RBAC ClusterRoleBinding for Dashboard
An RBAC ClusterRoleBinding for Dashboard is a specific Kubernetes configuration used to grant a user or service account the necessary permissions to access and manage the cluster via the Kubernetes Dashboard web UI^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md].
Purpose
The Kubernetes Dashboard requires elevated privileges to display the state of containers, services, and other cluster resources^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]. Because the Dashboard acts as a management interface, the bound identity typically needs cluster-admin privileges to perform actions across all namespaces, rather than being limited to a single namespace^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md].
Configuration
The setup involves creating a ClusterRoleBinding that links a specific identity (the subject) to a built-in high-privilege role (the role ref).
Key Components
- RoleRef: Refers to the `cluster-admin` ClusterRole, which provides super-user access to perform any action on any resource^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md].
- Subject: Refers to the Service Account requiring access (e.g., `default` in the `kube-system` namespace)^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md].
Example Manifest
The following YAML snippet defines a ClusterRoleBinding named kube-system-default. It grants the cluster-admin role to the default service account within the kube-system namespace^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-system-default
  labels:
    k8s-app: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: default
    namespace: kube-system
```
Authentication
Once the binding is applied, a bearer token is required to log in to the Dashboard UI^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]. This token is typically retrieved from the secret associated with the Service Account defined in the binding^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md].
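The binding above turns the token of the `default` service account in `kube-system` into a cluster-admin credential, so it is worth knowing which service accounts hold that role. The following added example (not from the original page) audits the JSON produced by `kubectl get clusterrolebindings -o json`; the embedded sample is constructed, and the names `dashboard-viewer`, `dashboard-user` and `ci-deployer` are hypothetical.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "kube-system-default"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"}]},
  {"metadata": {"name": "dashboard-viewer"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "ServiceAccount", "name": "dashboard-user", "namespace": "kubernetes-dashboard"}]},
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:masters"}]},
  {"metadata": {"name": "ci-deployer"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
  {"metadata": {"name": "orphaned"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"}}
]}
""")

def audit_cluster_admin_bindings(binding_list):
    """Return (severity, binding, subject) for each ServiceAccount bound to cluster-admin."""
    findings = []
    for item in binding_list.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        # `subjects` is optional in the API; a binding without it grants nothing.
        for subj in item.get("subjects") or []:
            if subj.get("kind") != "ServiceAccount":
                continue  # users and groups are out of scope for this check
            # A namespace's `default` account is used by every pod there that
            # sets no serviceAccountName, so the grant reaches all of them.
            severity = "HIGH" if subj.get("name") == "default" else "REVIEW"
            sa = f'{subj.get("namespace", "?")}/{subj.get("name")}'
            findings.append((severity, item["metadata"]["name"], sa))
    return sorted(findings)

if __name__ == "__main__":
    for severity, binding, sa in audit_cluster_admin_bindings(SAMPLE):
        print(f"{severity:6} {binding}: cluster-admin -> ServiceAccount {sa}")
```

To run it against a cluster, replace `SAMPLE` with the parsed output of that `kubectl` command.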
Related Concepts
- Kubernetes Dashboard
- [[RBAC]]
- [[Service Account]]