Kubernetes dashboard doesn't accept view-only serviceaccount token


It's possible to create a service account in k8s and restrict it to a specific namespace.

Follow these steps:

  • I assume k8s-dashboard is installed on your k8s cluster.
  • I also assume you have created admin-user to access k8s-dashboard by following these steps.
  • Now, to restrict developers to a specific namespace on k8s, create a service account with the following contents:

    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: mynamespace-user
      namespace: mynamespace
    ---
    # rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the stable API.
    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mynamespace-user-full-access
      namespace: mynamespace
    rules:
    # All resources and all verbs in the core, extensions and apps API groups
    - apiGroups: ["", "extensions", "apps"]
      resources: ["*"]
      verbs: ["*"]
    # All verbs on jobs and cronjobs
    - apiGroups: ["batch"]
      resources:
      - jobs
      - cronjobs
      verbs: ["*"]
    ---
    # Bind the Role to the ServiceAccount inside the namespace
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mynamespace-user-view
      namespace: mynamespace
    subjects:
    - kind: ServiceAccount
      name: mynamespace-user
      namespace: mynamespace
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: mynamespace-user-full-access

Replace mynamespace with the name of the namespace to which you want to restrict developers.

  • You can log in to k8s-dashboard using an access token, which can be retrieved using this command:

    kubectl -n mynamespace describe secret $(kubectl -n mynamespace get secret | grep mynamespace-user | awk '{print $1}')
  • You can also log in to k8s-dashboard using a kube config. The kube config contents will be:

    apiVersion: v1
    kind: Config
    preferences: {}

    # Define the cluster
    clusters:
    - cluster:
        certificate-authority-data: PLACE CERTIFICATE HERE
        # You'll need the API endpoint of your Cluster here:
        server: https://YOUR_KUBERNETES_API_ENDPOINT
      name: my-cluster

    # Define the user
    users:
    - name: mynamespace-user
      user:
        as-user-extra: {}
        client-key-data: PLACE CERTIFICATE HERE
        token: PLACE USER TOKEN HERE

    # Define the context: linking a user to a cluster
    contexts:
    - context:
        cluster: my-cluster
        namespace: mynamespace
        user: mynamespace-user
      name: mynamespace

    # Define current context
    current-context: mynamespace
  • The certificate can be retrieved using this command:

    kubectl -n mynamespace get secret $(kubectl -n mynamespace get secret | grep mynamespace-user | awk '{print $1}') -o "jsonpath={.data['ca\.crt']}"

I have tried these steps in my environment and it works perfectly.

Refer to this for more info.

Hope this helps.
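
An added example, not part of the original answer: a simplified Python check of what the Role in the manifest above grants, useful when the goal is a view-only token as in the question title. The Role rules are embedded as constructed JSON, `VIEW_ROLE` is a hypothetical read-only variant, and the matcher is a simplification that ignores `resourceNames` and subresources.

```python
import json

# Constructed input: the Role from the answer, in the JSON shape printed by
# `kubectl -n mynamespace get role mynamespace-user-full-access -o json`.
ANSWER_ROLE = json.loads("""
{"kind": "Role",
 "metadata": {"name": "mynamespace-user-full-access", "namespace": "mynamespace"},
 "rules": [
  {"apiGroups": ["", "extensions", "apps"], "resources": ["*"], "verbs": ["*"]},
  {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["*"]}]}
""")

# Hypothetical read-only variant (an assumption, not from the page).
VIEW_ROLE = {"kind": "Role", "rules": [
    {"apiGroups": ["", "apps"],
     "resources": ["pods", "services", "configmaps", "deployments"],
     "verbs": ["get", "list", "watch"]}]}

READ_VERBS = {"get", "list", "watch"}


def matches(allowed, wanted):
    """RBAC list match: '*' in the rule matches any value."""
    return "*" in allowed or wanted in allowed


def allows(role, verb, api_group, resource):
    """True if any rule grants `verb` on `resource` in `api_group`.
    Simplified: ignores resourceNames and subresources such as pods/log."""
    return any(
        matches(rule.get("apiGroups", []), api_group)
        and matches(rule.get("resources", []), resource)
        and matches(rule.get("verbs", []), verb)
        for rule in role.get("rules", []))


def write_grants(role):
    """List (apiGroup, resource, verb) grants beyond get/list/watch."""
    return [(group, res, verb)
            for rule in role.get("rules", [])
            for verb in rule.get("verbs", []) if verb not in READ_VERBS
            for group in rule.get("apiGroups", [])
            for res in rule.get("resources", [])]


if __name__ == "__main__":
    for name, role in (("answer", ANSWER_ROLE), ("view-only", VIEW_ROLE)):
        print(name, "writes:", write_grants(role),
              "| reads secrets:", allows(role, "get", "", "secrets"))
```

With the answer's Role, the wildcard on the core API group also covers Secrets in the namespace, so the token can read other service accounts' tokens stored there.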