Creating a cluster-wide readonly user in Kubernetes using RBAC for Grafana

9/26/2019

I'm trying to provision a user so that Grafana is able to monitor my cluster's resources. I've followed the Bitnami guide here. And implemented the steps as an Ansible playbook found here.

Here is the ClusterRole that the user uses and here is how it is bound to the user.

However, despite this, Grafana throws this error when I configure it with the generated certificates.

Furthermore, if I attempt to run any command with the user context, it says I'm unauthorized.

> kubectl --context=grafana-prometheus-scraper get pods -n grafana
error: You must be logged in to the server (Unauthorized)

Any ideas?

-- TJ Zimmerman
ansible
certificate
grafana
kubernetes
rbac

2 Answers

9/26/2019

There is no user object in Kubernetes. Create a service account and update the same in the ClusterRoleBinding.

subjects:
    - kind: User
      name: grafana-prometheus-scraper
-- P Ekambaram
Source: StackOverflow

9/26/2019

This is how your ServiceAccount, ClusterRole and ClusterRoleBinding should look.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: grafana-prometheus-scraper
  # Stated explicitly so the binding below can name the same namespace;
  # without it the account is created in the current context's namespace.
  namespace: default

---

apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 was removed in Kubernetes 1.22; v1 has the same schema
kind: ClusterRole
metadata:
  name: grafana-prometheus-scraper
rules:
  - apiGroups: [""]
    resources:
      - configmaps
      - secrets
      - nodes
      - pods
      - services
      - resourcequotas
      - replicationcontrollers
      - limitranges
      - persistentvolumeclaims
      - persistentvolumes
      - namespaces
      - endpoints
    verbs: ["list", "watch"]
  - apiGroups: ["extensions"]
    resources:
      - daemonsets
      - deployments
      - replicasets
      - ingresses
    verbs: ["list", "watch"]
  - apiGroups: ["apps"]
    resources:
      - daemonsets
      - deployments
      - replicasets
      - statefulsets
    verbs: ["list", "watch"]
  - apiGroups: ["batch"]
    resources:
      - cronjobs
      - jobs
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling"]
    resources:
      - horizontalpodautoscalers
    verbs: ["list", "watch"]
  - apiGroups: ["policy"]
    resources:
      - poddisruptionbudgets
    verbs: ["list", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - certificatesigningrequests
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources:
      - storageclasses
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling.k8s.io"]
    resources:
      - verticalpodautoscalers
    verbs: ["list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 was removed in Kubernetes 1.22; v1 has the same schema
kind: ClusterRoleBinding
metadata:
  name: grafana-prometheus-scraper
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: grafana-prometheus-scraper
subjects:
- kind: ServiceAccount
  name: grafana-prometheus-scraper
  # A ServiceAccount subject in a ClusterRoleBinding must carry its namespace,
  # otherwise the API server rejects the binding; "default" is where the
  # ServiceAccount above lands when it is applied without a namespace.
  namespace: default

You don't have to specify the namespace when you are creating Cluster roles as this applies to the whole cluster. If you want to limit the access to a particular namespace you should use Role and RoleBinding.

There is a really good article on Medium, Configuring RBAC For Your Kubernetes Service Accounts, that I strongly recommend.

-- Crou
Source: StackOverflow
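The ServiceAccount gets exactly what the rules above grant, and the cheapest way to see what that is before wiring Grafana up is to evaluate requests against them the way the RBAC authorizer matches rules. The Python below is an added example, not code from this answer or from Kubernetes; CLUSTER_ROLE_RULES is a hand-transcribed subset of the ClusterRole above.

```python
# Added example, not code from the answer or from Kubernetes: evaluates requests
# against the ClusterRole above the way the RBAC authorizer matches rules, offline.
# CLUSTER_ROLE_RULES is a hand-transcribed subset of the answer's ClusterRole.
CLUSTER_ROLE_RULES = [
    {"apiGroups": [""], "verbs": ["list", "watch"],
     "resources": ["configmaps", "secrets", "nodes", "pods", "services",
                   "namespaces", "endpoints"]},
    {"apiGroups": ["apps"], "verbs": ["list", "watch"],
     "resources": ["daemonsets", "deployments", "replicasets", "statefulsets"]},
    {"apiGroups": ["batch"], "verbs": ["list", "watch"],
     "resources": ["cronjobs", "jobs"]},
]


def _matches(allowed, value):
    # Verbs and apiGroups match exactly or via the "*" wildcard; no globbing.
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, group, resource):
    """True if this one rule grants `verb` on `group`/`resource`.

    A subresource such as "pods/log" is granted only by an exact "pods/log"
    entry, by "*", or by a "*/log" entry, never by plain "pods".
    """
    if not _matches(rule.get("verbs", []), verb):
        return False
    if not _matches(rule.get("apiGroups", []), group):
        return False
    resources = rule.get("resources", [])
    if "*" in resources or resource in resources:
        return True
    if "/" in resource:
        return "*/" + resource.split("/", 1)[1] in resources
    return False


def can_i(rules, verb, resource, group=""):
    """RBAC is purely additive: a request is allowed if any rule grants it."""
    return any(rule_allows(rule, verb, group, resource) for rule in rules)


def audit(rules):
    """The checks worth running before handing this binding to Grafana."""
    return {
        "list pods": can_i(rules, "list", "pods"),        # kubectl get pods
        "get pods": can_i(rules, "get", "pods"),          # kubectl get pod NAME
        "get pods/log": can_i(rules, "get", "pods/log"),  # subresource
        "list deployments.apps": can_i(rules, "list", "deployments", "apps"),
        "create deployments.apps": can_i(rules, "create", "deployments", "apps"),
        "list secrets": can_i(rules, "list", "secrets"),  # returns secret contents
    }
```

On a live cluster the same checks are `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:grafana-prometheus-scraper`. An RBAC denial comes back as Forbidden; the Unauthorized in the question is returned before authorization runs, when the credential itself is rejected.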