0

I have a custom role related to a specific namespace. I want to create a service account that will have access to the Dashboard and only be able to see this namespace assigned to that role.

I have tried the following:

apiVersion: v1
kind: Namespace
metadata:
  name: namespace-green
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: green
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-green
  namespace: namespace-green
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: testDashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-green
subjects:
- kind: ServiceAccount
  name: green
  namespace: kubernetes-dashboard

I retrieved the token with the following command:

kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep green | awk '{print $1}')

When I log in to the Dashboard I see only the default namespace, although I have assigned the new namespace to that role.

I am not able to figure out how to view the resources of the new namespace only; based on the permissions of the role, the service account should have limited access.

Thanos
  • How are you configuring the dashboard to use the new serviceaccount "green"? – RAMNEEK GUPTA Dec 18 '20 at 15:23
  • @RAMNEEKGUPTA I do not really understand what you mean sorry. Can you explain a bit more? :) – Thanos Dec 18 '20 at 15:24
  • I mean, you have created a new service account and a new role, and have bound them together so that the serviceaccount gets the permissions associated with the role. I am asking how you are now telling the dashboard to use the new service account? – RAMNEEK GUPTA Dec 18 '20 at 15:29
  • I thought that this is happening through the role binding no? I have noticed that I am missing the namespace on the RoleBinding let me add it. I have tried it with the namespace and also fails. – Thanos Dec 18 '20 at 15:39

1 Answer

1

You don't need to create a new role. You can just create a RoleBinding to the 'edit' clusterrole with the new service account you have created and it will work as you expect it to. Also the access will be limited to just one namespace - kubernetes-dashboard

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: testDashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- kind: ServiceAccount
  name: green
  namespace: kubernetes-dashboard

After that you can use the same old token to test.

RAMNEEK GUPTA
  • Unfortunately it does not work :( I can still only see the default namespace although the namespace exists. – Thanos Dec 18 '20 at 17:00
  • I just cleared all the old configurations and I can confirm this configuration works, but it does not work the way that I want to have it. The user now does not have full access but he can modify any namespace instead of only one as I desire. Any idea on how to restrict to one namespace? – Thanos Dec 22 '20 at 10:25
  • Hi @Thanos, yes you are right. The edit clusterRole will give edit permissions to only your namespace and read permissions on the full cluster. To restrict to just one namespace, create a role like the one you created originally and update the rolebinding to refer to that new role instead of the clusterrole edit. – RAMNEEK GUPTA Dec 22 '20 at 15:19
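
The last comment's suggestion, written out as an added example (not from the original posts): a namespaced Role plus a RoleBinding placed in the same namespace as that Role, using the names from the question. The read-only rule set is an assumption chosen to illustrate limited access; the question's own Role used wildcards on the core API group only.

```yaml
# Added example, not part of the original question or answer.
# A roleRef of kind Role is resolved in the RoleBinding's own namespace,
# so the binding must live in namespace-green, next to role-green.
# The subject (the service account) may sit in a different namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-green
  namespace: namespace-green
rules:
# Assumption: read-only access; widen verbs/resources only as needed.
- apiGroups: [""]                   # core group: pods, services, ...
  resources: ["pods", "pods/log", "services", "configmaps"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]               # deployments are not in the core group
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: testDashboard
  namespace: namespace-green        # the question used kubernetes-dashboard here
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-green
subjects:
- kind: ServiceAccount
  name: green
  namespace: kubernetes-dashboard
# To check the effective scope, impersonate the service account and compare
# the bound namespace against any other namespace:
#   kubectl auth can-i list pods -n namespace-green \
#     --as=system:serviceaccount:kubernetes-dashboard:green
#   kubectl auth can-i list pods -n default \
#     --as=system:serviceaccount:kubernetes-dashboard:green
```

Remove the earlier RoleBinding to the `edit` ClusterRole before testing, otherwise its permissions still apply to the same service account.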