Error while accessing Kibana UI using RBAC

10/12/2018

I have a cluster which is accessed by the users (developers) with the help of these 3 UIs (K8s Dashboard, Kibana & Grafana).

FYI, Kibana & Grafana are add-ons to the cluster.

I want every user, other than ADMIN, to have read-only access to the Kibana Logging UI, i.e., to view the logs. So, I want to create an RBAC role. The role shouldn't change the user permissions in other UIs. It should only be reflected in the Kibana UI.

The user "xyz" is bound to the below ClusterRoles & Roles:

In order to view the K8s Dashboard:

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: kube-system
  name: user-role-dashboard
rules:
- apiGroups: ["*"]
  resources:
  - services
  verbs: ["get", "list", "watch"]
- apiGroups: ["*"]
  resources:
  - services/proxy
  verbs: ["get", "list", "watch", "create"]
```

In order to view the list of namespaces in the K8s Dashboard:

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ns-view-clusterrole
rules:
- apiGroups:
  - "*"
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
```

The user is set to have admin privileges within the namespace (K8s Dashboard):

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: ns
  name: ns-admin-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
```

Can anyone help me with how to create a role which gives read-only privileges to the Kibana Dashboard?

Below is the error I'm facing, as the user "xyz" is not able to view the Kibana UI:

```json
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "services \"kibana-logging\" is forbidden: User \"xyz\" cannot proxy services in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "kibana-logging",
    "kind": "services"
  },
  "code": 403
}
```

Updated

Pods deployed on my Cluster

```
$ kubectl get pods
NAME                                    READY   STATUS    RESTARTS   AGE
elasticsearch-logging-0                 1/1     Running   6          239d
elasticsearch-logging-1                 1/1     Running   2          239d
fluentd-es-v2.0.2-5jmss                 1/1     Running   7          232d
fluentd-es-v2.0.2-tcgb6                 1/1     Running   5          239d
heapster-588bcd669c-qz2f8               1/1     Running   3          239d
kibana-logging-5fd7fcf8c-72grf          1/1     Running   3          239d
kube-dns-9c5fccf5c-b98px                3/3     Running   9          239d
kubernetes-dashboard-7f9755578c-kb9n6   1/1     Running   3          239d
monitoring-grafana-794779fc5b-rr2lx     1/1     Running   3          239d
monitoring-influxdb-67c5b7dbd6-xrplj    1/1     Running   3          239d
```

Thanks

-- manoj kumar
kibana
kubernetes

0 Answers
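
An added example, not part of the original question and not Kubernetes code: a simplified Python model of RBAC rule matching, run against the Roles posted above for the request named in the 403 (verb `proxy`, resource `services`, name `kibana-logging`, namespace `kube-system`). The `KIBANA_PROXY_ONLY` rule and all helper names are constructed for illustration, and the model covers only whether the API server authorizes reaching the service, not what a user can do inside Kibana.

```python
# Simplified model of Kubernetes RBAC rule matching (added example, not
# Kubernetes source). Role contents are copied from the question above.

def _match(allowed, value):
    return "*" in allowed or value in allowed

def rule_allows(rule, verb, group, resource, name):
    """True if a single RBAC rule covers the request attributes."""
    if not _match(rule["verbs"], verb):
        return False
    if not _match(rule["apiGroups"], group):
        return False
    if not _match(rule["resources"], resource):  # "services" != "services/proxy"
        return False
    names = rule.get("resourceNames", [])
    return not names or name in names  # empty list means any object name

def authorize(roles, namespace, verb, group, resource, name):
    """RBAC is additive: allow if any rule of any Role in `namespace` matches."""
    return any(
        rule_allows(rule, verb, group, resource, name)
        for role in roles if role["namespace"] == namespace
        for rule in role["rules"]
    )

USER_ROLE_DASHBOARD = {
    "namespace": "kube-system",
    "rules": [
        {"apiGroups": ["*"], "resources": ["services"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["*"], "resources": ["services/proxy"], "verbs": ["get", "list", "watch", "create"]},
    ],
}
NS_ADMIN_ROLE = {
    "namespace": "ns",
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
# Constructed candidate rule (hypothetical): the verb and resource named in the
# 403, pinned to the single Service object with resourceNames.
KIBANA_PROXY_ONLY = {
    "namespace": "kube-system",
    "rules": [{"apiGroups": [""], "resources": ["services"],
               "resourceNames": ["kibana-logging"], "verbs": ["proxy"]}],
}

def can(roles, verb, resource, name, namespace="kube-system"):
    """Check a request in the core API group ("") against the given Roles."""
    return authorize(roles, namespace, verb, "", resource, name)
```

With only the posted Roles, `can(..., "proxy", "services", "kibana-logging")` is denied because no rule in `kube-system` lists the `proxy` verb, and the wildcard `ns-admin-role` does not apply outside namespace `ns`.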