Hoping for some pointers, I have a question: what role/permissions do I need to add to a user that has Clusterrole:view in order to let that user use 'top node' and 'top pod' command in kubectl? We're using kubectl version 1.15.x (client) on a 1.15.7 cluster (AKS), although I'm not sure if that's relevant information. I tried to find this in the k8s documentation, but could not find the permission-reference description, only some examples and guidelines.
Thanks in advance!
Regards, Ludo
There is no specific permission for `top node` and `top pod`. The permission is on whether you can do `get nodes` and `get pods`. If permission is there to do `get nodes` and `get pods` then you should be able to `top nodes` and `top pods` as well. Permission to perform `get nodes` or `get pods` is defined via RBAC in Kubernetes.
The metric server just exposes metrics of different resources, such as pods and nodes, by collecting and aggregating them from different sources such as the kubelet. That's the reason there is no permission for the metrics themselves; rather, the permission is on the resources whose metrics you want to see.
The API that is being invoked when you do `kubectl top pods` is this:
GET https://API-SERVER-IP:6443/apis/metrics.k8s.io/v1beta1/namespaces/default/pods
So you can only see metrics for pods in the default namespace when you are targeting the default namespace. Now, whether you can get pods in the default namespace is governed by RBAC.
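
The request shown in the answer is addressed to the metrics.k8s.io API group, and RBAC rules are written per API group, resource and verb. As an added example (not part of the original question or answer), here is a ClusterRole granting read access to the pod and node resources of that group, bound to a single user; the role name, binding name and user name are hypothetical placeholders.

```yaml
# Added example; metrics-reader-example and ludo-example are hypothetical names.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metrics-reader-example
  # Optional: uncomment to have these rules aggregated into the built-in
  # "view" ClusterRole, so every subject already bound to view receives them
  # and the separate binding below is not needed.
  # labels:
  #   rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  # Resources served under /apis/metrics.k8s.io/..., as in the request above.
  # Pods and nodes in the core group (apiGroups: [""]) are separate resources
  # and are granted by their own rules.
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics-reader-example-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metrics-reader-example
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: ludo-example   # placeholder user name
# Check the result without switching credentials:
#   kubectl auth can-i list pods.metrics.k8s.io --as=ludo-example
#   kubectl auth can-i list nodes.metrics.k8s.io --as=ludo-example
```

A ClusterRoleBinding grants the access in every namespace; a RoleBinding that references the same ClusterRole limits the pod metrics to one namespace, while node metrics are cluster-scoped and need the cluster-wide binding.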