I want to allow non-admin users to use the Kubernetes Dashboard to view the K8 objects in their namespaces. As cluster-admin, I have no issues connecting to the Kubernetes Dashboard using kubectl proxy. When I first attempted to access it with an application service account with read-only access to their entire namespace, I received the error below:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:serviceaccount:ops-jenkins-lab:k8-dashboard-ops-jenkins-lab\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"kubernetes-dashboard\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}
I added additional RBAC roles to allow the application service account access to services and services/proxy in the kubernetes-dashboard namespace. Now I get the following error:
Forbidden (403): Http failure response for http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/api/v1/login: 403 Forbidden
If I create an ingress for the dashboard I can connect without issue to the Kubernetes Dashboard using the same application service account and have access to view all the kubernetes objects within the namespace (once I switch from default to the correct namespace). I'd actually prefer to use the ingress, but for some reason once I connect to the Kubernetes Dashboard via a browser it hijacks the ingress for all my other applications. No matter which ingress I try to connect to, it automatically redirects me to the Kubernetes Dashboard. I have to clear all browser data to connect to other applications.
RBAC clusterrole and rolebinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
  name: k8-dashboard
rules:
  - apiGroups:
      - extensions
      - apps
    resources:
      - '*'
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - jobs
      - cronjobs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - '*'
    resources:
      - persistentvolumeclaims
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - '*'
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - '*'
    resources:
      - events
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - '*'
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - '*'
    verbs:
      - patch
  - apiGroups:
      - apps
    resources:
      - deployments/scale
    verbs:
      - update
  - apiGroups:
      - ""
    resources:
      - pods/attach
      - pods/exec
      - pods/log
      - pods/status
      - pods/delete
    verbs:
      - '*'
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - delete
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - get
      - delete
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
  labels:
    subjectName: k8-dashboard-sa
  name: k8-dashboard-ops-jenkins-lab
  namespace: ops-jenkins-lab
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k8-dashboard
subjects:
  - kind: ServiceAccount
    name: k8-dashboard-ops-jenkins-lab
    namespace: ops-jenkins-lab
So this leaves me with needing to connect to the Kubernetes Dashboard using kubectl proxy. I'm certain there's additional RBAC required when using kubectl proxy as a non-admin user; however, I have yet to figure it out. Any suggestions?
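As an added example (not the question author's manifests), here is a namespace-scoped Role plus RoleBinding that grants only what the apiserver checks on the kubectl proxy path, kept separate from the ClusterRole above that governs what the dashboard shows after login. Two facts drive it: the apiserver derives the RBAC verb for a proxied request from its HTTP method (GET becomes get, POST becomes create, PUT update, PATCH patch, DELETE delete), and the resource name it authorizes is the exact scheme-prefixed string from the first error's details field. The Role name, binding name and the inclusion of the create verb are this example's own choices; that create is what the POST to /api/v1/login in the second error needs is an inference from that method mapping, not something the question confirms.

```yaml
# Added example: least-privilege access to the dashboard Service through
# the apiserver proxy. Names "dashboard-proxy-access" and
# "dashboard-proxy-access-ops-jenkins-lab" are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dashboard-proxy-access
  namespace: kubernetes-dashboard   # must live in the Service's namespace
rules:
  - apiGroups: [""]
    resources: ["services/proxy"]
    # resourceNames pins the rule to the dashboard Service only. The
    # scheme-prefixed form is the name the proxy URL carries and is the
    # exact value reported under "details.name" in the 403 above; the
    # bare name covers the http:kubernetes-dashboard form as well.
    resourceNames: ["https:kubernetes-dashboard:", "kubernetes-dashboard"]
    # Verb follows the proxied request's HTTP method. Loading the UI is
    # GET traffic (get); the login form POSTs to /api/v1/login (create).
    # Nothing here grants update/patch/delete through the proxy.
    verbs: ["get", "create"]
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["kubernetes-dashboard"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dashboard-proxy-access-ops-jenkins-lab
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dashboard-proxy-access
subjects:
  # Subject is the service account from the question, which lives in a
  # different namespace than the Role; that is allowed for a RoleBinding.
  - kind: ServiceAccount
    name: k8-dashboard-ops-jenkins-lab
    namespace: ops-jenkins-lab
```

Because the rules use resourceNames, a check without a name returns "no", so verify with the name included, for example `kubectl auth can-i create services/https:kubernetes-dashboard: --subresource=proxy -n kubernetes-dashboard --as=system:serviceaccount:ops-jenkins-lab:k8-dashboard-ops-jenkins-lab` (and the same with get). This Role only opens the proxy path; what the dashboard itself is allowed to list in ops-jenkins-lab is still decided by the token pasted at login and the ClusterRole/RoleBinding shown in the question, so the two grants can be reviewed and revoked independently.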