kubernetes restricted access to dashboard

8/10/2020

I want to create a service account that has a restricted access only.

Let us say I have namespace called devops

I want to create a service account that only accesses devops and does what I set in the role below.

kubectl create clusterrole devops-dash-role --verb=get,list --resource=pods --namespace=devops

There I only want the service account to have access to that namespace, and only to that resource.

Then here is my service account:

kubectl create serviceaccount devops-dash-sa --namespace devops

Here is how I bind them:

kubectl create clusterrolebinding devops-dash-rb --clusterrole=devops-dash-role --serviceaccount=devops:devops-dash-sa

Then here is how I get the token:

kubectl describe secret devops-dash-sa-token-spnpm -n devops

Then I extract the token from there.

But once logged into the dashboard it shows nothing; it also defaulted to the default namespace.


Also, I was able to create my own user with my own kubeconfig file which I use (as it has restriction) but upon my research that user needs a token as well so I ended up creating service account instead.

Updated: I tried the commands below:

kubectl create role devops-admin-role --verb="*" --resource="*" --namespace=devops
kubectl create serviceaccount devops-admin-sa --namespace devops
kubectl create rolebinding devops-admin-role-sa-rb --clusterrole=devops-admin-role --serviceaccount=devops:devops-admin-sa

But when I try to execute this:

kubectl --as system:serviceaccount:devops:devops-admin-sa get po -n devops

it gives me this error:

Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:devops:devops-admin-sa" cannot list resource "pods" in API group "" in the namespace "devops"

-- Jayson Gonzaga
kubernetes
kubernetes-dashboard

1 Answer

8/11/2020

Role:

kubectl create role devops-dash-role --verb=get,list --resource=pods --namespace=devops

Service account:

kubectl create serviceaccount devops-dash-sa --namespace devops

Role binding:

kubectl create rolebinding devops-dash-rb --role=devops-dash-role --serviceaccount=devops:devops-dash-sa --namespace devops

That is all you need.

You can also use:

--verb="*" --resource="*"

to give access to all resources, and because roles and rolebindings are namespaced, these permissions will be granted only within the namespace they exist in.

Now let's try it:

# default namespace
$ kubectl --as system:serviceaccount:devops:devops-dash-sa  get po
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:devops:devops-dash-sa" cannot list resource "pods" in API group "" in the namespace "default"

# devops namespace
$ k --as system:serviceaccount:devops:devops-dash-sa  get po -n devops
No resources found in devops namespace

When you use it in a dashboard it should work the same.

-- Matt
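The same setup as a declarative manifest, as an added example that is not part of either post above. It uses the names from the thread (namespace devops, service account devops-dash-sa, role devops-dash-role); everything else is an assumption of this example. The point it makes explicit is the one the question's Forbidden error turns on: `kubectl create rolebinding --role=…` writes `roleRef.kind: Role`, while `--clusterrole=…` writes `roleRef.kind: ClusterRole`, and a RoleBinding whose roleRef names a kind that does not exist is accepted by the API server but grants nothing. The script generates the manifest, checks that mismatch offline, and, only when invoked with `apply`, applies it and verifies the scoping with `kubectl auth can-i`.

```shell
#!/usr/bin/env sh
# Added example, not code from the original posts. Assumes the names used in
# the thread; override with NS=, SA=, ROLE= environment variables.
NS="${NS:-devops}"
SA="${SA:-devops-dash-sa}"
ROLE="${ROLE:-devops-dash-role}"

# Print a ServiceAccount + Role + RoleBinding manifest. The first argument is
# the roleRef kind; "Role" is correct here because the role is namespaced.
# Passing "ClusterRole" reproduces the mismatch from the question's update
# (a Role bound with --clusterrole), which yields a binding that grants nothing.
rbac_manifest() {
  ref_kind="${1:-Role}"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $SA
  namespace: $NS
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $ROLE
  namespace: $NS
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${ROLE}-binding
  namespace: $NS
subjects:
- kind: ServiceAccount
  name: $SA
  namespace: $NS
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: $ref_kind
  name: $ROLE
EOF
}

# Offline sanity check on a manifest passed as $1: the binding's roleRef.kind
# must equal the kind of the role defined in the same manifest.
# Returns 0 on match, 1 on mismatch.
roleref_matches() {
  role_kind=$(printf '%s\n' "$1" | awk '/^kind: (Role|ClusterRole)$/ {print $2; exit}')
  ref_kind=$(printf '%s\n' "$1" | awk '/^roleRef:/ {inref=1} inref && /^  kind:/ {print $2; exit}')
  [ "$role_kind" = "$ref_kind" ]
}

# Apply the manifest and confirm the namespace scoping from a cluster's point
# of view. `kubectl auth can-i` exits non-zero when the answer is "no", so the
# expected results are noted rather than chained with set -e.
verify_in_cluster() {
  subject="system:serviceaccount:$NS:$SA"
  rbac_manifest Role | kubectl apply -f -
  kubectl auth can-i list pods -n "$NS"   --as "$subject"   # expected: yes
  kubectl auth can-i list pods -n default --as "$subject"   # expected: no
  kubectl auth can-i delete pods -n "$NS" --as "$subject"   # expected: no
}

# Only talk to a cluster when explicitly asked: `sh rbac-example.sh apply`.
# Without an argument the script just prints the correct manifest.
if [ "${1:-}" = "apply" ]; then
  verify_in_cluster
else
  rbac_manifest Role
fi
```

Run it with no arguments to review the manifest, or pipe that output into `kubectl apply -f -` yourself; `sh rbac-example.sh apply` does the apply and the three `can-i` checks in one go. The dashboard behaves exactly as those checks do: the token for devops-dash-sa can list pods only after switching the dashboard's namespace selector to devops.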
Source: StackOverflow