Dashboard: Is it mandatory to grant full namespace list permission to a serviceaccount to create a resource via "CREATE AN APP" tab?

Created on 5 Jan 2018 · 6 Comments · Source: kubernetes/dashboard

Environment
Dashboard version: v1.9.0
Kubernetes version: v1.9.0 
Operating system: CentOS CE 7
Node.js version: -
Go version: 1.9.2
Steps to reproduce

  1. Create a service account
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {yourusername}-user
  namespace: kube-system
  2. Attribute a role binding to the serviceaccount
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: admin-user
  namespace: {namespace}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin # or admin
subjects:
- kind: ServiceAccount
  name: {yourusername}-user
  namespace: kube-system
  3. Get the secret token and log in to the web dashboard

  4. Click on CREATE button and navigate to CREATE AN APP tab

  5. Fill the form and try to DEPLOY

Observed result

The deploy button is still disabled even though the form is filled in

The kubectl logs of the dashboard pod show

Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kube-system:learn-user" cannot list namespaces at the cluster scope

I guess it is OK because the service account does not have access to the other namespaces

I can create resources via TEXT or YAML; then I do not have permission problems

Expected result

I expected to create a new resource via "CREATE AN APP" even though the user does not have full access to list the namespaces

Comments

Cluster created via kubeadm with RBAC rules enabled.

lifecycle/frozen

All 6 comments

Currently, it is required to give user permission to list namespaces as it is not possible to manually provide a namespace. We will change that, however right now we are focusing on migrating from AngularJS to Angular 5, so no ETA.
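
An added example, not part of the original thread or the Dashboard project's own manifests: a minimal grant for the requirement described above, giving the service account only `list` on `namespaces` at cluster scope while its other permissions stay in the namespace-scoped RoleBinding. The names `namespace-lister` and `learn-user-namespace-lister` are assumptions, and the subject is the service account named in the reported log line; note that this grant lets the account see the names of all namespaces.

```yaml
# Added example; object names are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-lister              # hypothetical name
rules:
- apiGroups: [""]                     # core API group, where namespaces live
  resources: ["namespaces"]
  verbs: ["list"]                     # only the verb named in the "forbidden" error
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding              # listing namespaces at cluster scope needs a cluster-wide binding
metadata:
  name: learn-user-namespace-lister   # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: namespace-lister
subjects:
- kind: ServiceAccount
  name: learn-user                    # service account from the log line in the report
  namespace: kube-system
```

The result can be checked with `kubectl auth can-i list namespaces --as=system:serviceaccount:kube-system:learn-user`.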

Hello,

I'm a bit confused here. The cluster-admin role has access to everything, so it should include the "permission to list namespaces"... I'm not sure how I could grant permissions in dashboard to one namespace. I cannot get access either if I type in the namespace manually.

using:
k8s: 1.9.3
dashboard: 1.8.1

👍 on this issue. @floreks Would love to be able to use this at my company but being able to see other people's namespaces or interact with them is a no-go and therefore we cannot use the dashboard. Would love it to work just like how the K8s API access via kubectl works: My team is only allowed API interactions against its namespace, nothing more.

If the dashboard allowed for auth to only a particular namespace I think the audience/usefulness for dashboard would increase drastically.

Many companies that I know of using K8s are in part using it to allow their developers to be productive and manage their applications without having escalated permissions to the underlying VMs and/or "other team's stuff". Right now, unless I'm missing something, the permissions the dashboard requires leave us at a strange place in-between unfortunately.

For read access you do not need to grant namespace list privileges. The namespace selector has an input field that allows you to write the name of the namespace you want to access. Without the list privilege the namespace selector list will be empty, but the input field will always be available.

The only requirement is that the user knows the name of the namespace he wants to access.

This issue only mentions that you cannot use the create functionality without this permission. Other parts of Dashboard are working correctly.

@floreks Thank you for your work on this awesome dashboard and the quick reply. I've been using it in minikube and love it. My org's cluster is 1.6 and I see you did a required perms overhaul in 1.7+. I'll see what I can do once we upgrade to 1.9 in terms of getting it up and running (which I think will be a big benefit for everyone). Thanks again.

In v2 you can specify the namespace on your own without the list permission.
