K
Q

RBAC For kubernetes Dashboard

11/3/2018

I have a User "A". I have namespaces X,Y,Z. I have created a RBAC user role and role binding for user "A" who has access to Namespace "X".

I wanted to give the user "A" access to kubernetes dashboard (which is a role and role binding for Kube-System). But when I give the access for dashboard, user "A" is able to see all the namespaces.

But I want him to see only namespace X which he has access).

How could I go about this?

-- krishna m
azure-aks
google-kubernetes-engine
kubectl
kubernetes

Similar Questions

Remote access to HDFS on Kubernetes
Do logs get saved on Google Kubernetes
Hyperledger fabric Kubernetes chaincode instantiation fails
Kubernetes NodePort - Ufw/Iptables ignored?
Operator-SDK and NewController function
Postgres Running in Kubernetes - Limit Network Bandwidth
Google Cloud Kubernetes GCE_STOCKOUT
Kubernetes redirect on pod with python
Does a Pod use the k8s API Server to fetch spec declarations?
GKE NEG Readiness Gate Failing with Windows Containers and Readiness Probe
Not able to access file shared with init container
Cert-Manager Certificate creation stuck at Created new CertificateRequest resource
Run Kubernetes/Openshift cronjob with container user id

1 Answer

11/4/2018

What's the version of your Dashboard? As far as I know, from 1.7 on, Dashboard has used more secure setup, It means, that by default it has the minimal set of privileges, that are required to make Dashboard work.

Anyway, you can check the privileges of the sa that used by Dashboard, make sure it has the minimal privileges, like this:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

Then, create RBAC rules to give the full privileges for namespace X to A:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: user-A-admin
  namespace: X
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: A

Make sure user A doesn't have any other RBAC rules.

-- Kun Li
Source: StackOverflow