
@karthik101
Last active June 12, 2023 16:32
Read only user for Kubernetes Dashboard

The built-in view ClusterRole doesn't actually have permissions for cluster-level objects like Nodes and Persistent Volume Claims, so we'll have to create a new RBAC config.

First, we'll create a new dashboard-viewonly ClusterRole and bind it to the dashboard's ServiceAccount:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-viewonly
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - nodes
  - persistentvolumeclaims
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  - volumeattachments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  - roles
  - rolebindings
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dashboard-viewonly
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system

Now we've configured a read-only dashboard we can safely share with people who don't even have K8s cluster access. This RBAC config does NOT grant access to Secrets, just to be a little safe.

In the web browser login view, when prompted for a Token or kubeconfig, just press SKIP to view the read-only dashboard.
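As an added example that is not part of the gist, here is a small Python script that audits the ClusterRole above offline, before it is applied: it reproduces the RBAC authorizer's rule matching (apiGroup, resource or resource/subresource, verb, and the `*` wildcards) over the gist's rules transcribed into Python data, so you can confirm which requests the dashboard's ServiceAccount would be allowed to make and that no rule grants write verbs or Secrets. It also makes visible why ingresses are only matched under the legacy `extensions` group in this role. The function and variable names (`allows`, `audit_read_only`, `DASHBOARD_VIEWONLY_RULES`) are this example's own, not Kubernetes or dashboard code.

```python
# Added example (not part of the gist): an offline pre-apply audit of the
# dashboard-viewonly ClusterRole. It re-implements the matching rules of the
# Kubernetes RBAC authorizer for a list of PolicyRules (apiGroups, resources,
# "resource/subresource", the "*" wildcard and the "*/subresource" form, verbs)
# so the role can be checked before it is bound to the dashboard's
# ServiceAccount. DASHBOARD_VIEWONLY_RULES is the gist's ClusterRole transcribed
# into Python data (one duplicated persistentvolumeclaims entry dropped); the
# evaluator is written for this example, not taken from Kubernetes.

READ_ONLY = ["get", "list", "watch"]
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

DASHBOARD_VIEWONLY_RULES = [
    {"apiGroups": [""], "verbs": READ_ONLY,
     "resources": ["configmaps", "endpoints", "persistentvolumeclaims", "pods",
                   "replicationcontrollers", "replicationcontrollers/scale",
                   "serviceaccounts", "services", "nodes", "persistentvolumes"]},
    {"apiGroups": [""], "verbs": READ_ONLY,
     "resources": ["bindings", "events", "limitranges", "namespaces/status", "pods/log",
                   "pods/status", "replicationcontrollers/status", "resourcequotas",
                   "resourcequotas/status"]},
    {"apiGroups": [""], "verbs": READ_ONLY, "resources": ["namespaces"]},
    {"apiGroups": ["apps"], "verbs": READ_ONLY,
     "resources": ["daemonsets", "deployments", "deployments/scale", "replicasets",
                   "replicasets/scale", "statefulsets"]},
    {"apiGroups": ["autoscaling"], "verbs": READ_ONLY, "resources": ["horizontalpodautoscalers"]},
    {"apiGroups": ["batch"], "verbs": READ_ONLY, "resources": ["cronjobs", "jobs"]},
    {"apiGroups": ["extensions"], "verbs": READ_ONLY,
     "resources": ["daemonsets", "deployments", "deployments/scale", "ingresses",
                   "networkpolicies", "replicasets", "replicasets/scale",
                   "replicationcontrollers/scale"]},
    {"apiGroups": ["policy"], "verbs": READ_ONLY, "resources": ["poddisruptionbudgets"]},
    {"apiGroups": ["networking.k8s.io"], "verbs": READ_ONLY, "resources": ["networkpolicies"]},
    {"apiGroups": ["storage.k8s.io"], "verbs": READ_ONLY,
     "resources": ["storageclasses", "volumeattachments"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "verbs": READ_ONLY,
     "resources": ["clusterrolebindings", "clusterroles", "roles", "rolebindings"]},
]


def _match(wanted, allowed):
    """Exact match, or the RBAC wildcard '*' (used for apiGroups and verbs)."""
    return any(a in ("*", wanted) for a in allowed)


def _resource_match(wanted, allowed):
    """Resources match exactly, via '*', or via '*/<sub>' for any resource's subresource.
    A bare 'pods' entry does NOT cover 'pods/log'; subresources need their own entry."""
    sub = wanted.split("/", 1)[1] if "/" in wanted else ""
    return any(a in ("*", wanted) or (sub and a == "*/" + sub) for a in allowed)


def allows(rules, api_group, resource, verb):
    """True if some rule grants `verb` on `resource` in `api_group` ("" = core group).
    RBAC is purely additive (there are no deny rules): one matching rule is enough."""
    return any(
        _match(api_group, r["apiGroups"])
        and _resource_match(resource, r["resources"])
        and _match(verb, r["verbs"])
        for r in rules
    )


def audit_read_only(rules):
    """Findings that would make the role unsafe to hand to a read-only dashboard user."""
    findings = []
    for i, r in enumerate(rules):
        bad_verbs = sorted(v for v in r["verbs"] if v == "*" or v in WRITE_VERBS)
        if bad_verbs:
            findings.append(f"rule {i}: grants write verbs {bad_verbs}")
        if any(res in ("secrets", "*") for res in r["resources"]):
            findings.append(f"rule {i}: exposes secrets")
    return findings


if __name__ == "__main__":
    # Constructed sample requests: what the dashboard would ask the API server for.
    checks = [
        ("", "pods", "get"), ("", "pods/log", "get"), ("", "secrets", "get"),
        ("apps", "deployments", "delete"), ("apps", "deployments", "update"),
        ("extensions", "ingresses", "list"), ("networking.k8s.io", "ingresses", "list"),
    ]
    for group, res, verb in checks:
        verdict = "allowed" if allows(DASHBOARD_VIEWONLY_RULES, group, res, verb) else "denied"
        print(f"{verb:7} {group or 'core'}/{res}: {verdict}")
    print("audit findings:", audit_read_only(DASHBOARD_VIEWONLY_RULES) or "none")
```

The same question asked of a live cluster is `kubectl auth can-i delete deployments.apps --as=system:serviceaccount:kube-system:kubernetes-dashboard` (impersonation requires that your own identity may impersonate), and that is the quickest way to settle disagreements about whether the dashboard is really read-only: a UI that still shows Edit and Delete buttons is not proof that the API server will honour them, and the answer depends on which ServiceAccount token the dashboard actually sends, which with SKIP is its own.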

@shashank-k

I am getting the following error while creating the Service Account
error: error validating "service_acct.yaml": error validating data: [ValidationError(ClusterRoleBinding): unknown field "labels" in io.k8s.api.rbac.v1beta1.ClusterRoleBinding, ValidationError(ClusterRoleBinding): unknown field "name" in io.k8s.api.rbac.v1beta1.ClusterRoleBinding, ValidationError(ClusterRoleBinding.roleRef): unknown field "subjects" in io.k8s.api.rbac.v1beta1.RoleRef]; if you choose to ignore these errors, turn validation off with --validate=false

@karthik101
Author

karthik101 commented May 9, 2020

You might be using a new version of k8s after 1.14; check its apiVersion documentation and change them accordingly.

You can also choose to add --validate=false at the end of kubectl apply to skip validation.

@patrickgardella

What version of the dashboard are you using, @karthik101?

I've tried to accomplish a read-only view several times, using yours and other ClusterRoles and ClusterRoleBindings, but they will always still let me create and delete resources (I test with creating and then destroying a namespace). I'm using Dashboard 2.0.1.

@Sjnahak

Sjnahak commented Jun 17, 2020

I am also having the same issue; the read-only user is still able to edit, delete, create. I'm using Dashboard 2.0.1.

@patrickgardella

@Sjnahak I'm curious what platform you are testing this on. Yesterday I found that the read-only user had full CRUD capabilities while running on Docker for Desktop (Mac), but when I deployed it to our AWS EKS cluster, it worked fine. So I'm wondering if there is something else going on here in the platform itself.

@Sjnahak

Sjnahak commented Jun 17, 2020

It is working; I misinterpreted when I saw edit access, but the operation gets denied.

@frednotet

For folks using terraform:

resource "kubernetes_cluster_role" "readonly" {
  metadata {
    name = "dashboard-viewonly"
  }

  rule {
    api_groups = [""]
    resources  = ["configmaps","endpoints","persistentvolumeclaims","pods","replicationcontrollers","replicationcontrollers/scale","serviceaccounts","services","nodes","persistentvolumeclaims","persistentvolumes"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = [""]
    resources  = ["bindings","events","limitranges","namespaces/status","pods/log","pods/status","replicationcontrollers/status","resourcequotas","resourcequotas/status"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = [""]
    resources  = ["namespaces"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["apps"]
    resources  = ["daemonsets","deployments","deployments/scale","replicasets","replicasets/scale","statefulsets"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["autoscaling"]
    resources  = ["horizontalpodautoscalers"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["batch"]
    resources  = ["cronjobs","jobs"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["extensions"]
    resources  = ["daemonsets","deployments","deployments/scale","ingresses","networkpolicies","replicasets","replicasets/scale","replicationcontrollers/scale"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["policy"]
    resources  = ["poddisruptionbudgets"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["networking.k8s.io"]
    resources  = ["networkpolicies"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["storage.k8s.io"]
    resources  = ["storageclasses", "volumeattachments"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["rbac.authorization.k8s.io"]
    resources  = ["clusterrolebindings", "clusterroles","roles","rolebindings"]
    verbs      = ["get", "list", "watch"]
  }
}

resource "kubernetes_cluster_role_binding" "readonly" {
  metadata {
    name = "kubernetes-dashboard"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "dashboard-viewonly"
  }
  subject {
    kind      = "ServiceAccount"
    name      = "kubernetes-dashboard"
    namespace = "kube-system"
  }
}

@Gupta-Amrit

It is working; I misinterpreted when I saw edit access, but the operation gets denied.

I am still able to delete/edit yaml from kubernetes-dashboard. How did you disable that?

@Sjnahak

Sjnahak commented Jul 6, 2020

@Gupta-Amrit Are you able to submit the request after editing?
Also, what token are you using to log in to the kubernetes dashboard? It should be that of the view-only service account.

@Gupta-Amrit

@karthik101 @patrickgardella @Sjnahak I'm using Dashboard 2.0.3 and followed the above yaml file, but I am still able to delete/edit the yaml file and able to use the create button (top right corner) with any yaml/json file. The only thing which is not working is the scale option. Could any one of you tell me if any other steps are required?

@Gupta-Amrit

@Gupta-Amrit Are you able to submit the request after editing?
Also, what token are you using to log in to the kubernetes dashboard? It should be that of the view-only service account.

Yes, I am able to submit the request and it is updating the deployment. Also, I have enabled the skip login button and am not using any token, but I also tried with the view-only service account and it is able to update the deployments.

@dsculptor

Can confirm that I am able to access secrets freely!

@karthik101
Author

I tested it recently on k8s v1.18.3 and Dashboard v2.0.1; the Dashboard has read-only access.

Do not copy and apply blindly. Check its API, rules, the serviceAccount it uses and the namespace where your dashboard pod runs. Edit the clusterrole accordingly with your requirements.

@pakuma1

pakuma1 commented Feb 14, 2022

I am not able to see ingresses in the dashboard.

@NaveLevi

@pakuma1

I am not able to see ingresses in the dashboard.

The ingresses are no longer under the extensions api group. This works:

- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  - ingresses
  verbs:
  - get
  - list
  - watch

@ngk512

ngk512 commented Jun 29, 2022

Hi,
I am not getting any option to skip login. How do I generate the token for the dashboard view-only user?
