How to restrict kubernetes dashboard to a specific dashboard for a user assigned to a specific Role

Question

I'm trying to restrict the a user on the kubernetes dashboard that connects to kubectl after i created a .crt for him and the respective config.

I successfully restricted what he can do with the following role.yaml

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 namespace: development
 name: dev
rules:
- apiGroups: [""]
  resources: ["pods", "services", "crontabs", "pods/log"]
  verbs: ["create", "get", "update", "list", "delete"]
- apiGroups: ["batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["*"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["create", "get", "update", "list", "delete"]

and cluster binding

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-susann
rules:
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["https:kubernetes-dashboard:"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

for him to be able to access the dashboard. The problem is that i only want him to be able to access the namespace development.

I already searched a bit and some solutions seem to involve creating a service account and another problem might be because the permissions to see the dashboard are giving on a cluster role and that can't be namespaced.

Is there a best approach to solve this problem?

Answer 1

This can be done with a proper RBAC configuration.

You need to create a RoleBinding in the specific namespace. For example, the RBAC rules could be created as follows:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev
  namespace: development
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: dev

With it, the dev Role would have the pre-defined cluster role edit that would restrict them to the standard operations on most objects, via the dashboard. The dev would not be able to drop-down list the other namespaces.

In order to fully understand the whole process I strongly recommend going through the below guide:

• Installing Kubernetes Dashboard per Namespace

If you need to use this or a similar approach for a larger scale, you can consider using this tool:

• RBAC Manager

And if you seek more knowledge regarding this particular topic I suggest checking out the below sources:

• Using RBAC Authorization

• Create Kubernetes Service / User Account restricted to one Namespace

• KUBERNETES AND RBAC: RESTRICT USER ACCESS TO ONE NAMESPACE

Going through the guide and supplementing any needed knowledge with the linked sources will make it way easier for you to understand and implement this solution in your use case.