Cluster information:
Kubernetes version: v1.16
Cloud being used: On-prem Virtual Machines
Installation method: kubeadm
Host OS: RHEL 7.7
CNI and version: Calico v3.11.2
CRI and version: Docker CE 18.09.9
I want to allow non-admin users to use the Kubernetes Dashboard to view the K8 objects in their namespaces. As cluster-admin, I have no issues connecting to the Kubernetes Dashboard using kubectl proxy. When I first attempted to access it with an application service account with read-only access to their entire namespace, I received the error below:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:serviceaccount:ops-jenkins-lab:k8-dashboard-ops-jenkins-lab\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"kubernetes-dashboard\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}
I added additional RBAC roles to allow the application service account access to services and services/proxy in the kubernetes-dashboard namespace. Now I get the following error:
Forbidden (403): Http failure response for http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/api/v1/login: 403 Forbidden
If I create an ingress for the dashboard, I can connect without issue to the Kubernetes Dashboard using the same application service account and have access to view all the Kubernetes objects within the namespace (once I switch from default to the correct namespace). I’d actually prefer to use the ingress, but for some reason once I connect to the Kubernetes Dashboard via a browser it hijacks the ingress for all my other applications. No matter which ingress I try to connect to, it automatically redirects me to the Kubernetes Dashboard. I have to clear all browser data to connect to other applications.
So this leaves me with needing to connect to the Kubernetes Dashboard using kubectl proxy. I’m certain there’s additional RBAC required when using kubectl proxy as a non-admin user; however, I have yet to figure it out. Any suggestions?
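Added example, not part of the original post: a small Python model of how the API server turns a request made through `kubectl proxy` into RBAC attributes (HTTP method to verb, the `services/proxy` subresource, namespace, object name) and evaluates them against a Role. `SAMPLE_ROLE`, the function names and the HTTP methods tried are assumptions for illustration; only the path and object names come from the error messages above.

```python
import re

# HTTP method -> RBAC verb for a request that names one object (Kubernetes API convention).
VERB_FOR_METHOD = {"GET": "get", "HEAD": "get", "POST": "create",
                   "PUT": "update", "PATCH": "patch", "DELETE": "delete"}

PROXY_PATH = re.compile(
    r"^/api/v1/namespaces/(?P<ns>[^/]+)/services/(?P<name>[^/]+)/proxy(?:/.*)?$")

# Constructed sample Role (dict form of the YAML), NOT the poster's actual Role.
SAMPLE_ROLE = {
    "namespace": "kubernetes-dashboard",
    "rules": [{"apiGroups": [""], "resources": ["services", "services/proxy"],
               "resourceNames": ["https:kubernetes-dashboard:"], "verbs": ["get"]}],
}

def rbac_attributes(method, path):
    """Attributes the API server authorizes for a request to a service proxy path."""
    m = PROXY_PATH.match(path)
    if m is None:
        raise ValueError("not a core-group service proxy path: " + path)
    return {"verb": VERB_FOR_METHOD[method.upper()], "apiGroup": "",
            "resource": "services", "subresource": "proxy",
            "namespace": m["ns"], "name": m["name"]}

def rule_allows(rule, attrs):
    """Evaluate one Role rule against the request attributes."""
    full = attrs["resource"] + "/" + attrs["subresource"]
    resources, names = rule["resources"], rule.get("resourceNames", [])
    return (("*" in rule["apiGroups"] or attrs["apiGroup"] in rule["apiGroups"])
            and ("*" in resources or full in resources
                 or "*/" + attrs["subresource"] in resources)
            and ("*" in rule["verbs"] or attrs["verb"] in rule["verbs"])
            and (not names or attrs["name"] in names))

def role_allows(role, attrs):
    """A Role only applies to requests in its own namespace."""
    return (role["namespace"] == attrs["namespace"]
            and any(rule_allows(r, attrs) for r in role["rules"]))

if __name__ == "__main__":
    # Path taken from the 403 message in the post; the methods are assumptions.
    login = ("/api/v1/namespaces/kubernetes-dashboard/services/"
             "https:kubernetes-dashboard:/proxy/api/v1/login")
    for method in ("GET", "POST"):
        attrs = rbac_attributes(method, login)
        print(method, attrs["verb"], "allowed" if role_allows(SAMPLE_ROLE, attrs) else "denied")
```

On a live cluster, `kubectl auth can-i <verb> services/proxy -n kubernetes-dashboard --as=system:serviceaccount:ops-jenkins-lab:k8-dashboard-ops-jenkins-lab` answers the same question for the Roles actually bound to the service account.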