I want to allow non-admin users to use the Kubernetes Dashboard to view the K8 objects in their namespaces. As cluster-admin, I have no issues connecting to the Kubernetes Dashboard using kubectl proxy. When I first attempted to access it with an application service account with read-only access to their entire namespace, I received the error below:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:serviceaccount:ops-jenkins-lab:k8-dashboard-ops-jenkins-lab\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"kubernetes-dashboard\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}
I added additional RBAC roles to allow the application service account access to services and services/proxy in the kubernetes-dashboard namespace. Now I get the following error:
Forbidden (403): Http failure response for http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/api/v1/login: 403 Forbidden
If I create an ingress for the dashboard I can connect without issue to the Kubernetes Dashboard using the same application service account and have access to view all the kubernetes objects within the namespace (once I switch from default to the correct namespace). I'd actually prefer to use the ingress but for some reason once I connect to the Kubernetes Dashboard via a browser it hijacks the ingress for all my other applications. No matter which ingress I try to connect to it automatically redirects me to the Kubernetes Dashboard. I have to clear all browser data to connect to other applications.
RBAC clusterrole and rolebinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
  name: k8-dashboard
rules:
- apiGroups:
  - extensions
  - apps
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - '*'
  resources:
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - '*'
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - '*'
  resources:
  - events
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - '*'
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - '*'
  verbs:
  - patch
- apiGroups:
  - apps
  resources:
  - deployments/scale
  verbs:
  - update
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/log
  - pods/status
  - pods/delete
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - delete
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - get
  - delete
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
  labels:
    subjectName: k8-dashboard-sa
  name: k8-dashboard-ops-jenkins-lab
  namespace: ops-jenkins-lab
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k8-dashboard
subjects:
- kind: ServiceAccount
  name: k8-dashboard-ops-jenkins-lab
  namespace: ops-jenkins-lab
So this leaves me with needing to connect to the Kubernetes Dashboard using kubectl proxy. I'm certain there's additional RBAC required when using kubectl proxy as a non-admin user; however, I have yet to figure it out. Any suggestions?
Your ClusterRole is associated with a RoleBinding, and in the documentation you can read:
A RoleBinding can also reference a ClusterRole to grant the permissions defined in that ClusterRole to resources inside the RoleBinding’s namespace
This means that even though you are using a ClusterRole, the permissions are limited to one namespace, which is ops-jenkins-lab in your case.
And as long as the dashboard you are trying to access is in the kubernetes-dashboard namespace you won't be able to do it because your RoleBinding is in the wrong namespace.
To allow the k8-dashboard-ops-jenkins-lab serviceAccount to access resources in a different namespace you should either create a ClusterRoleBinding (clusterrolebindings are not namespaced) or (better option) a RoleBinding in the namespace you want to access (in your case that would be the kubernetes-dashboard namespace).
Let me know if something needs more clarification.
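The "better option" from the answer above, written out as an added example (not part of the question or the answer): a namespaced Role in kubernetes-dashboard that grants only the proxy access that kubectl proxy needs, bound to the question's service account. The Role and RoleBinding names are assumptions, as is the plain service name in resourceNames; the verbs follow the API server's mapping of an HTTP GET through the proxy to get and a POST (the dashboard's login call) to create.

```yaml
# Added example. Least-privilege grant for reaching the dashboard through
# `kubectl proxy`, scoped to the namespace where the dashboard runs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dashboard-proxy-access          # hypothetical name
  namespace: kubernetes-dashboard       # the Role lives where the dashboard lives
rules:
- apiGroups: [""]
  resources: ["services/proxy"]
  # The 403 in the question names the service as "https:kubernetes-dashboard:",
  # so the grant is restricted to that name; the plain name is added as an assumption.
  resourceNames: ["https:kubernetes-dashboard:", "kubernetes-dashboard"]
  # GET through the proxy is authorized as "get"; the dashboard's login call
  # is a POST, which the API server authorizes as "create".
  verbs: ["get", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dashboard-proxy-access-ops-jenkins-lab   # hypothetical name
  namespace: kubernetes-dashboard                 # same namespace as the Role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dashboard-proxy-access
subjects:
- kind: ServiceAccount
  name: k8-dashboard-ops-jenkins-lab    # the service account from the question
  namespace: ops-jenkins-lab
```

Before relying on it, confirm the grant from the service account's point of view with kubectl auth can-i create services/https:kubernetes-dashboard: --subresource=proxy -n kubernetes-dashboard --as=system:serviceaccount:ops-jenkins-lab:k8-dashboard-ops-jenkins-lab (the name must be included, because a rule with resourceNames does not match a request without a name). The existing RoleBinding in ops-jenkins-lab stays as it is; it still scopes the broad ClusterRole to that one namespace.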