4
votes

On kubernetes 1.8.4 I'm trying to give kubernetes users access to our dashboard.

When using the admin context to proxy, all the tokens work when logging into the dashboard. But my users don't have the admin context, only I do, so they use their own context to proxy. And in those situations, they get an error.

Steps:

  1. Create a service account for a user, put token in ~/.kube/config
  2. Give permissions to namespace A to that service account through rolebinding
  3. Switch to that user's context
  4. Do deployments, get pod overview, etc., verify it works. All fine so far
  5. Start kubectl proxy, still in that user's context
  6. Open browser, go to http://localhost:8001/ui
  7. See this in the browser:

    {
      "kind": "Status",
      "apiVersion": "v1",
      "metadata": {},
      "status": "Failure",
      "message": "forbidden: User \"system:serviceaccount:default:<username>\" cannot get path \"/ui\"",
      "reason": "Forbidden",
      "details": {},
      "code": 403
    }

  8. Try http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

  9. See this in the browser:

    {
      "kind": "Status",
      "apiVersion": "v1",
      "metadata": {},
      "status": "Failure",
      "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:serviceaccount:default:<username>\" cannot get services/proxy in the namespace \"kube-system\"",
      "reason": "Forbidden",
      "details": {
        "name": "https:kubernetes-dashboard:",
        "kind": "services"
      },
      "code": 403
    }


Clearly a permission problem. I'm not sure which permission the user needs to have to enable them to access the dashboard though. I'm very hesitant to give them permissions into the kube-system namespace.

When I stop kubectl proxy and then switch to the admin context, start the proxy and retry the same url, I get the dashboard login page.

What do I need to do to get that same result when using the user's context?

2
@fishi similar result with the proper url, I've updated the question with that info, thanks. (Max)

@MichaelHausenblas yes, I know how to write RBAC policies and apply them, but in this particular case I don't know which policy I would need to set to make this work, besides giving full admin access. I'm confident I'm not the first nor only person wanting to give only the least required privileges to a service account for accessing the dashboard, so someone probably already figured this out. (Max)

2 Answers

1
votes

I couldn't find a different way other than providing some access to kube-system, so I did so using the following role and binding:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: kube-system
  name: user-role-dashboard
rules:
  # get/list/watch on services lets the dashboard service be looked up
  - apiGroups: [""]
    resources:
      - services
    verbs: ["get", "list", "watch"]
  # services/proxy is the subresource the .../services/<name>/proxy/ URL is
  # authorized against; "create" corresponds to POST requests sent through it
  - apiGroups: [""]
    resources:
      - services/proxy
    verbs: ["get", "list", "watch", "create"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: kube-system
  name: user-binding-dashboard
subjects:
# the service account is addressed by its full username; apiGroup is given
# explicitly (v1beta1 defaults it, rbac.authorization.k8s.io/v1 requires it)
- kind: User
  name: system:serviceaccount:<namespace>:<username>
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: user-role-dashboard
  apiGroup: rbac.authorization.k8s.io

Would still like to know whether there is a better way though, your thoughts and suggestions are welcome!
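To see which of the two requests from the question this Role actually covers, here is a small Python model of RBAC rule matching (added here as an illustration; it is neither the answer's code nor kube-apiserver code). The request dicts are reconstructed from the two 403 messages above, and `NARROW_ROLE` is a constructed variant that pins `services/proxy` to the one service name the apiserver reported.

```python
from fnmatch import fnmatchcase

# The Role from the answer above, as the list of PolicyRules it carries.
ANSWER_ROLE = [
    {"apiGroups": [""], "resources": ["services"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["services/proxy"],
     "verbs": ["get", "list", "watch", "create"]},
]
# Constructed variant: same subresource, but restricted via resourceNames to
# the service named in the second 403 ("https:kubernetes-dashboard:").
NARROW_ROLE = [
    {"apiGroups": [""], "resources": ["services/proxy"],
     "resourceNames": ["https:kubernetes-dashboard:"],
     "verbs": ["get", "create"]},
]

def rule_allows(rule, req):
    """Match one PolicyRule against a request. Resource requests carry
    apiGroup/resource/name; non-resource requests (GET /ui) carry only a path
    and can match nothing but nonResourceURLs, which only a ClusterRole may
    list. "*" is a wildcard for verbs/groups/resources; nonResourceURLs allow
    a trailing "*" (fnmatch is used here as a convenient approximation)."""
    verbs = rule.get("verbs", [])
    if "*" not in verbs and req["verb"] not in verbs:
        return False
    if "path" in req:
        return any(fnmatchcase(req["path"], p) for p in rule.get("nonResourceURLs", []))
    groups = rule.get("apiGroups", [])
    if "*" not in groups and req["apiGroup"] not in groups:
        return False
    resources = rule.get("resources", [])
    if "*" not in resources and req["resource"] not in resources:
        return False
    names = rule.get("resourceNames")
    return not names or req["name"] in names

def role_allows(rules, req, bound_namespace):
    """A RoleBinding grants its Role only inside the binding's own namespace."""
    if "path" not in req and req["namespace"] != bound_namespace:
        return False
    return any(rule_allows(r, req) for r in rules)

# Requests reconstructed from the two 403 responses in the question.
REQ_UI = {"verb": "get", "path": "/ui"}
REQ_DASHBOARD = {"verb": "get", "apiGroup": "", "resource": "services/proxy",
                 "namespace": "kube-system", "name": "https:kubernetes-dashboard:"}

if __name__ == "__main__":
    for label, rules in (("answer role", ANSWER_ROLE), ("narrowed role", NARROW_ROLE)):
        print(label, "| GET /ui:", role_allows(rules, REQ_UI, "kube-system"),
              "| dashboard proxy:", role_allows(rules, REQ_DASHBOARD, "kube-system"))
```

Both roles admit the `services/proxy` URL from step 8 and neither admits the bare `/ui` path from step 6, because a namespaced Role cannot carry `nonResourceURLs`; the narrowed variant additionally refuses the same verbs on any other service in kube-system.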

0
votes

I have the same situation and found my answer in this post: Kubernetes Dashboard Installation Deep Dive. It worked perfectly.

The idea is to create a PKCS #12 file from the kubernetes-admin user's certificate and key. Import this into your browser, then access the dashboard through the API server (I did not use a proxy). Note that SKIP will not grant any access. Login using the bearer token as normal, and the dashboard rights are restricted by the user's token.