Error while accessing Web UI Dashboard using RBAC

Question

I created a cluster role "try-usr"

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: try-usr
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch

While accessing the Web UI(Dashboard), it's throwing an error as follows:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"xyz\" cannot get services/proxy in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}

Answer 1

Depending on the kubernetes version, the dashboard will require different permissions according to the docs

v1.7

• create and watch permissions for secrets in kube-system namespace required to - create and watch for changes of kubernetes-dashboard-key-holder secret.
• get, update and delete permissions for secrets named kubernetes-dashboard-key-holder and kubernetes-dashboard-certs in kube-system namespace.
• proxy permission to heapster service in kube-system namespace required to allow getting metrics from heapster.

v1.8

• create permission for secrets in kube-system namespace required to create kubernetes-dashboard-key-holder secret.
• get, update and delete permissions for secrets named kubernetes-dashboard-key-holder and kubernetes-dashboard-certs in kube-system namespace.
• get and update permissions for config map named kubernetes-dashboard-settings in kube-system namespace.
• proxy permission to heapster service in kube-system namespace required to allow getting metrics from heapster.