Hi everyone, I want to restrict my developers so that they can see only the required resources on the Kubernetes dashboard (for example, only their namespace, not all the namespaces). Is it possible to do that? If yes, can someone point me to the right documents? Many thanks.
I am using the below RBAC for the kube-system namespace. However, the user is able to see all the namespaces on the dashboard rather than seeing only the namespaces he has access to.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: kube-system
  name: dashboard-reader-role
rules:
- apiGroups: [""]
  resources: ["service/proxy"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dashboard-reader-ad-group-rolebinding
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dashboard-reader-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: "****************"
Please see the k8s RBAC documentation:
Example: create a developer role in the development namespace:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 was removed in Kubernetes 1.22
metadata:
  namespace: development
  name: developer
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["list", "get", "watch"]
  # You can use ["*"] for all verbs
Then bind it:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 was removed in Kubernetes 1.22
metadata:
  name: developer-role-binding
  namespace: development
subjects:
- kind: User
  name: DevDan
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
Also, there is a built-in view-only role that you can bind to a user:
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings
C02W84XMHTD5:~ iahmad$ kubectl get clusterroles --all-namespaces | grep view
system:aggregate-to-view 17d
view 17d
But this is a cluster-wide view role; if you want them to see only the stuff in a specific namespace, then create a view role in that namespace and bind it, as in the example above.
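To confirm that the Role and RoleBinding above confine DevDan to the development namespace, this added example (not part of the original answer) impersonates the user with `kubectl auth can-i`. The expected yes/no table is an assumption about the intended policy, and the script name in the usage comment is hypothetical.

```bash
#!/usr/bin/env bash
# Added example: audit a namespace-scoped developer with `kubectl auth can-i`.
# DevDan and development come from the answer above, kube-system from the
# question; the list of checks is an assumption about the intended policy.
KUBECTL="${KUBECTL:-kubectl}"   # overridable so the logic can be tested with a stub

# can_i USER VERB RESOURCE [NAMESPACE] -> prints "yes" or "no".
# Impersonation (--as) requires the caller to hold the "impersonate" verb,
# which cluster-admin does.
can_i() {
  if [ -n "${4:-}" ]; then
    _out=$("$KUBECTL" auth can-i "$2" "$3" --as "$1" --namespace "$4" 2>/dev/null </dev/null || true)
  else
    _out=$("$KUBECTL" auth can-i "$2" "$3" --as "$1" 2>/dev/null </dev/null || true)
  fi
  # kubectl prints "yes", or "no" optionally followed by a reason
  case "$_out" in yes*) echo yes ;; *) echo no ;; esac
}

# audit_scope USER OWN_NS OTHER_NS -> exit status 0 only if every check matches.
audit_scope() {
  _failures=0
  # Each line: expected answer, verb, resource, namespace (blank = cluster scope)
  while read -r _expected _verb _resource _ns; do
    _got=$(can_i "$1" "$_verb" "$_resource" "$_ns")
    if [ "$_got" != "$_expected" ]; then
      echo "MISMATCH: $1 $_verb $_resource in ${_ns:-<cluster>}: expected $_expected, got $_got" >&2
      _failures=$((_failures + 1))
    fi
  done <<EOF
yes list pods $2
yes get deployments $2
no delete pods $2
no list secrets $2
no list pods $3
no list namespaces
EOF
  [ "$_failures" -eq 0 ]
}

# Run only when invoked with arguments, e.g.:
#   ./audit-scope.sh DevDan development kube-system
if [ "$#" -eq 3 ]; then
  audit_scope "$@" && echo "scoping OK"
fi
```

A mismatch on one of the `no` lines means some other binding, such as a ClusterRoleBinding, grants the user more than the namespaced Role does.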