Azure-docs: How do we make the dashboard available in RBAC enabled cluster using az aks browse?

Created on 14 Sep 2018 · 22Comments · Source: MicrosoftDocs/azure-docs

It is given that we cannot grant cluster role binding with cluster-admin role to kubernetes-dashboard service account. Any guidance around this would be greatly appreciated either using az aks OR with kubectl command.

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

ID: 2ba1dad2-9792-2a7b-cdb6-68da0524cff3
Version Independent ID: 42736112-f6db-d241-e89b-48fd2c35ceb7
Content: Manage Azure Kubernetes cluster with web UI
Content Source: articles/aks/kubernetes-dashboard.md
Service: container-service
GitHub Login: @iainfoulds
Microsoft Alias: iainfou

Pri1 container-servicsvc cxp in-progress needs-more-info product-question triaged

Source

badalk

Most helpful comment

I haven't tested this from az aks browse. It's possible that since it tunnels the connection for the Kubernetes dashboard it first checks for the running dashboard pod and the port that it's running on. If that's the blocking behavior, would need to open an issue against the Azure CLI.

Try az account get-access-token --query accessToken -o tsv to get an access token for your user, then start the connection with kubectl proxy. You can then browse to the Kubernetes dashboard at http://localhost:8001/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy/#!/login and enter the access token for your user.

iainfoulds on 19 Sep 2018

👍3 😕1 🎉1 👎1

All 22 comments

Thanks for the question! We are investigating and will update you shortly.

mimckitt on 14 Sep 2018

@badalk based on the doc it appears to provide a work around

https://docs.microsoft.com/en-us/azure/aks/kubernetes-dashboard#for-rbac-enabled-clusters

For RBAC-enabled clusters
If your AKS cluster uses RBAC, a ClusterRoleBinding must be created before you can correctly access the dashboard. By default, the Kubernetes dashboard is deployed with minimal read access and displays RBAC access errors. The Kubernetes dashboard does not currently support user-provided credentials to determine the level of access, rather it uses the roles granted to the service account. A cluster administrator can choose to grant additional access to the kubernetes-dashboard service account, however this can be a vector for privilege escalation. You can also integrate Azure Active Directory authentication to provide a more granular level of access.

Does this not address the issue? If not please clarify so I can better assist :)

mimckitt on 15 Sep 2018

Below highlighted sections sounds contradicting to me

From: Micah notifications@github.com
Sent: Friday, September 14, 2018 10:04 PM
To: MicrosoftDocs/azure-docs azure-docs@noreply.github.com
Cc: Badal Kotecha Badal.Kotecha@mindtree.com; Mention mention@noreply.github.com
Subject: Re: [MicrosoftDocs/azure-docs] How do we make the dashboard available in RBAC enabled cluster using az aks browse? (#14983)

This e-mail originated outside of Mindtree. Exercise caution before clicking links or opening attachments *

@badalkhttps://github.com/badalk based on the doc it appears to provide a work around

https://docs.microsoft.com/en-us/azure/aks/kubernetes-dashboard#for-rbac-enabled-clusters

For RBAC-enabled clusters
If your AKS cluster uses RBAC, a ClusterRoleBinding must be created before you can correctly access the dashboard. By default, the Kubernetes dashboard is deployed with minimal read access and displays RBAC access errors. The Kubernetes dashboard does not currently support user-provided credentials to determine the level of access, rather it uses the roles granted to the service account. A cluster administrator can choose to grant additional access to the kubernetes-dashboard service account, however this can be a vector for privilege escalation. You can also integrate Azure Active Directory authentication to provide a more granular level of access.

Does this not address the issue? If not please clarify so I can better assist :)

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/azure-docs/issues/14983#issuecomment-421523003, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AOYOqnE3-8IKlBpKcFpRJWk6AWbpX2dcks5ubGAogaJpZM4Woduu.

http://www.mindtree.com/email/disclaimer.html

badalk on 15 Sep 2018

@badalk sorry but I am not seeing any highlighted sections. If you reply from email you often lose the formatting. Could you reply from a PC and clarify which part is confusing?

mimckitt on 17 Sep 2018

Between these two statements:

The Kubernetes dashboard does not currently support user-provided credentials to determine the level of access, rather it uses the roles granted to the service account

You can also integrate Azure Active Directory authentication to provide a more granular level of access

How do we integrate dashboard with Azure AD auth, and in that case wouldn't it ask user to provide credentials?

Regards
Badal

badalk on 17 Sep 2018

We have a doc on how to integrate AKS with AAD

https://docs.microsoft.com/en-us/azure/aks/aad-integration

If you integrate with AAD it would prompt the user for credentials if they are not already logged into the account.

Is that not what you are looking for?

mimckitt on 18 Sep 2018

Not really. I am looking for access to dashboard based on the context of the user. For example if a user has access to a particular namespace in the cluster, will he have the similar permissions on the dashboard to deal with that specific namespace

badalk on 18 Sep 2018

👍4

@iainfoulds would you be able to comment further on this?

mimckitt on 18 Sep 2018

Rather than creating a role binding that is tied to a service account, a role binding can be created that points to the object of an Azure AD user or group. That's the only difference. It's still all controlled by that Kubernetes role and role binding in terms of which namespaces the Azure AD user or group can access, and what permissions they then have to perform actions.

There's doc update already in progress that shows how to apply these changes, but it's not really anything specific to AKS or Azure AD. The following example would grant read-only permissions for the kube-system namespace to the Azure AD group with an ID of d092bfb0-0000-0000-0000-19241f0e4e84:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: kube-system
  name: proxy-dashboard
rules:
  - apiGroups: [""]
    resources:
      - services
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources:
      - services/proxy
    verbs: ["get", "list", "watch", "create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: kube-system
  name: user-binding-dashboard
roleRef:
  kind: Role
  name: proxy-dashboard
  apiGroup: ""
subjects:
- kind: Group
  name: "d092bfb0-0000-0000-0000-19241f0e4e84"
  apiGroup: ""

iainfoulds on 19 Sep 2018

👍3

Thanks @iainfoulds , i created the role and role binding as you stated above but does this work with az aks browse? because I get a message post login with the user which is part of this new group i created in AD, saying that the logged in user does not have permissions to list pods in kube-system

az aks browse --resource-group rg-aks-arm --name myfirstakscluster Merged "myfirstakscluster" as current context in /tmp/tmpswmadxns To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code SOMECODE to authenticate. Error from server (Forbidden): pods is forbidden: User "[email protected]" cannot list pods in the namespace "kube-system" Could not find dashboard pod: Command '['kubectl', 'get', 'pods', '--kubeconfig', '/tmp/tmpswmadxns', '--namespace', 'kube-system', '--output', 'name', '--selector', 'k8s-app=kubernetes-dashboard']' returned non-zero exit status 1.

badalk on 19 Sep 2018

iainfoulds on 19 Sep 2018

👍3 😕1 🎉1 👎1

@badalk any update on this?

mimckitt on 21 Sep 2018

its not working for me either ways. I will spend some time over the weekend.

badalk on 21 Sep 2018

👍2

@badalk any luck over the weekend?

mimckitt on 24 Sep 2018

@badalk I will close for now. When ready let me know and we can reopen and continue.

mimckitt on 27 Sep 2018

Surprisingly it works for me if I use the access token but If I use the normal secret token I cannot access the k8s dashboard. I have created a seperate service account that has clusterrolebindings to my Azure AD group

Sudharma on 13 Dec 2018

I install a new cluster and now with the access token I get logged in Dashboard but get these kind of errors. Any changes on azure aks side?
configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list configmaps in the namespace "default"

Sudharma on 30 Jan 2019

Hi @Karishma-Tiwari-MSFT,

I am following this issue from various closed issues and it appears that there is no solution available for this. Any idea if a fix has been proposed for this? Appreciate your help.

love2dishtech on 22 Feb 2019

@love2dishtech This is the open issue: https://github.com/MicrosoftDocs/azure-docs/issues/23789
Further updates will be shared on that thread.
Please take a look there and let me know if you are seeing the same issue on your end.

Karishma-Tiwari-MSFT on 22 Feb 2019

@love2dishtech This is the open issue: #23789
Further updates will be shared on that thread.
Please take a look there and let me know if you are seeing the same issue on your end.

Thanks a lot for quick reply. Appreciate it.

love2dishtech on 23 Feb 2019

I haven't tested this from az aks browse. It's possible that since it tunnels the connection for the Kubernetes dashboard it first checks for the running dashboard pod and the port that it's running on. If that's the blocking behavior, would need to open an issue against the Azure CLI.

Try az account get-access-token --query accessToken -o tsv to get an access token for your user, then start the connection with kubectl proxy. You can then browse to the Kubernetes dashboard at http://localhost:8001/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy/#!/login and enter the access token for your user.

That did not work i still cannot access dashboard at 127.0.0.1:8001 and the proxy stays in starting state. Any other solution for this issue in accessing dashboard , where i am giving access to user on a seprate namespace but should be able to access AKS dashboard which is running in kube-system namespaces ?

CloudA2Z-Code on 27 Feb 2020

Rather than creating a role binding that is tied to a service account, a role binding can be created that points to the object of an Azure AD user or group. That's the only difference. It's still all controlled by that Kubernetes role and role binding in terms of which namespaces the Azure AD user or group can access, and what permissions they then have to perform actions.

There's doc update already in progress that shows how to apply these changes, but it's not really anything specific to AKS or Azure AD. The following example would grant read-only permissions for the kube-system namespace to the Azure AD group with an ID of d092bfb0-0000-0000-0000-19241f0e4e84:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: kube-system
  name: proxy-dashboard
rules:
  - apiGroups: [""]
    resources:
      - services
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources:
      - services/proxy
    verbs: ["get", "list", "watch", "create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: kube-system
  name: user-binding-dashboard
roleRef:
  kind: Role
  name: proxy-dashboard
  apiGroup: ""
subjects:
- kind: Group
  name: "d092bfb0-0000-0000-0000-19241f0e4e84"
  apiGroup: ""

If someone is trying to setup 'Kuberntes Multitenancy' on the namespace, why one would give access to 'kube-system' by role and role-binding. All we want to give acccess to only one namepsace to specific applicaion user ?

Do i sound right or not ?

CloudA2Z-Code on 27 Feb 2020

Was this page helpful?

0 / 5 - 0 ratings