krishna m

Reputation: 247

Kubernetes RBAC to restrict user to see only required resources on kubernetes dashboard

Hi Everyone, I want to restrict my developers to be able to see only the required resources on the Kubernetes dashboard (for example, only their namespace, not all the namespaces). Is it possible to do that? If yes, can someone point me to the right documents? Many thanks.

I am using the below RBAC for the kube-system namespace. However, the user is able to see all the namespaces on the dashboard rather than seeing only the namespaces he has access to.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: kube-system
  name: dashboard-reader-role
rules:
- apiGroups: [""]
  # the proxy subresource of services is named "services/proxy" (plural), not "service/proxy"
  resources: ["services/proxy"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dashboard-reader-ad-group-rolebinding
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dashboard-reader-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: "****************"

Upvotes: 1

Views: 1877

Answers (1)

Ijaz Ahmad

Reputation: 12110

Please see the k8s RBAC documentation:

Example: create a developer role in the development namespace:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 of the RBAC API was removed in Kubernetes 1.22
metadata:
  namespace: development
  name: developer
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["list", "get", "watch"]
# You can use ["*"] for all verbs

Then bind it:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 of the RBAC API was removed in Kubernetes 1.22
metadata:
  name: developer-role-binding
  namespace: development
subjects:
- kind: User
  name: DevDan
  apiGroup: rbac.authorization.k8s.io   # User and Group subjects belong to the RBAC API group
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io   # roleRef.apiGroup must be the RBAC API group

Also, there is a built-in view-only role that you can bind to a user:

https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings

C02W84XMHTD5:~ iahmad$ kubectl get clusterroles --all-namespaces  | grep view
system:aggregate-to-view                                               17d
view                                                                   17d

But this is a cluster-wide view role; if you want them to see only the stuff in a specific namespace, then create a view role in that namespace and bind it, as in the example above.

Upvotes: 1
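To make the scoping behaviour discussed in the question and the answer concrete without a cluster, here is an added Python model of RBAC evaluation. It is example code written for this page, not code from the thread and not the kube-apiserver's authorizer: it reproduces only the matching semantics that matter here (wildcards, additive rules, RoleBinding confinement to its own namespace, roleRef resolution). The two posted manifests are transcribed as dicts; the redacted AD group name is replaced by an obvious placeholder, and the `cluster-viewer` ClusterRole, the user `AuditAnne` and every request are constructed for the demonstration.

```python
"""Simplified model of Kubernetes RBAC evaluation (constructed example,
not kube-apiserver code). It answers "does any binding for this subject
resolve to a rule that allows this request?" the way RBAC does: rules
only grant, never deny, and a RoleBinding applies only inside its
own namespace."""
from dataclasses import dataclass


@dataclass
class Request:
    """One authorization decision, as the API server sees it."""
    user: str
    verb: str
    resource: str
    api_group: str = ""   # "" is the core API group
    namespace: str = ""   # "" means a cluster-scoped request (e.g. list namespaces)
    groups: tuple = ()


# The answer's manifests, transcribed from the posted YAML.
DEVELOPER_ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "development", "name": "developer"},
    "rules": [{"apiGroups": ["", "extensions", "apps"],
               "resources": ["deployments", "replicasets", "pods"],
               "verbs": ["list", "get", "watch"]}],
}
DEVELOPER_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "development", "name": "developer-role-binding"},
    "subjects": [{"kind": "User", "name": "DevDan"}],
    "roleRef": {"kind": "Role", "name": "developer"},
}

# The question's manifests; the redacted group name is a placeholder.
DASHBOARD_READER_ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "kube-system", "name": "dashboard-reader-role"},
    "rules": [{"apiGroups": [""], "resources": ["services/proxy"], "verbs": ["get"]}],
}
DASHBOARD_READER_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "kube-system", "name": "dashboard-reader-ad-group-rolebinding"},
    "subjects": [{"kind": "Group", "name": "PLACEHOLDER-AD-GROUP"}],
    "roleRef": {"kind": "Role", "name": "dashboard-reader-role"},
}

# Constructed contrast: a cluster-wide read-only binding for a hypothetical auditor.
CLUSTER_VIEWER = {
    "kind": "ClusterRole",
    "metadata": {"name": "cluster-viewer"},
    "rules": [{"apiGroups": ["", "apps"], "resources": ["*"], "verbs": ["get", "list", "watch"]}],
}
CLUSTER_VIEWER_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "cluster-viewer-binding"},
    "subjects": [{"kind": "User", "name": "AuditAnne"}],
    "roleRef": {"kind": "ClusterRole", "name": "cluster-viewer"},
}

ROLES = [DEVELOPER_ROLE, DASHBOARD_READER_ROLE, CLUSTER_VIEWER]
BINDINGS = [DEVELOPER_BINDING, DASHBOARD_READER_BINDING, CLUSTER_VIEWER_BINDING]


def _matches(allowed, value):
    """A rule field matches when it names the value or the wildcard '*'."""
    return "*" in allowed or value in allowed


def rule_allows(rule, req):
    """All three fields of one rule must match the request."""
    return (_matches(rule.get("apiGroups", []), req.api_group)
            and _matches(rule.get("resources", []), req.resource)
            and _matches(rule.get("verbs", []), req.verb))


def subject_matches(subject, req):
    if subject["kind"] == "User":
        return subject["name"] == req.user
    if subject["kind"] == "Group":
        return subject["name"] in req.groups
    return False  # ServiceAccount subjects are not modelled here


def authorize(req, roles=ROLES, bindings=BINDINGS):
    """True if any binding for this subject resolves to a rule allowing req."""
    by_key = {(r["kind"], r["metadata"].get("namespace", ""), r["metadata"]["name"]): r
              for r in roles}
    for b in bindings:
        if not any(subject_matches(s, req) for s in b["subjects"]):
            continue
        # A RoleBinding only covers requests inside its own namespace, so a
        # cluster-scoped request (namespace "") such as listing all namespaces
        # never matches one, whatever the referenced role says.
        if b["kind"] == "RoleBinding" and req.namespace != b["metadata"]["namespace"]:
            continue
        ref = b["roleRef"]
        ref_ns = b["metadata"]["namespace"] if ref["kind"] == "Role" else ""
        role = by_key.get((ref["kind"], ref_ns, ref["name"]))  # dangling refs grant nothing
        if role is not None and any(rule_allows(rule, req) for rule in role["rules"]):
            return True
    return False  # no deny rules exist: anything not granted is refused
```

Running `authorize` over a few constructed requests shows the point of the answer: DevDan can list pods in `development` but not in `production`, the AD group can only reach `services/proxy` in `kube-system`, and neither of these namespaced bindings can grant the cluster-scoped request to list all namespaces, which only a ClusterRoleBinding such as AuditAnne's does.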
