Restricted Kubernetes dashboard?

Posted 2019-05-14 07:26

Question:

Is it possible to have a restricted Kubernetes dashboard? The idea is to have a pod running kubectl proxy in the cluster (protected with basic HTTP authentication) to get a quick overview of the status:

  • Log output of the pods
  • Running services and pods
  • Current CPU/memory usage

However, I do not want users to be able to do "privileged" actions, like creating new pods, deleting pods or accessing secrets.

Is there some option to start the dashboard with a specified user or with restricted permissions?

Answer 1:

It should be possible in Kubernetes with RBAC enabled. You do not need to run a pod with kubectl proxy. I'm not sure whether it is possible to have 2 different sets of permissions for the same pod, but worst case you have to run 2 dashboards.

Basically, what you need to do is:

  • deploy dashboard in your cluster with read-only permissions in RBAC
  • expose your running dashboard service
  • add ingress with basic HTTP auth


Answer 2:

Based on the answer from lwolf, I used the kubernetes-dashboard.yaml and changed it to run on the slaves, in the default namespace.

The important change is the kind: ClusterRole, name: view part, which assigns the view role to the dashboard user.

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: ro-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: ro-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: ro-dashboard
  apiGroup: ''
  namespace: default
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: ro-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 0
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: gcr.io/google_containers/kubernetes-dashboard-amd64:v1.6.3
        ports:
        - containerPort: 9090
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /
            port: 9090
          initialDelaySeconds: 30
          timeoutSeconds: 30
      serviceAccountName: ro-dashboard
---
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: ro-dashboard
spec:
  type: LoadBalancer
  ports:
  - port: 80
    targetPort: 9090
  selector:
    k8s-app: kubernetes-dashboard
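As an added example (not part of either answer), here is a small Python model of how RBAC matches a request against PolicyRules, used to show why binding the built-in `view` ClusterRole fits the question: it grants get/list/watch on pods, pod logs and services but carries no create/delete verbs and no rule for secrets. `VIEW_RULES` is a constructed subset of the real role, and `allowed` / `dashboard_permission_report` are names chosen for this example; on a real cluster the same checks are `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:default:ro-dashboard`.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyRule:
    """One RBAC rule: which verbs on which resources in which API groups."""
    api_groups: frozenset  # "" is the core API group
    resources: frozenset   # may include subresources such as "pods/log"
    verbs: frozenset


# Constructed subset of the built-in ClusterRole "view": read-only verbs only,
# and deliberately no rule for "secrets" (the real role omits them as well).
RO = frozenset({"get", "list", "watch"})
VIEW_RULES = (
    PolicyRule(frozenset({""}),
               frozenset({"pods", "pods/log", "pods/status", "services",
                          "events", "configmaps"}), RO),
    PolicyRule(frozenset({"apps", "extensions"}),
               frozenset({"deployments", "replicasets"}), RO),
)


def allowed(rules, verb, resource, api_group=""):
    """RBAC is allow-only: a request is permitted iff some rule matches the
    verb, the API group and the (sub)resource. "*" acts as a wildcard."""
    for rule in rules:
        if verb not in rule.verbs and "*" not in rule.verbs:
            continue
        if api_group not in rule.api_groups and "*" not in rule.api_groups:
            continue
        if resource in rule.resources or "*" in rule.resources:
            return True
    return False  # no matching rule: the API server denies the request


def dashboard_permission_report(rules):
    """Map the asker's wanted and unwanted actions to allowed/denied."""
    checks = {
        "list pods": ("list", "pods"),
        "read pod logs": ("get", "pods/log"),
        "list services": ("list", "services"),
        "create pods": ("create", "pods"),
        "delete pods": ("delete", "pods"),
        "get secrets": ("get", "secrets"),
    }
    return {name: allowed(rules, verb, res) for name, (verb, res) in checks.items()}


if __name__ == "__main__":
    for name, ok in dashboard_permission_report(VIEW_RULES).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}")
```

CPU/memory figures come from the metrics backend the dashboard talks to, not from these rules, so check that separately.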