Dashboard: Update docs to cover RBAC changes in K8S 1.6

Created on 31 Mar 2017 · 12 Comments · Source: kubernetes/dashboard

As mentioned in #1800, we should add some info to our documentation that, because of changes in Kubernetes 1.6, users who want to enable RBAC should configure it first to allow Dashboard access to the API server.

kind/bug


All 12 comments

a temporary workaround to make it work:

```yaml
# Create the ClusterRoleBinding:
# $ kubectl create -f kube-dashboard-rbac.yml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: dashboard-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: default
  namespace: kube-system
```

This is clearly giving a ton of perms to the default user and is probably a very bad idea for systems beyond just playing around.

I stumbled over the same documentation problem and the same issue as in #1806. Any real solution yet?

@kleinsasserm We could prepare some basic Roles and a new SA for Dashboard, but it's really up to the user how he wants to configure the authorization layer in his cluster. He might want to make Dashboard read-only and block create/update permissions, or just give full permissions.

I will prepare an additional YAML that will work with an out-of-the-box 1.6 cluster, but it will grant all permissions that Dashboard needs to be fully operational.

For now I'd recommend reading the RBAC-related documentation and configuring it on your own.

What I want to say is that the documentation (https://kubernetes.io/docs/user-guide/ui/, https://github.com/kubernetes/dashboard) is misleading: there is not a single word about RBAC. It just does not work. RBAC is really OK, and so is your suggestion, but I think it would be helpful and sufficient if you included an example of how to set up a new SA and a role for Dashboard, and how to use them (YAML). Pointing to the RBAC docs, which are mostly abstract (which is also OK for technical purposes), without a useful example is a bit of a ping-pong game, because once again the current documentation is not working. Oh, if you want, I can test it. Thank you for your support!

As a workaround I've created a ServiceAccount:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard
  namespace: kube-system
```

Made that account a cluster-admin:

```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: dashboard
  namespace: kube-system
```

And modified the Pod template in the kubernetes-dashboard Deployment:

```yaml
spec:
  template:
    spec:
      serviceAccountName: dashboard
```

Probably the easiest to do via `kubectl edit deploy -n kube-system kubernetes-dashboard`

Hope it helps someone..

@lenartj you are welcome to create a PR and add additional dashboard yaml that is compliant with kubernetes 1.6. If you don't have time we can do it for you.

Done in #1856.

Speaking as a developer setting up their first Kubernetes cluster from scratch (and having no prior experience with Kubernetes), I agree with @kleinsasserm that the documentation is at the very least misleading. As of 1.8 though it seems that RBAC is the norm, and there is no possibility that just doing:

```
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
```

with the current version will work, given a fresh kubernetes cluster, so the documentation might also be considered for promotion to flat out wrong.

Kudos to @lenartj for the workaround. For an updated version, if you drop this in the existing kubernetes-dashboard.yaml it should work:

```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-rb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
```
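
Every workaround in this thread binds the built-in `cluster-admin` ClusterRole to a service account in `kube-system`. As an added example (not part of any comment above and not the Dashboard project's code), the sketch below audits the output of `kubectl get clusterrolebindings -o json` for such grants; the function name `audit_bindings`, the severity labels and the sample data are assumptions made for illustration.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`;
# two entries mirror bindings posted in this thread, the rest are made up.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "dashboard-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default",
                   "namespace": "kube-system"}]},
    {"metadata": {"name": "dashboard"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "dashboard",
                   "namespace": "kube-system"}]},
    {"metadata": {"name": "orphaned"},  # binding with no subjects at all
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": None},
    {"metadata": {"name": "viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "dashboard",
                   "namespace": "kube-system"}]},
]})


def audit_bindings(raw_json, role="cluster-admin"):
    """Return sorted (severity, binding, subject) for workload identities bound to `role`."""
    findings = []
    for item in json.loads(raw_json).get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        for subj in item.get("subjects") or []:  # subjects may be null
            kind, name = subj.get("kind"), subj.get("name", "")
            if kind == "ServiceAccount":
                # Pods that set no serviceAccountName run as "default".
                sev = "HIGH" if name == "default" else "MEDIUM"
                who = f"{subj.get('namespace', '?')}/{name}"
            elif kind == "Group" and name.startswith("system:serviceaccounts"):
                sev, who = "HIGH", name  # all SAs in a namespace or cluster
            else:
                continue  # human users and other groups are out of scope
            findings.append((sev, item["metadata"]["name"], who))
    return sorted(findings)


if __name__ == "__main__":
    for sev, binding, who in audit_bindings(SAMPLE):
        print(f"{sev:6} {binding}: {who} -> cluster-admin")
```

Passing `role="view"` (another built-in ClusterRole) lists the service accounts that hold only read access, which is the read-only setup mentioned earlier in the thread.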

Of course Dashboard will work if you use this command. You won't have access if you do not log in but Dashboard will work just fine. Everything is described on our wiki pages. Giving admin permissions to Dashboard also.

Maybe I missed something, but for version 1.6 (1.6.7 at least), I don't see any solution here...
