2
votes

I created a cluster role "try-usr":

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: try-usr
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch

While accessing the Web UI (Dashboard), it's throwing an error as follows:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"xyz\" cannot get services/proxy in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}
1
Did you create a clusterrolebinding to bind your cluster role to the xyz user? - whites11
Yes, I created it. "kubectl create clusterrolebinding xyz --clusterrole="try-usr" --user=xyz". Sorry I haven't mentioned this. - manoj kumar
Please update the question with the output of kubectl describe clusterrolebinding xyz - Jose Armesto

1 Answer

0
votes

Depending on the Kubernetes version, the dashboard will require different permissions, according to the docs:

v1.7

  • create and watch permissions for secrets in kube-system namespace required to create and watch for changes of kubernetes-dashboard-key-holder secret.
  • get, update and delete permissions for secrets named kubernetes-dashboard-key-holder and kubernetes-dashboard-certs in kube-system namespace.
  • proxy permission to heapster service in kube-system namespace required to allow getting metrics from heapster.

v1.8

  • create permission for secrets in kube-system namespace required to create kubernetes-dashboard-key-holder secret.
  • get, update and delete permissions for secrets named kubernetes-dashboard-key-holder and kubernetes-dashboard-certs in kube-system namespace.
  • get and update permissions for config map named kubernetes-dashboard-settings in kube-system namespace.
  • proxy permission to heapster service in kube-system namespace required to allow getting metrics from heapster.
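
Added example, not part of the original question or answer: a small Python model of how Kubernetes RBAC matches a rule against a request, applied to the request named in the 403 message above. The try-usr rule and the request come from the question; the three comparison rule sets and all function names are constructed here.

```python
# Added example: models how Kubernetes RBAC matches PolicyRules against a request.
# Rule matching only; bindings, aggregation and non-resource URLs are out of scope.

def _any(rule_values, wanted):
    """True when the rule lists '*' or the exact value."""
    return "*" in rule_values or wanted in rule_values

def resource_matches(rule_resources, resource, subresource=""):
    combined = f"{resource}/{subresource}" if subresource else resource
    for r in rule_resources:
        # '*' covers every resource and subresource; otherwise require an exact match
        if r == "*" or r == combined:
            return True
        # a "*/proxy" style entry covers one subresource on every resource
        if subresource and r == f"*/{subresource}":
            return True
    return False

def rule_allows(rule, req):
    names = rule.get("resourceNames", [])  # empty list means "any name"
    return (
        _any(rule.get("verbs", []), req["verb"])
        and _any(rule.get("apiGroups", []), req["apiGroup"])
        and resource_matches(rule.get("resources", []), req["resource"],
                             req.get("subresource", ""))
        and (not names or req.get("name", "") in names)
    )

def allowed(rules, req):
    return any(rule_allows(r, req) for r in rules)

# The request from the 403 message in the question ("" is the core API group).
DASHBOARD_PROXY = {"verb": "get", "apiGroup": "", "resource": "services",
                   "subresource": "proxy", "name": "https:kubernetes-dashboard:"}

# The rule from the question's try-usr ClusterRole.
TRY_USR = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}]

# Constructed rule sets for comparison (not from the page).
SERVICES_ONLY = [{"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list"]}]
HEAPSTER_ONLY = [{"apiGroups": [""], "resources": ["services/proxy"],
                  "resourceNames": ["heapster"], "verbs": ["get"]}]
SCOPED = [{"apiGroups": [""], "resources": ["services/proxy"],
           "resourceNames": ["https:kubernetes-dashboard:"], "verbs": ["get"]}]

if __name__ == "__main__":
    for label, rules in [("try-usr", TRY_USR), ("services only", SERVICES_ONLY),
                         ("heapster only", HEAPSTER_ONLY), ("scoped", SCOPED)]:
        print(f"{label:14} -> {allowed(rules, DASHBOARD_PROXY)}")
```

The try-usr rule matches this request on its own, so a 403 like the one above is a reason to inspect the binding's subject, as the comment asking for `kubectl describe clusterrolebinding xyz` does. On a live cluster, `kubectl auth can-i get services --subresource=proxy --as=xyz -n kube-system` gives the API server's own answer.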