Restricted Kubernetes dashboard?
Based on the answer from lwolf, I used the kubernetes-dashboard.yaml and changed it to run on the slaves, in the default namespace.
The important change is the `kind: ClusterRole, name: view` part, which assigns the view role to the dashboard user.
```yaml
# Service account the dashboard pod runs as
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: ro-dashboard
---
# Bind the view ClusterRole to that service account
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: ro-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: ro-dashboard
  apiGroup: ''
  namespace: default
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: ro-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 0
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: gcr.io/google_containers/kubernetes-dashboard-amd64:v1.6.3
        ports:
        - containerPort: 9090
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /
            port: 9090
          initialDelaySeconds: 30
          timeoutSeconds: 30
      # Run the pod with the read-only service account
      serviceAccountName: ro-dashboard
---
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: ro-dashboard
spec:
  type: LoadBalancer
  ports:
  - port: 80
    targetPort: 9090
  selector:
    k8s-app: kubernetes-dashboard
```
It should be possible in Kubernetes with RBAC enabled. You do not need to run a pod with `kubectl proxy`. I'm not sure whether it is possible to have 2 different sets of permissions for the same pod, but worst case you have to run 2 dashboards.
Basically, what you need to do is:
- deploy dashboard in your cluster with read-only permissions in RBAC
- expose your running dashboard service
- add ingress with basic HTTP auth
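
To check that the dashboard's service account really ends up read-only, this added example (not code from either answer) audits binding data for every grant that reaches the `ro-dashboard` account, including group subjects that every service account token carries implicitly. The function names, the sample bindings and the `allowed` set are assumptions made for illustration.

```python
def subject_matches(subject, namespace, name):
    """True if an RBAC subject applies to the given service account."""
    kind, subj = subject.get("kind"), subject.get("name")
    if kind == "ServiceAccount":
        return subj == name and subject.get("namespace") == namespace
    if kind == "User":
        return subj == f"system:serviceaccount:{namespace}:{name}"
    if kind == "Group":
        # Groups that every service account token carries implicitly.
        return subj in {"system:authenticated", "system:serviceaccounts",
                        f"system:serviceaccounts:{namespace}"}
    return False

def effective_roles(bindings, namespace, name):
    """Sorted (binding, roleRef kind, roleRef name) reaching the account."""
    granted = []
    for b in bindings.get("items", []):
        # 'subjects' may be absent or null on a binding.
        subjects = b.get("subjects") or []
        if any(subject_matches(s, namespace, name) for s in subjects):
            ref = b["roleRef"]
            granted.append((b["metadata"]["name"], ref["kind"], ref["name"]))
    return sorted(granted)

def violations(bindings, namespace, name,
               allowed=frozenset({("ClusterRole", "view")})):
    """Bindings that grant the account anything outside the allowed roles."""
    return [g for g in effective_roles(bindings, namespace, name)
            if g[1:] not in allowed]

# Constructed sample, shaped like the items of
# `kubectl get clusterrolebindings,rolebindings -A -o json`.
def _binding(name, role, subjects):
    return {"metadata": {"name": name}, "subjects": subjects,
            "roleRef": {"kind": "ClusterRole", "name": role}}

SAMPLE = {"kind": "List", "items": [
    _binding("ro-dashboard", "view", [
        {"kind": "ServiceAccount", "name": "ro-dashboard", "namespace": "default"}]),
    _binding("team-default-edit", "edit", [   # hypothetical group-wide grant
        {"kind": "Group", "name": "system:serviceaccounts:default"}]),
    _binding("ci-admin", "cluster-admin", [   # different account, ignored
        {"kind": "ServiceAccount", "name": "ci", "namespace": "build"}]),
    _binding("no-subjects", "cluster-admin", None),
]}

if __name__ == "__main__":
    for binding, kind, role in violations(SAMPLE, "default", "ro-dashboard"):
        print(f"not read-only: {binding} grants {kind}/{role}")
```

On a real cluster the default discovery roles bound to `system:authenticated` will also be reported unless they are added to `allowed`.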