Error while accessing Web UI Dashboard using RBAC

1/8/2018

I created a cluster role "try-usr"

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: try-usr
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
```

While accessing the Web UI (Dashboard), it's throwing an error as follows:

```json
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"xyz\" cannot get services/proxy in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}
```

-- manoj kumar
kubernetes
rbac

1 Answer

1/8/2018

Depending on the Kubernetes version, the dashboard will require different permissions, according to the docs:

v1.7

  • create and watch permissions for secrets in kube-system namespace required to create and watch for changes of kubernetes-dashboard-key-holder secret.
  • get, update and delete permissions for secrets named kubernetes-dashboard-key-holder and kubernetes-dashboard-certs in kube-system namespace.
  • proxy permission to heapster service in kube-system namespace required to allow getting metrics from heapster.

v1.8

  • create permission for secrets in kube-system namespace required to create kubernetes-dashboard-key-holder secret.
  • get, update and delete permissions for secrets named kubernetes-dashboard-key-holder and kubernetes-dashboard-certs in kube-system namespace.
  • get and update permissions for config map named kubernetes-dashboard-settings in kube-system namespace.
  • proxy permission to heapster service in kube-system namespace required to allow getting metrics from heapster.
-- Jose Armesto
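
Added example, not part of the original question or answer and not Kubernetes' own code: a simplified model of how RBAC matches the request named in the 403 (`get` on `services/proxy` for user `xyz` in `kube-system`) against rules such as `try-usr`. The class and function names are hypothetical, and the bindings passed to `authorize` are assumptions, since the question shows a ClusterRole but no binding.

```python
# Simplified model of Kubernetes RBAC rule matching (added example, not Kubernetes code).
from dataclasses import dataclass

@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: tuple = ()  # empty means any object name

@dataclass
class Binding:  # hypothetical: binds a user to rules
    user: str
    rules: list
    namespace: str = ""  # "" models a ClusterRoleBinding, otherwise a RoleBinding

@dataclass
class Request:
    user: str
    verb: str
    group: str
    resource: str
    subresource: str
    name: str
    namespace: str

def rule_allows(rule, req):
    # A subresource is matched as "resource/subresource", "*/subresource" or "*".
    combined = req.resource + ("/" + req.subresource if req.subresource else "")
    resource_ok = any(
        r in ("*", combined) or (req.subresource and r == "*/" + req.subresource)
        for r in rule.resources)
    return bool(resource_ok
            and any(v in ("*", req.verb) for v in rule.verbs)
            and any(g in ("*", req.group) for g in rule.api_groups)
            and (not rule.resource_names or req.name in rule.resource_names))

def authorize(bindings, req):
    """Deny by default; allow only if a binding for this user carries a matching rule."""
    return any(
        b.user == req.user and b.namespace in ("", req.namespace)
        and any(rule_allows(rule, req) for rule in b.rules)
        for b in bindings)

# Constructed from the page: the try-usr rule and the request named in the 403.
TRY_USR = [Rule(["*"], ["*"], ["get", "list", "watch"])]
DASHBOARD_GET = Request("xyz", "get", "", "services", "proxy",
                        "https:kubernetes-dashboard:", "kube-system")
```

On a live cluster, `kubectl auth can-i get services --subresource=proxy --as xyz -n kube-system` asks the API server the same question.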
Source: StackOverflow