Question
Is it possible to have a restricted Kubernetes dashboard? The idea is to have a pod running kubectl proxy in the cluster (protected with basic HTTP authentication) to get a quick overview of the status:
- Log output of the pods
- Running services and pods
- Current CPU/memory usage
However, I do not want users to be able to do "privileged" actions, like creating new pods, deleting pods or accessing secrets.
Is there some option to start the dashboard with a specified user or with restricted permissions?
Answer 1:
It should be possible in kubernetes with RBAC enabled.
You do not need to run a pod with kubectl proxy.
I'm not sure whether it is possible to have 2 different sets of permissions for the same pod, but worst case you have to run 2 dashboards.
Basically, what you need to do is:
- deploy dashboard in your cluster with read-only permissions in RBAC
- expose your running dashboard service
- add ingress with basic HTTP auth
Answer 2:
Based on the answer from lwolf, I used the kubernetes-dashboard.yaml and changed it to run on the slaves, in the default namespace.
The important change is the kind: ClusterRole, name: view part, which assigns the view role to the dashboard user.
```yaml
# Dedicated ServiceAccount for the read-only dashboard.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: ro-dashboard
---
# Bind that ServiceAccount to the built-in, read-only "view" ClusterRole.
# "view" grants get/list/watch on most namespaced resources but deliberately
# excludes Secrets, which is exactly what the question asks for.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: ro-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: ro-dashboard
  apiGroup: ''
  namespace: default   # must match the namespace the Deployment runs in
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: ro-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 0
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: gcr.io/google_containers/kubernetes-dashboard-amd64:v1.6.3
        ports:
        - containerPort: 9090
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /
            port: 9090
          initialDelaySeconds: 30
          timeoutSeconds: 30
      # The pod's token is the one bound above, so the dashboard only ever
      # acts with "view" permissions.
      serviceAccountName: ro-dashboard
---
# Note: a LoadBalancer Service exposes port 80 with no authentication of its own;
# the basic-auth ingress from answer 1 is what protects it.
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: ro-dashboard
spec:
  type: LoadBalancer
  ports:
  - port: 80
    targetPort: 9090
  selector:
    k8s-app: kubernetes-dashboard
```
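An added offline check, not part of the question or either answer, that a manifest like the one above really is read-only: it verifies that the bound role grants only get/list/watch, that it cannot reach Secrets, and that the binding's subject is the exact ServiceAccount (name and namespace) the dashboard pod runs as. The rule sets for `view` and `cluster-admin` are constructed and abbreviated stand-ins for the real built-in roles, and the function names are hypothetical.

```python
READ_ONLY_VERBS = {"get", "list", "watch"}

def rules_are_read_only(rules):
    """True if every PolicyRule grants only get/list/watch (a '*' verb fails too)."""
    return all(set(r.get("verbs", [])) <= READ_ONLY_VERBS for r in rules)

def rules_reach_secrets(rules):
    """True if any rule covers Secrets, directly or via a wildcard resource."""
    return any({"*", "secrets"} & set(r.get("resources", [])) for r in rules)

def audit_dashboard(binding, deployment, roles):
    """Return a list of findings for a dashboard binding; an empty list means OK."""
    findings = []
    role_name = binding["roleRef"]["name"]
    rules = roles.get(role_name)
    if rules is None:
        findings.append(f"roleRef {role_name!r} not in the supplied role set")
    else:
        if not rules_are_read_only(rules):
            findings.append(f"role {role_name!r} grants write verbs")
        if rules_reach_secrets(rules):
            findings.append(f"role {role_name!r} can read Secrets")
    # The binding only takes effect if its subject is the exact ServiceAccount
    # (name AND namespace) that the dashboard pod actually runs as.
    pod_spec = deployment["spec"]["template"]["spec"]
    sa_name = pod_spec.get("serviceAccountName", "default")
    sa_ns = deployment["metadata"].get("namespace", "default")
    bound = any(
        s["kind"] == "ServiceAccount" and s["name"] == sa_name
        and s.get("namespace", "default") == sa_ns
        for s in binding.get("subjects", [])
    )
    if not bound:
        findings.append(f"no subject matches serviceaccount {sa_ns}/{sa_name}")
    return findings

# Constructed, abbreviated rule sets standing in for the built-in ClusterRoles;
# the real "view" role lists many more resources, but likewise omits Secrets.
ROLES = {
    "view": [{"apiGroups": [""], "resources": ["pods", "pods/log", "services"],
              "verbs": ["get", "list", "watch"]}],
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
# Binding and Deployment trimmed from the manifest above (same names, same namespace).
BINDING = {"roleRef": {"kind": "ClusterRole", "name": "view"},
           "subjects": [{"kind": "ServiceAccount", "name": "ro-dashboard", "namespace": "default"}]}
DEPLOYMENT = {"metadata": {"name": "ro-dashboard"},
              "spec": {"template": {"spec": {"serviceAccountName": "ro-dashboard"}}}}
```

Against a live cluster the equivalent question is `kubectl auth can-i --list --as=system:serviceaccount:default:ro-dashboard`, which prints what the dashboard's token is actually allowed to do.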
Source: https://stackoverflow.com/questions/45915402/restricted-kubernetes-dashboard