I'm trying to restrict a user on the Kubernetes dashboard that connects to kubectl after I created a .crt for him and the respective config.
I successfully restricted what he can do with the following role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: development
  name: dev
rules:
- apiGroups: [""]
  resources: ["pods", "services", "crontabs", "pods/log"]
  verbs: ["create", "get", "update", "list", "delete"]
- apiGroups: ["batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["*"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["create", "get", "update", "list", "delete"]
and cluster binding
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-susann
rules:
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["https:kubernetes-dashboard:"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
for him to be able to access the dashboard.
The problem is that I only want him to be able to access the namespace development.
I already searched a bit and some solutions seem to involve creating a service account, and another problem might be that the permissions to see the dashboard are given on a cluster role and that can't be namespaced.
Is there a best approach to solve this problem?
This can be done with a proper RBAC configuration.
You need to create a RoleBinding in the specific namespace. For example, the RBAC rules could be created as follows:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev
  namespace: development
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: dev
With it, the dev Role would have the pre-defined cluster role edit that would restrict them to the standard operations on most objects, via the dashboard. The dev would not be able to drop-down list the other namespaces.
In order to fully understand the whole process I strongly recommend going through the below guide:
If you need to use this or a similar approach for a larger scale, you can consider using this tool:
And if you seek more knowledge regarding this particular topic I suggest checking out the below sources:
Going through the guide and supplementing any needed knowledge with the linked sources will make it way easier for you to understand and implement this solution in your use case.
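To see why the answer's RoleBinding confines the user to one namespace while the question's ClusterRole still works cluster-wide, here is an added example that is not part of the question or the answer: a small offline model of the Kubernetes RBAC decision (rules in Roles/ClusterRoles, scope from RoleBindings/ClusterRoleBindings). It is not Kubernetes code; it ignores aggregation and ServiceAccount subjects, the "edit" rules are a trimmed stand-in for the built-in ClusterRole, and the user name "susann" and the group membership are assumptions. The policy it evaluates is constructed to mirror the manifests in this thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One authorization question: who wants to do what, where."""
    user: str
    groups: frozenset
    verb: str
    api_group: str = ""   # "" is the core API group
    resource: str = ""    # e.g. "pods" or the "services/proxy" subresource
    name: str = ""        # object name, only relevant for resourceNames rules
    namespace: str = ""   # "" for cluster-scoped or non-resource requests
    url: str = ""         # set for non-resource requests such as "/ui"


def _wild(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def _url_match(pattern: str, url: str) -> bool:
    # nonResourceURLs allow a trailing "*" wildcard, e.g. "/ui/*".
    return url.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == url


def rule_allows(rule: dict, req: Request) -> bool:
    """Does one PolicyRule cover the request? RBAC rules are purely additive."""
    if not any(_wild(v, req.verb) for v in rule.get("verbs", [])):
        return False
    if req.url:  # non-resource request: only the URL list matters
        return any(_url_match(p, req.url) for p in rule.get("nonResourceURLs", []))
    if not any(_wild(g, req.api_group) for g in rule.get("apiGroups", [])):
        return False
    if not any(_wild(r, req.resource) for r in rule.get("resources", [])):
        return False
    names = rule.get("resourceNames", [])
    return not names or req.name in names


def _subject_matches(binding: dict, req: Request) -> bool:
    return any((s["kind"] == "User" and s["name"] == req.user) or
               (s["kind"] == "Group" and s["name"] in req.groups)
               for s in binding["subjects"])


def authorize(policy: dict, req: Request) -> bool:
    """Allow iff some binding naming the subject grants a rule matching the request."""
    for crb in policy["clusterRoleBindings"]:
        if _subject_matches(crb, req):
            if any(rule_allows(r, req) for r in policy["clusterRoles"][crb["roleRef"]["name"]]):
                return True
    # A RoleBinding only counts for requests inside its own namespace, even when
    # roleRef points at a ClusterRole. That is what scopes "edit" to development.
    for rb in policy["roleBindings"]:
        if not req.namespace or rb["namespace"] != req.namespace or not _subject_matches(rb, req):
            continue
        ref = rb["roleRef"]
        rules = (policy["clusterRoles"][ref["name"]] if ref["kind"] == "ClusterRole"
                 else policy["roles"][(rb["namespace"], ref["name"])])
        if any(rule_allows(r, req) for r in rules):
            return True
    return False


EDIT_VERBS = ["create", "delete", "get", "list", "patch", "update", "watch"]
DASH_VERBS = ["get", "list", "watch", "create", "update", "patch", "delete"]

# Constructed policy mirroring the thread: the question's ClusterRole bound
# cluster-wide to the (assumed) user "susann", plus the answer's RoleBinding of
# Group "dev" to ClusterRole "edit" in namespace "development".
POLICY = {
    "clusterRoles": {
        "edit": [  # trimmed stand-in for the built-in ClusterRole
            {"apiGroups": [""], "resources": ["pods", "pods/log", "services"], "verbs": EDIT_VERBS},
            {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": EDIT_VERBS},
            {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": EDIT_VERBS},
        ],
        "kubernetes-dashboard-susann": [
            {"apiGroups": [""], "resources": ["services/proxy"],
             "resourceNames": ["https:kubernetes-dashboard:"], "verbs": DASH_VERBS},
            {"nonResourceURLs": ["/ui", "/ui/*",
                                 "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"],
             "verbs": DASH_VERBS},
        ],
    },
    "roles": {},
    "clusterRoleBindings": [
        {"subjects": [{"kind": "User", "name": "susann"}],
         "roleRef": {"kind": "ClusterRole", "name": "kubernetes-dashboard-susann"}},
    ],
    "roleBindings": [
        {"namespace": "development", "subjects": [{"kind": "Group", "name": "dev"}],
         "roleRef": {"kind": "ClusterRole", "name": "edit"}},
    ],
}

SUSANN = {"user": "susann", "groups": frozenset({"dev"})}  # assumed identity


def can_i(verb, resource="", api_group="", namespace="", name="", url="", who=SUSANN):
    """Offline analogue of `kubectl auth can-i` against the constructed policy."""
    return authorize(POLICY, Request(verb=verb, resource=resource, api_group=api_group,
                                     namespace=namespace, name=name, url=url, **who))


if __name__ == "__main__":
    checks = [
        ("list pods in development", can_i("list", "pods", namespace="development")),
        ("list pods in kube-system", can_i("list", "pods", namespace="kube-system")),
        ("list namespaces (dashboard drop-down)", can_i("list", "namespaces")),
        ("reach the dashboard proxy", can_i("get", "services/proxy", namespace="kube-system",
                                            name="https:kubernetes-dashboard:")),
        ("open /ui", can_i("get", url="/ui")),
    ]
    for label, ok in checks:
        print(("yes" if ok else "no").ljust(3), label)
```

On a real cluster the same questions are asked with `kubectl auth can-i list pods -n kube-system --as susann --as-group dev` (impersonation requires that the caller holds the impersonate verb). The model shows the two halves of the answer: the dashboard ClusterRole, bound by a ClusterRoleBinding, is reachable from any namespace, so the proxy and /ui keep working, while everything granted through the RoleBinding stops at the boundary of "development", and cluster-scoped requests such as listing namespaces are refused, which is why the drop-down stays empty.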