user permissions needed for token access to kubernetes dashboard with RBAC
I couldn't find a different way other than providing some access to kube-system, so I did using the following role and binding:
kind: RoleapiVersion: rbac.authorization.k8s.io/v1beta1metadata: namespace: kube-system name: user-role-dashboardrules: - apiGroups: [""] resources: - services verbs: ["get", "list", "watch"] - apiGroups: [""] resources: - services/proxy verbs: ["get", "list", "watch", "create"]---kind: RoleBindingapiVersion: rbac.authorization.k8s.io/v1beta1metadata: namespace: kube-system name: user-binding-dashboardsubjects:- kind: User name: system:serviceaccount:<namespace>:<username> apiGroup: ""roleRef: kind: Role name: user-role-dashboard apiGroup: ""
Would still like to know whether there is a better way though, your thoughts and suggestions are welcome!
I have the same situation and found my answer in this post: Kubernetes Dashboard Installation Deep Dive. It worked perfectly.
The idea is to create a PKCS #12 file from the kubernetes-admin user's certificate and key. Import this into your browser, then access the dashboard through the API server (I did not use a proxy). Note that SKIP will not grant any access. Login using the bearer token as normal, and the dashboard rights are restricted by the user's token.