Kubernetes dashboard doesn't accept view-only serviceaccount token
It's possible to create a service account in k8s and restrict it to a specific namespace.
Follow these steps:
- I assume k8s-dashboard is installed on your k8s cluster.
- I also assume you have created admin-user to access k8s-dashboard by following these steps.
- Now, to restrict developers to a specific namespace on k8s, create a service account with the following contents:

```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mynamespace-user
  namespace: mynamespace
---
kind: Role
# the original used rbac.authorization.k8s.io/v1beta1, which was removed in Kubernetes 1.22
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mynamespace-user-full-access
  namespace: mynamespace
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mynamespace-user-view
  namespace: mynamespace
subjects:
- kind: ServiceAccount
  name: mynamespace-user
  namespace: mynamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: mynamespace-user-full-access
```
Replace mynamespace with the name of the namespace to which you want to restrict developers.
- You can log in to k8s-dashboard using the access token, which can be retrieved with this command:

```shell
# both kubectl calls must use the ServiceAccount's namespace (the original used a different
# namespace, "flow", in the inner call); on clusters that no longer auto-create a token secret,
# `kubectl -n mynamespace create token mynamespace-user` issues one instead
kubectl -n mynamespace describe secret $(kubectl -n mynamespace get secret | grep mynamespace-user | awk '{print $1}')
```
- You can also log in to k8s-dashboard using a kube config. The kube config contents will be:

```yaml
apiVersion: v1
kind: Config
preferences: {}
# Define the cluster
clusters:
- cluster:
    certificate-authority-data: PLACE CERTIFICATE HERE
    # You'll need the API endpoint of your Cluster here:
    server: https://YOUR_KUBERNETES_API_ENDPOINT
  name: my-cluster
# Define the user
users:
- name: mynamespace-user
  user:
    as-user-extra: {}
    # not needed for token authentication; if set, it must be a base64-encoded client key
    # client-key-data: PLACE CERTIFICATE HERE
    token: PLACE USER TOKEN HERE
# Define the context: linking a user to a cluster
contexts:
- context:
    cluster: my-cluster
    namespace: mynamespace
    user: mynamespace-user
  name: mynamespace
# Define current context
current-context: mynamespace
```
- The certificate can be retrieved using this command:

```shell
# the inner call must use the ServiceAccount's namespace (the original used "flow" here)
kubectl -n mynamespace get secret $(kubectl -n mynamespace get secret | grep mynamespace-user | awk '{print $1}') -o "jsonpath={.data['ca\.crt']}"
```
I have tried these steps in my environment and it works perfectly.
Refer to this for more info.
Hope this helps.
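As an added example (not from the answer above or from the Kubernetes project), a small Python check a practitioner can run over the three manifests before applying them: it confirms the ServiceAccount, Role and RoleBinding all sit in the target namespace, that the binding references a namespaced Role rather than a ClusterRole, and reports whether the Role is view-only or full access (the Role in the answer is full access despite the binding's `-view` name). It assumes the manifests have been loaded into dicts of the shape `yaml.safe_load` produces; the sample below is constructed inline.

```python
"""Added example: sanity-check a namespace-scoped ServiceAccount/Role/RoleBinding
set and classify the Role's access level. No YAML library needed."""
from typing import Dict, List

READ_ONLY_VERBS = {"get", "list", "watch"}

# Constructed sample: the three manifests from the answer, namespace "mynamespace".
MANIFESTS: List[Dict] = [
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "mynamespace-user", "namespace": "mynamespace"}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "mynamespace-user-full-access", "namespace": "mynamespace"},
     "rules": [
         {"apiGroups": ["", "extensions", "apps"], "resources": ["*"], "verbs": ["*"]},
         {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["*"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
     "metadata": {"name": "mynamespace-user-view", "namespace": "mynamespace"},
     "subjects": [{"kind": "ServiceAccount", "name": "mynamespace-user",
                   "namespace": "mynamespace"}],
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                 "name": "mynamespace-user-full-access"}},
]


def check_rbac(docs: List[Dict], namespace: str) -> List[str]:
    """Return findings; an empty list means the set is consistent and confined
    to `namespace` (no ClusterRole reference, no cross-namespace subject)."""
    by_kind = {d["kind"]: d for d in docs}
    missing = [k for k in ("ServiceAccount", "Role", "RoleBinding") if k not in by_kind]
    if missing:
        return [f"missing {k}" for k in missing]
    sa, role, rb = by_kind["ServiceAccount"], by_kind["Role"], by_kind["RoleBinding"]
    findings = [f'{d["kind"]} {d["metadata"]["name"]} is not in namespace {namespace}'
                for d in (sa, role, rb) if d["metadata"].get("namespace") != namespace]
    ref = rb["roleRef"]
    if ref["kind"] != "Role" or ref["name"] != role["metadata"]["name"]:
        findings.append("RoleBinding.roleRef does not reference the namespaced Role")
    if not any(s["kind"] == "ServiceAccount" and s["name"] == sa["metadata"]["name"]
               and s.get("namespace") == namespace for s in rb["subjects"]):
        findings.append("RoleBinding does not bind the ServiceAccount in this namespace")
    return findings


def access_level(role: Dict) -> str:
    """'view-only' when every rule grants only get/list/watch, else 'full-access'."""
    for rule in role.get("rules", []):
        if not set(rule.get("verbs", [])) <= READ_ONLY_VERBS:
            return "full-access"
    return "view-only"
```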