manoj kumar

Reputation: 93

Error while accessing Web UI Dashboard using RBAC

I created a cluster role "try-usr":

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: try-usr
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch

While accessing the Web UI (Dashboard), it throws the following error:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"xyz\" cannot get services/proxy in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}

Upvotes: 2

Views: 1172

Answers (1)

Jose Armesto

Reputation: 13799

Depending on the Kubernetes version, the dashboard will require different permissions, according to the docs:

v1.7

  • create and watch permissions for secrets in kube-system namespace required to create and watch for changes of kubernetes-dashboard-key-holder secret.
  • get, update and delete permissions for secrets named kubernetes-dashboard-key-holder and kubernetes-dashboard-certs in kube-system namespace.
  • proxy permission to heapster service in kube-system namespace required to allow getting metrics from heapster.

v1.8

  • create permission for secrets in kube-system namespace required to create kubernetes-dashboard-key-holder secret.
  • get, update and delete permissions for secrets named kubernetes-dashboard-key-holder and kubernetes-dashboard-certs in kube-system namespace.
  • get and update permissions for config map named kubernetes-dashboard-settings in kube-system namespace.
  • proxy permission to heapster service in kube-system namespace required to allow getting metrics from heapster.

Upvotes: 0
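
The v1.8 permission list from the answer above, written out as a namespaced Role and RoleBinding. This is an added example, not part of the original answer and not the Dashboard project's own manifest; the Role/RoleBinding name `dashboard-minimal` and the `kubernetes-dashboard` ServiceAccount subject are assumptions.

```yaml
# Added example. Names (dashboard-minimal, the kubernetes-dashboard
# ServiceAccount) are assumptions, not taken from the page.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dashboard-minimal
  namespace: kube-system
rules:
# create cannot be restricted with resourceNames (the new object's name may
# not be known at authorization time), so it is granted on secrets as a whole.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
# get/update/delete limited to the two named secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
# get/update limited to the settings config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
# Proxy to the heapster service for metrics, written both as the proxy verb
# from the list and as get on the services/proxy subresource (the form the
# 403 in the question reports, with scheme:name:port style names).
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard   # assumed ServiceAccount name
  namespace: kube-system
```

A Role grants nothing until a binding names a subject, which is why the RoleBinding is included alongside it.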
