Dashboard RBAC Authorization Levels

The Kubernetes Dashboard supports Role-Based Access Control (RBAC) to restrict or grant permissions to users based on their identity. Implementing RBAC allows administrators to separate concerns, ensuring that developers can view Pod status without requiring direct host access or full administrative privileges^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md].

Administrator Authorization

The highest level of access is granted through the cluster-admin ClusterRole, typically bound to a ServiceAccount named kubernetes-dashboard-admin.^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md]

  • ServiceAccount: kubernetes-dashboard-admin
  • ClusterRole: cluster-admin
  • Capabilities: Grants full administrative access to the cluster.
  • Usage: Suitable for system administrators who require complete control over all cluster resources.^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md]

Implementation

To create this user, a ClusterRoleBinding is defined in an RBAC configuration file (e.g., rbac.yaml) to link the ServiceAccount to the cluster-admin role:^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md]

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard-admin
  namespace: kube-system

This ServiceAccount is then specified in the Dashboard Deployment YAML under spec.template.spec.serviceAccountName.^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md]
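As an added example (not taken from the cited notes), here are the two remaining pieces of the admin level that the text refers to but does not show: the ServiceAccount that the ClusterRoleBinding above binds, and the Deployment fragment that sets spec.template.spec.serviceAccountName. The ServiceAccount name and namespace are those given above; the Deployment name, label and container image are assumptions (the image is a placeholder).

```yaml
# Added example. ServiceAccount referenced by the ClusterRoleBinding above.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-dashboard-admin
  namespace: kube-system
---
# Excerpt of the Dashboard Deployment (name, label and image are assumptions);
# only serviceAccountName matters for the authorization level.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      # The pod's own token now carries cluster-admin rights.
      serviceAccountName: kubernetes-dashboard-admin
      containers:
      - name: kubernetes-dashboard
        image: <dashboard-image>   # placeholder, substitute the real image
```

Running the Dashboard pod itself under cluster-admin means that anyone who obtains that pod's mounted token holds full control of the cluster, so the view-only default described in the next section is the safer baseline, with admin rights supplied only through the login token. On Kubernetes 1.24 and later a token Secret is no longer created automatically for a ServiceAccount; kubectl create token <serviceaccount> -n kube-system issues a short-lived one instead.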

View-Only Authorization

For users who require visibility into cluster resources without the ability to modify them, a "minimal" or view-only configuration is used.^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md]

  • ServiceAccount: kubernetes-dashboard
  • ClusterRole: dashboard-viewonly
  • Capabilities: Restricted to get, list, and watch verbs across core resources (pods, services, nodes) and specific API groups (apps, batch, networking).^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md]
  • Usage: Designed for developers or stakeholders who need to monitor the cluster state or read logs.

Implementation

This level is implemented using an rbac-minimal.yaml file which defines a custom ClusterRole with strictly read-only permissions.^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md]

The ClusterRole grants no modification verbs (create, update, delete); Kubernetes RBAC is allow-only, so any verb not listed is refused. It limits access to:

  • Core Resources: configmaps, endpoints, persistentvolumeclaims, pods, services, nodes.
  • Logging: pods/log (access via get).
  • API Groups: Read-only access to apps (deployments, statefulsets), batch (cronjobs), and networking.k8s.io (networkpolicies).^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md]

As at the admin level, the Deployment is updated to use the kubernetes-dashboard ServiceAccount by default, so the dashboard operates with these restricted privileges unless a user logs in with an admin token.^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md]
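As an added example (this is not the cited notes' rbac-minimal.yaml), the following manifest expresses the read-only level described above as a ClusterRole covering exactly the resources listed, plus a ClusterRoleBinding to the kubernetes-dashboard ServiceAccount, which is assumed to already exist in kube-system. The binding name kubernetes-dashboard-viewonly is an assumption.

```yaml
# Added example: read-only ClusterRole for the Dashboard's default ServiceAccount.
# Kubernetes RBAC is allow-only, so write verbs are withheld simply by not listing them.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-viewonly
rules:
- apiGroups: [""]          # core API group
  resources: ["configmaps", "endpoints", "persistentvolumeclaims", "pods", "services", "nodes"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods/log"]  # subresource: read container logs only
  verbs: ["get"]
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
  resources: ["cronjobs"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["networkpolicies"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-viewonly   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dashboard-viewonly
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard   # assumed to exist, created by the Dashboard manifest
  namespace: kube-system
```

After applying it, check the result from the ServiceAccount's point of view with kubectl auth can-i, which impersonates the account: kubectl auth can-i get pods/log --as=system:serviceaccount:kube-system:kubernetes-dashboard should answer yes, and kubectl auth can-i delete pods --as=system:serviceaccount:kube-system:kubernetes-dashboard should answer no. Note that secrets are absent from the resource list, so a view-only login cannot use the Dashboard to read other ServiceAccounts' tokens.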

Authentication Tokens

Access to the dashboard is secured using bearer tokens associated with the ServiceAccounts.^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md]

  • Retrieval: Tokens are stored as Kubernetes Secrets within the kube-system namespace. They can be listed with kubectl get secret and shown in decoded form with kubectl describe secret <secret-name>.^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md]
  • Usage:
    • Admin Login: Uses the token from the kubernetes-dashboard-admin-token-xxxxx secret.
    • User Login: Uses the token from the kubernetes-dashboard-token-xxxxx secret.^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md]

In Dashboard v1.10.1, authentication is mandatory; users cannot bypass login. This enforces the security principle where only authorized personnel (with valid tokens) can access the interface, and their permissions are strictly dictated by the bound RBAC roles.^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md]

Sources

^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md]

  • Kubernetes
  • [[RBAC]]
  • [[Service Accounts]]
  • [[ClusterRole]]