I deployed an HA K8s cluster with 3 masters and 2 worker nodes. I access my K8s Dashboard through a local kubectl client, using kubectl proxy. My K8s Dashboard is accessed with tokens by some RBAC users, who have limited access on namespaces, and by cluster admin users. I want to give anonymous access to all my users for viewing the deployment logs, i.e., access to the Kibana Dashboard (add-on). Can anyone help me with this?

Below, I specified the required artifacts that are running on my cluster with their versions:

  • K8s version: 1.8.0

  • kibana: 5.6.4

  • elasticsearch-logging : 5.6.4

francescalus
manoj kumar

1 Answer

You can try creating a ClusterRoleBinding for some specific users. In my case, I am using LDAP authentication for accessing the Kubernetes API. I have assigned admin privileges to some users and readonly access to some specific users. Refer to the ClusterRoleBinding yaml below:

    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: oidc-readonly-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:aggregate-to-view
    subjects:
    - kind: User
      name: https://dex.domain.com/dex#user1@domain.com

I am using the dex tool for LDAP authentication. You can try giving the RBAC username directly.

  • What does this ClusterRole do? Will it give read-only access to both the K8s Dashboard & the Kibana dashboard (deployment logs)? – manoj kumar Aug 13 '18 at 07:19
  • A ClusterRole contains rules that represent a set of permissions. Here, I have provided an already existing role. You can check the permissions using the command: "kubectl get clusterrole/system:aggregate-to-view -o yaml". This Role will provide readonly access to the full cluster. You can restrict the access to specific resources by creating a new ClusterRole according to your requirements. Refer to the link here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ – priyanka sharma Aug 13 '18 at 07:59
  • I'm aware of RBAC. My cluster users are categorized into admin access in a namespace, view access in a namespace, overall cluster view access and overall cluster admin access. So, the users who are privileged with cluster admin access are strong enough to see/edit/delete the K8s Dashboard & Kibana Dashboard. But the other user categories can use their privilege only in the K8s Dashboard, not in the Kibana Dashboard. So, I want to give anonymous access to all users, irrespective of their privileges, to the Kibana Dashboard in order to view the logs of their respective pod deployments for easy debugging. – manoj kumar Aug 13 '18 at 09:49
  • Overall, what I want is an anonymous clusterrole to view the Kibana Dashboard which does not disturb the K8s Dashboard user privileges. If I apply the above code to all users then I'll get read-only access to both the K8s and Kibana Dashboards. – manoj kumar Aug 13 '18 at 09:50
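
The comment above about restricting access to specific resources with a new role, shown as an added example that is not part of the original thread: a namespaced Role that allows only proxying to the Kibana Service through the API server, bound to all authenticated users so existing Dashboard privileges are untouched. It assumes the add-on Service is named `kibana-logging` in `kube-system` and is reached via `kubectl proxy`; the Role and RoleBinding names are hypothetical.

```yaml
# Added example, not from the thread. Assumed: Service "kibana-logging" in
# kube-system, reached at
#   /api/v1/namespaces/kube-system/services/kibana-logging/proxy/
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kibana-proxy-viewer            # hypothetical name
  namespace: kube-system
rules:
- apiGroups: [""]
  resources: ["services/proxy"]        # only the proxy subresource, not the Service object
  # RBAC compares resourceNames with the name segment exactly as it appears
  # in the request URL, so list every form users will actually type.
  resourceNames: ["kibana-logging", "http:kibana-logging:"]
  # GET maps to "get"; Kibana's search requests are POSTs, which map to "create".
  verbs: ["get", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kibana-proxy-viewer-binding    # hypothetical name
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kibana-proxy-viewer
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  # Every user who presents a valid credential. Binding to
  # system:unauthenticated instead would open Kibana to anyone who can
  # reach the API server.
  name: system:authenticated
```

This only controls who can reach the Service through the API server; it does not filter what Kibana displays, so unless Kibana or Elasticsearch enforce their own access control, these users can read logs from every namespace that is indexed.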