How to restrict kubernetes dashboard to a specific dashboard for a user assigned to a specific Role

10/20/2020

I'm trying to restrict the a user on the kubernetes dashboard that connects to kubectl after i created a .crt for him and the respective config.

I successfully restricted what he can do with the following role.yaml

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 namespace: development
 name: dev
rules:
- apiGroups: [""]
  resources: ["pods", "services", "crontabs", "pods/log"]
  verbs: ["create", "get", "update", "list", "delete"]
- apiGroups: ["batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["*"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["create", "get", "update", "list", "delete"]

and cluster binding

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-susann
rules:
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["https:kubernetes-dashboard:"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

for him to be able to access the dashboard. The problem is that i only want him to be able to access the namespace development.

I already searched a bit and some solutions seem to involve creating a service account and another problem might be because the permissions to see the dashboard are giving on a cluster role and that can't be namespaced.

Is there a best approach to solve this problem?

-- Nmaster88
kubectl
kubernetes
kubernetes-dashboard
minikube

1 Answer

10/27/2020

This can be done with a proper RBAC configuration.

You need to create a RoleBinding in the specific namespace. For example, the RBAC rules could be created as follows:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev
  namespace: development
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: dev

With it, the dev Role would have the pre-defined cluster role edit that would restrict them to the standard operations on most objects, via the dashboard. The dev would not be able to drop-down list the other namespaces.

In order to fully understand the whole process I strongly recommend going through the below guide:

If you need to use this or a similar approach for a larger scale, you can consider using this tool:

And if you seek more knowledge regarding this particular topic I suggest checking out the below sources:

Going through the guide and supplementing any needed knowledge with the linked sources will make it way easier for you to understand and implement this solution in your use case.

-- WytrzymaƂy Wiktor
Source: StackOverflow