1

my kubernetes dashboard is running successfully and its showing all the namespaces which are available in kubernetes cluster.

Example:- Available Namespaces:- A, B , C , D , E

Now I want to remove/restrict one namespace(say D) from the kubernetes dashboard. How it will be possible.

Used helm to deploy kubernetes dashboard, Below is the link of repo.

https://github.com/kubernetes/dashboard/tree/master/aio/deploy/helm-chart/kubernetes-dashboard


dashboard version:- v2.0.0-rc7 
kubernetes version :- 1.17

OR

Is it possible to mask some environment variable(showing in dashboard) which is having sensitive data , then I will keep my namespace as it is.

Gaurav Agnihotri
  • 163
  • 1
  • 2
  • 7
  • Check if this helps you https://stackoverflow.com/questions/45915402/restricted-kubernetes-dashboard – lkamal Oct 28 '20 at 11:04
  • this wont work for me, my dashboard is already readonly, I just want to remove a namespace from dashboard or can we mask some environment variable which is having sensitive data , then i will keep my namespace as it is. – Gaurav Agnihotri Oct 28 '20 at 11:28

2 Answers2

0

FWIW, I don't think this is going to be possible with the base Kubernetes dashboard setup. The reason is that Kubernetes RBAC doesn't allow for the concept of having GET access to some but not all resources of a given type (AFAIK).

So when it lists the available namespaces, it'll need to have GET on the namespace resource, but there's no concept of GET "all the namespaces apart from this one"

With correct RBAC, you might be able to stop it seeing anything past the namespace name but I'd guess that's not going to be part of the default manifests.

One option you might be able to look at, is deploying a separate instance of kubernetes dashboard in each namespace and giving users rights to those separate instances. There's some examples of that here.

Another thing, if you're looking for visualisation of cluster resources, could be to look at something like octant which operates client-side using the users kubeconfig file.

Rory McCune
  • 1,371
  • 10
  • 17
0

This is not possible.

There is no such flag or evironment variable that I know of nor could find in documentation.

The only possible way to restrict access would be by specific RBAC rules, but you need to remember that these are additive only. You cannot remove access to resources, you can only add rules. You would need to create a user that has a Role in every namespace except for namespace 'D' and then accessing the dashboard as this user you would be disallowed access to the namespace D since you did not allowed it in the first place.

That is all you can do.

Matt
  • 7,419
  • 1
  • 11
  • 22