RBAC ClusterRoleBinding for Dashboard access

RBAC ClusterRoleBinding for dashboard access refers to the specific Role-Based Access Control (RBAC) configuration required to authenticate and authorize users to the Kubernetes Dashboard Web UI.^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]

Since the Dashboard is a web interface, it cannot be accessed via standard HTTP basic authentication. Instead, it requires a Bearer Token for verification.^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]

Configuration Implementation

To enable access, an administrator must create a ClusterRoleBinding that grants a ServiceAccount the necessary privileges (typically the cluster-admin role) and create a corresponding Secret of type kubernetes.io/service-account-token to hold that account's token.^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]

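The following example configuration grants the default ServiceAccount in the kube-system namespace administrative privileges. Because a pod that does not specify a ServiceAccount runs as its namespace's default one, this binding also gives cluster-admin to every such pod in kube-system, and the resulting Dashboard token carries full control of the cluster: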

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-system-default
  labels:
    k8s-app: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: default
    namespace: kube-system
---
apiVersion: v1
kind: Secret
metadata:
  name: default
  namespace: kube-system
  labels:
    k8s-app: kube-system
  annotations:
    kubernetes.io/service-account.name: default
type: kubernetes.io/service-account-token
^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]

Token Retrieval

Once the ClusterRoleBinding and Secret are applied, the Bearer Token required for login can be retrieved from the created Secret.^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]

For example, on a system using kubectl, the token can be extracted and printed using the following command:

TOKEN=$(kubectl -n kube-system describe secret default | awk '$1=="token:"{print $2}')
echo "$TOKEN"
^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]

This token is then entered into the Dashboard login screen to establish the session.^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]

Sources

^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]