 您不允许删除该工作空间。
|
||||
|
||||
|
||||
|
||||
2. Click **Create** on the right, name the new workspace `demo-workspace` and set the user `ws-admin` as the workspace manager shown in the screenshot below:
|
||||
2. 单击右侧的**创建**,将新工作空间命名为`demo-workspace`,并将用户`ws-admin`设置为工作空间管理员,如下图所示:
|
||||
|
||||
|
||||
|
||||
Click **Create** after you finish.
|
||||
完成后,单击**创建**。
|
||||
|
||||
3. Log out of the console and log back in as `ws-admin`. In **Workspace Settings**, select **Workspace Members** and click **Invite Member**.
|
||||
3. 登出控制台,然后以`ws-admin`身份重新登录。 在**企业空间设置**中,选择**企业成员**,然后单击**邀请成员**。
|
||||
|
||||
|
||||
|
||||
4. Invite both `project-admin` and `project-regular` to the workspace. Grant them the role `workspace-self-provisioner` and `workspace-viewer` respectively.
|
||||
4. 邀请`project-admin`和`project-regular`进入工作区。 分别授予他们`self-provisioner`和 `workspace-viewer`角色。
|
||||
|
||||
{{< notice note >}}
|
||||
|
||||
The actual role name follows a naming convention: `workspace name-role name`. For example, in this workspace named `demo`, the actual role name of the role `workspace-viewer` is `demo-workspace-viewer`.
|
||||
实际的角色名称遵循命名约定:`workspace name-role name`。 例如,在名为`demo`的工作空间中,角色` workspace-viewer`的实际角色名称是`demo-workspace-viewer`。
|
||||
|
||||
{{</ notice >}}
|
||||
|
||||
|
||||
|
||||
5. After you add both `project-admin` and `project-regular` to the workspace, click **OK**. In **Workspace Members**, you can see three members listed.
|
||||
5. 将`project-admin`和`project-regular`都添加到工作区后,单击**确定**。 在**企业成员**中,您可以看到列出的三个成员。
|
||||
|
||||
| Account | Role | Description |
|
||||
| 账户名 | 角色 | 描述信息 |
|
||||
| --------------- | -------------------------- | ------------------------------------------------------------ |
|
||||
| ws-admin | workspace-admin | Manage all resources under the workspace (We use this account to invite new members to the workspace). |
|
||||
| project-admin | workspace-self-provisioner | Create and manage projects and DevOps projects, and invite new members to join the projects. |
|
||||
| project-regular | workspace-viewer | `project-regular` will be invited by `project-admin` to join a project or DevOps project. The account can be used to create workloads, pipelines, etc. |
|
||||
| ws-admin | workspace-admin | 管理指定工作空间中的所有资源(在此示例中,此帐户用于邀请新成员加入工作空间)。 |
|
||||
| project-admin | workspace-self-provisioner | 创建和管理项目以及 DevOps 工程,并邀请新成员加入项目。 |
|
||||
| project-regular | workspace-viewer | `project-regular`将被` project-admin`邀请到一个项目或 DevOps 工程。 该帐户将用于在指定项目中创建工作负载,pipelines 和其他资源。 |
|
||||
|
||||
### Task 3: Create a Project
|
||||
### 任务3:创建一个项目
|
||||
|
||||
In this task, you need to create a project using the account `project-admin` created in the previous task. A project in KubeSphere is the same as a namespace in Kubernetes, which provides virtual isolation for resources. For more information, see [Namespaces](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/).
|
||||
在此任务中,您需要使用在上一个任务中创建的帐户`project-admin`来创建项目。 KubeSphere 中的项目与Kubernetes 中的名称空间相同,后者为资源提供了虚拟隔离。 有关更多信息,请参见[命名空间](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/)。
|
||||
|
||||
1. Log in KubeSphere as `project-admin`. In **Projects**, click **Create**.
|
||||
1. 以`project-admin`身份登录 KubeSphere 。 在**项目管理**中,单击**创建**。
|
||||
|
||||
|
||||
|
||||
2. Enter the project name (e.g. `demo-project`) and click **OK** to finish. You can also add an alias and description for the project.
|
||||
2. 输入项目名称(例如`demo-project`),然后点击**确定**以完成。 您还可以为项目添加别名和描述。
|
||||
|
||||
|
||||
|
||||
3. In **Projects**, click the project created just now to view its detailed information.
|
||||
3. 在**项目管理**中,单击刚刚创建的项目以查看其详细信息。
|
||||
|
||||
|
||||
|
||||
4. In the overview page of the project, the project quota remains unset by default. You can click **Set** and specify resource requests and limits based on your needs (e.g. 1 core for CPU and 1000Gi for memory).
|
||||
4. 在项目的概述页面中,默认情况下未设置项目配额。 您可以单击**设置**并根据需要指定资源请求和限制(例如:1个CPU内核和1000Gi内存)。
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
5. Invite `project-regular` to this project and grant this user the role `operator`. Please refer to the image below for specific steps.
|
||||
5. 邀请`project-regular`参与该项目,并授予该用户`operator`角色。 请参考下图以了解具体步骤。
|
||||
|
||||
|
||||
|
||||
{{< notice info >}}
|
||||
|
||||
The user granted the role `operator` will be a project maintainer who can manage resources other than users and roles in the project.
|
||||
被授予角色 `operator`的用户将是项目维护者,他可以管理项目中用户和角色以外的资源。
|
||||
|
||||
{{</ notice >}}
|
||||
|
||||
#### Set Gateway
|
||||
#### 设置网关
|
||||
|
||||
Before creating a route, you need to enable a gateway for this project. The gateway is an [NGINX Ingress controller](https://github.com/kubernetes/ingress-nginx) running in the project.
|
||||
在创建路由之前,您需要为该项目启用网关。 网关是在项目中运行的 [NGINX Ingress 控制器](https://github.com/kubernetes/ingress-nginx)。
|
||||
|
||||
{{< notice info >}}
|
||||
|
||||
A route refers to Ingress in Kubernetes, which is an API object that manages external access to the services in a cluster, typically HTTP.
|
||||
路由是指 Kubernetes 中的 Ingress ,这是一个 API 对象,用于管理对集群中服务(通常是 HTTP )的外部访问。
|
||||
|
||||
{{</ notice >}}
|
||||
|
||||
6. To set a gateway, go to **Advanced Settings** in **Project Settings** and click **Set Gateway**. The account `project-admin` is still used in this step.
|
||||
6. 要设置网关,请转到**项目设置**中的**高级设置**,然后单击**设置网关**。 此步骤中仍使用帐户`project-admin`。
|
||||
|
||||
|
||||
|
||||
7. Choose the access method **NodePort** and click **Save**.
|
||||
7. 选择访问方式 **NodePort** ,然后单击**保存**。
|
||||
|
||||
|
||||
|
||||
8. Under **Internet Access**, it can be seen that the Gateway Address and the NodePort of http and https all display in the page.
|
||||
8. 在**外网访问**下,可以在页面上看到网关地址和 http/https 的端口。
|
||||
|
||||
{{< notice note >}}
|
||||
|
||||
If you want to expose services using the type `LoadBalancer`, you need to use the [LoadBalancer plugin of cloud providers](https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/). If your Kubernetes cluster is running in a bare metal environment, it is recommended you use [Porter](https://github.com/kubesphere/porter) as the LoadBalancer plugin.
|
||||
如果要使用`LoadBalancer`暴露服务,则需要使用[云提供商的 LoadBalancer 插件](https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/)。 如果您的 Kubernetes 集群在裸机环境中运行,建议您使用 [Porter](https://github.com/kubesphere/porter) 作为 LoadBalancer 插件。
|
||||
|
||||
{{</ notice >}}
|
||||
|
||||
|
||||
|
||||
### Task 4: Create a Role
|
||||
### 任务4:创建角色
|
||||
|
||||
After you finish the above tasks, you know that users can be granted different roles at different levels. The roles used in previous tasks are all built-in ones created by KubeSphere itself. In this task, you will learn how to define a role yourself to meet the needs in your work.
|
||||
完成上述任务后,您将知道可以为不同级别的用户授予不同角色。 先前任务中使用的角色都是 KubeSphere 本身创建的内置角色。 在此任务中,您将学习如何自己定义角色以满足工作需求。
|
||||
|
||||
1. Log in the console as `admin` again and go to **Access Control**.
|
||||
2. In **Account Roles**, there are four system roles listed which cannot be deleted or edited. Click **Create** and set a **Role Identifier**. In this example, a role named `roles-manager` will be created.
|
||||
1. 再次以`admin`身份登录控制台,然后转到**访问控制**。
|
||||
2. 在**帐户角色**中,列出了四个无法删除或编辑的系统角色。 点击**创建**并设置**角色标识符**。 在这个例子中,将创建一个名为`roles-manager`的角色。
|
||||
|
||||
|
||||
|
||||
{{< notice note >}}
|
||||
|
||||
It is recommended you enter a description for the role as it explains what the role is used for. The role created here will be responsible for role management only, including adding and deleting roles.
|
||||
建议您输入角色说明,以说明角色的用途。 此处创建的角色将仅负责角色管理,包括添加和删除角色。
|
||||
|
||||
{{</ notice >}}
|
||||
|
||||
Click **Edit Authorization** to continue.
|
||||
点击**编辑权限**以继续。
|
||||
|
||||
3. In **Access Control**, select the authorization that you want the user granted this role to have. For example, **Users View**, **Roles Management** and **Roles View** are selected for this role. Click **OK** to finish.
|
||||
3. 在**访问控制**中,选择您希望授予该角色的用户所拥有的授权。 例如,为此角色选择了**用户查看**,**角色管理**和**角色查看**。 单击**确定**完成。
|
||||
|
||||
|
||||
|
||||
{{< notice note >}}
|
||||
|
||||
**Depend on** means the major authorization (the one listed after **Depend on**) needs to be selected first so that the affiliated authorization can be assigned.
|
||||
**依赖于**意味着需要首先选择主要授权(在**依赖于**之后列出的授权),以便可以分配附属授权。
|
||||
|
||||
{{</ notice >}}
|
||||
|
||||
4. Newly-created roles will be listed in **Account Roles**. You can click the three dots on the right to edit it.
|
||||
4. 新创建的角色将列在**帐户角色**中。 您可以单击右侧的三个点对其进行编辑。
|
||||
|
||||
|
||||
|
||||
5. In **Accounts**, you can add a new account and grant it the role `roles-manager` or change the role of an existing account to `roles-manager` by editing it.
|
||||
5. 在**账户管理**中,您可以添加一个新帐户并将其授予角色角色`roles-manager`,也可以通过编辑将现有帐户的角色更改为`roles-manager`。
|
||||
|
||||
|
||||
|
||||
{{< notice note >}}
|
||||
|
||||
The role of `roles-manager` overlaps with `users-manager` while the latter is also capable of user management. This example is only for demonstration purpose. You can create customized roles based on your needs.
|
||||
`roles-manager`的角色与`users-manager`重叠,而后者也可以进行用户管理。 本示例仅用于演示目的。 您可以根据需要创建自定义角色。
|
||||
|
||||
{{</ notice >}}
|
||||
|
||||
### Task 5: Create a DevOps Project (Optional)
|
||||
### 任务5:创建一个 DevOps 工程(可选)
|
||||
|
||||
{{< notice note >}}
|
||||
|
||||
To create a DevOps project, you need to install KubeSphere DevOps system in advance, which is a pluggable component providing CI/CD pipelines, Binary-to-image, Source-to-image features, and more. For more information about how to enable DevOps, see [KubeSphere DevOps System](../../pluggable-components/devops/).
|
||||
要创建 DevOps 工程,您需要预先安装KubeSphere DevOps系统,该系统是可插入的组件,提供 CI/CD pipelines,二进制到镜像,源码到镜像功能等。 有关如何启用DevOps的更多信息,请参见 [KubeSphere DevOps System](../../pluggable-components/devops/)。
|
||||
|
||||
{{</ notice >}}
|
||||
|
||||
1. Log in the console as `project-admin` for this task. In **DevOps Projects**, click **Create**.
|
||||
1. 以`project-admin`身份登录控制台以完成此任务。 在 **DevOps 工程**中,单击**创建**。
|
||||
|
||||
|
||||
|
||||
2. Enter the DevOps project name (e.g. `demo-devops`) and click **OK**. You can also add an alias and description for the project.
|
||||
2. 输入 DevOps 工程名称(例如`demo-devops`),然后点击**确定**。 您还可以为项目添加别名和描述。
|
||||
|
||||
|
||||
|
||||
3. In **DevOps Projects**, click the project created just now to view its detailed information.
|
||||
3. 在 **DevOps 工程**中,单击刚创建的工程以查看其详细信息。
|
||||
|
||||
|
||||
|
||||
4. Go to **Project Management** and select **Project Members**. Click **Invite Member** to grant `project-regular` the role of `operator`, who is allowed to create pipelines and credentials.
|
||||
4. 转到**工程管理**,然后选择**工程成员**。 单击**邀请成员**以授予`project-regular` `operator`的角色,该操作员可以创建 pipelines 和凭证。
|
||||
|
||||
|
||||
|
||||
Congratulations! You are now familiar with the multi-tenant management system of KubeSphere. In the next several tutorials, the account `project-regular` will also be used to demonstrate how to create applications and resources in a project or DevOps project.
|
||||
|
||||
|
||||
恭喜你!您现在已经熟悉 KubeSphere 的多租户管理系统。 在接下来的几篇教程中,`project-regular`帐户还将用于演示如何在项目或 DevOps 工程中创建应用程序和资源。
|
||||
Loading…
Reference in New Issue