
I have access to only one namespace inside the cluster and that too is restricted.

`kind: Role`, `kind: ClusterRole`, `kind: RoleBinding` and `kind: ClusterRoleBinding` are forbidden to me. So I'm not able to create the Kubernetes dashboard as per the recommended YAML.

How to get around this?

ss301

1 Answer


It's not possible to achieve it unless you ask someone with enough rights to create the objects you can't for you.

Here is a sample manifest used to apply the dashboard to a cluster. As you can see you have to be able to manage Role, ClusterRole, RoleBinding and ClusterRoleBinding to apply it.

So it's impossible to create it with the rights you have as they are essential in this case.

Here is the part affected by lack of your rights:

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
  # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
```

Mark Watney
  • Is it possible for the admin to create these objects for our namespace separately, and I can work on the dashboard YAML separately? – ss301 Apr 06 '20 at 13:02
  • By default it's deployed on `namespace: kubernetes-dashboard`; you can customize it and deploy it in your namespace so you have full access once it's deployed. – Mark Watney Apr 06 '20 at 13:57
  • Thanks, so can I deploy the dashboard without using these restricted objects, like RoleBinding, if I am pointing it to my namespace? – ss301 Apr 06 '20 at 14:19
  • No, what I said in my answer is still true no matter what namespace you are using. You still need someone to create the Roles for you as you don't have rights to do it. – Mark Watney Apr 06 '20 at 14:23
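
Following the exchange above, this added example (not part of the original answer or of the Dashboard project) splits a multi-document manifest into the RBAC objects that must be handed to someone with rights to create them and the remaining objects. `split_manifest`, `field`, `RBAC_SCOPE` and the trimmed `SAMPLE` manifest are constructed for illustration; the regex-based parsing assumes the plain block-style YAML used in the manifest shown in the answer.

```python
import re

# Scope of each RBAC kind in the manifest (fixed by Kubernetes).
RBAC_SCOPE = {"Role": "namespaced", "RoleBinding": "namespaced",
              "ClusterRole": "cluster", "ClusterRoleBinding": "cluster"}
# Constructed sample: trimmed objects, named as in the dashboard manifest.
SAMPLE = """\
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-dashboard
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules: []
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
"""

def field(doc, pattern):
    m = re.search(pattern, doc, re.MULTILINE)
    return m.group(1) if m else None

def split_manifest(text):
    """Return (admin_docs, user_docs, summary); RBAC objects go to the admin."""
    admin, user, summary = [], [], []
    for doc in re.split(r"^---[ \t]*$", text, flags=re.MULTILINE):
        # Column-0 match only, so nested keys such as roleRef.kind are ignored.
        kind = field(doc, r"^kind:[ \t]*(\w+)")
        name = field(doc, r"^metadata:\n(?:[ \t].*\n)*?  name:[ \t]*(\S+)")
        if kind in RBAC_SCOPE:
            admin.append(doc.strip())
            summary.append((kind, name, RBAC_SCOPE[kind]))
        elif kind:
            user.append(doc.strip())
    return admin, user, summary

if __name__ == "__main__":
    print(split_manifest(SAMPLE)[2])
```

Entries marked `cluster` in the summary are cluster-scoped objects, so they cannot be created from within a single namespace regardless of which namespace the rest of the manifest targets.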