1
votes

I am a newbie to the Prometheus/Grafana set up. I recently installed the kube-prometheus operator and am learning and setting up dashboards and LDAP authentication. I see that we can create Grafana organizations/roles and map those to LDAP groups. This will help to give 'Admin', 'Editor', and 'Viewer' access as mentioned in the documentation. I am trying to understand how we can restrict access to Grafana dashboard(s) to per-namespace resources only, or whether this approach is not recommended? Meaning, each team that has access to their respective namespace(s) will get to see only what they're allowed, nothing from other namespaces or nodes.

Thanks

1

1 Answer

1
votes

It doesn't make sense because even on their "limited" dashboard they have full access to a common data source (Prometheus), and they could simply change queries in Grafana and see everything else. And there's no mechanism to apply RBAC at the level of individual resources within a data source.

From my experience metrics are always safe to share between teams, sometimes even safe to share outside (status page).

Otherwise, if you still want to have a separation like this, I recommend creating separate Prometheus instances for each namespace, and separate Grafana instances for each namespace. The Prometheus operator allows such separation using the ServiceMonitorSelector. This approach is going to be very resource-consuming. And even after this, you need to make sure that the Prometheus and Grafana Service objects are not reachable across namespaces, because teams can proxy and still browse them - you can use https://kubernetes.io/docs/concepts/services-networking/network-policies/ for this.
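A minimal sketch of the per-namespace approach described in the answer above, added here as an illustration rather than taken from the answer itself. The namespace `team-alpha`, the `team: alpha` label, the service account name and the Prometheus pod label are assumptions; the namespace-scoped Role for the service account and the per-namespace Grafana are omitted.

```yaml
# Per-namespace Prometheus managed by the Prometheus operator.
# It only picks up ServiceMonitors that carry the label team: alpha, and
# because serviceMonitorNamespaceSelector is left unset, the operator only
# looks for those ServiceMonitors in this Prometheus object's own namespace.
apiVersion: monitoring.coreos.com/v1
kind: Prometheus
metadata:
  name: prometheus
  namespace: team-alpha            # assumed namespace
spec:
  serviceAccountName: prometheus-team-alpha   # assumed; needs a namespace-scoped Role
  serviceMonitorSelector:
    matchLabels:
      team: alpha                  # assumed label on the team's ServiceMonitors
  # serviceMonitorNamespaceSelector intentionally omitted: unset means
  # "same namespace only", which is the scoping the answer relies on.
---
# NetworkPolicy so that only pods inside team-alpha (e.g. that team's
# Grafana) can reach the Prometheus pods on 9090. Pods in other namespaces
# get no route, which closes the "proxy to the Service" gap from the answer.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: prometheus-same-namespace-only
  namespace: team-alpha
spec:
  podSelector:
    matchLabels:
      prometheus: prometheus       # assumed: label the operator puts on its pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}          # any pod in team-alpha, nothing cross-namespace
      ports:
        - protocol: TCP
          port: 9090
```

A NetworkPolicy is only enforced if the cluster's CNI plugin supports it, so verify enforcement (for example with a test pod in another namespace) rather than assuming it from the object's presence.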