Read only kubernetes user

11/28/2018

I'm trying to create a read only user. I want the user to be able to list nodes and pods and view the dashboard. I got the certs created and can connect but I'm getting the following error.

$ kubectl --context minikube-ro get pods --all-namespaces
Error from server (Forbidden): pods is forbidden: User "erst-operation" cannot list pods at the cluster scope

My cluster role...

$ cat helm/namespace-core/templates/pod-reader-cluster-role.yaml 
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: '*'
  name: pod-reader
rules:
- apiGroups: ["extensions", "apps"]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

My cluster role binding...

$ cat helm/namespace-core/templates/pod-reader-role-binding.yaml 
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
  - kind: User
    name: erst-operation
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

I'm aware the above shouldn't grant permissions to see the dashboard but how do I get it to just list the pods?

-- user672009
kubernetes

1 Answer

11/28/2018

You cluster role should contain Core group as resource pods are in Core group.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: '*'
  name: pod-reader
rules:
- apiGroups: ["extensions", "apps", ""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
-- nightfury1204
Source: StackOverflow