@karthik101
Last active June 12, 2023 16:32
Read only user for Kubernetes Dashboard

The built-in view ClusterRole doesn't actually have permissions for the cluster-level objects like Nodes and Persistent Volume Claims, so we'll have to create a new RBAC config.

First, we'll create a new dashboard-viewonly ClusterRole, then bind it to the dashboard's ServiceAccount:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-viewonly
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - nodes
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  - volumeattachments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  - roles
  - rolebindings
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dashboard-viewonly
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system

Now we've configured a read-only dashboard that we can safely share with people who don't even have K8s cluster access. This RBAC config does NOT grant access to Secrets, just to be a little safe.

In the web browser login view, when prompted for a Token or kubeconfig, just press SKIP to view the read-only dashboard.
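An added example (not part of the gist) for checking a ClusterRole's rules offline before binding it, using the same apiGroup/resource/verb matching the RBAC authorizer applies; RULES is a constructed subset of the dashboard-viewonly role above, and the findings it reports (Secrets readable, non-read verbs, ingresses granted only under extensions) are the ones a reviewer of this gist would look for:

```python
"""Offline check of a ClusterRole's PolicyRules, mimicking how the Kubernetes
RBAC authorizer matches a (apiGroup, resource, verb) request.  Added example,
not part of the gist; RULES is a constructed subset of dashboard-viewonly."""

READ_ONLY_VERBS = {"get", "list", "watch"}
RO = ["get", "list", "watch"]

# Constructed subset of the gist's ClusterRole ("" is the core API group).
RULES = [
    {"apiGroups": [""], "verbs": RO,
     "resources": ["configmaps", "pods", "pods/log", "nodes", "persistentvolumeclaims"]},
    {"apiGroups": ["apps"], "verbs": RO, "resources": ["deployments", "deployments/scale"]},
    {"apiGroups": ["extensions"], "verbs": RO, "resources": ["ingresses"]},
    {"apiGroups": ["networking.k8s.io"], "verbs": RO, "resources": ["networkpolicies"]},
]

def _resource_matches(rule_resources, resource):
    # Exact name, "*", or subresource wildcards ("pods/*", "*/scale").
    if "*" in rule_resources or resource in rule_resources:
        return True
    if "/" in resource:
        parent, sub = resource.split("/", 1)
        return f"{parent}/*" in rule_resources or f"*/{sub}" in rule_resources
    return False

def allowed(rules, api_group, resource, verb):
    """True if any rule grants verb on resource in api_group (RBAC is additive)."""
    for r in rules:
        if ("*" in r["apiGroups"] or api_group in r["apiGroups"]) \
                and _resource_matches(r["resources"], resource) \
                and ("*" in r["verbs"] or verb in r["verbs"]):
            return True
    return False

def audit(rules):
    """Findings a reviewer of a 'view only' role wants to see before binding it."""
    findings = []
    for r in rules:
        extra = set(r["verbs"]) - READ_ONLY_VERBS
        if extra:
            findings.append(f"non-read verbs {sorted(extra)} on {r['resources']}")
    if allowed(rules, "", "secrets", "get") or allowed(rules, "", "secrets", "list"):
        findings.append("secrets are readable through this role")
    if allowed(rules, "extensions", "ingresses", "list") and \
            not allowed(rules, "networking.k8s.io", "ingresses", "list"):
        findings.append("ingresses only granted in the old 'extensions' group")
    return findings
```

RBAC is additive, so the live equivalent, `kubectl auth can-i get secrets --as=system:serviceaccount:kube-system:kubernetes-dashboard`, also reflects every other Role or ClusterRole bound to that ServiceAccount, which is why the bound account may still read Secrets even though this ClusterRole does not grant them.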

@dsculptor

Can confirm that I am able to access secrets freely!

@karthik101 (Author)

I tested it recently on k8s- v1.18.3 and Dashboard- v2.0.1, Dashboard has read only access.

Do not copy and apply blindly. Check its API, rules, the serviceAccount it uses and the namespace where your dashboard pod runs. Edit the clusterrole according to your requirements.

@pakuma1

pakuma1 commented Feb 14, 2022

I am not able to see ingresses in the dashboard.

@NaveLevi

@pakuma1

I am not able to see ingresses in the dashboard.

The ingresses are no longer under the extensions API group. This works:

- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  - ingresses
  verbs:
  - get
  - list
  - watch

@ngk512

ngk512 commented Jun 29, 2022

Hi,
I'm not getting any option to skip login. How do I generate the token for the view-only dashboard?
