Kubernetes Dashboard with RBAC

JeEt
5 min readJan 15, 2020

The purpose of this article is to show how multiple users in a Kubernetes environment can access the same Kubernetes Dashboard with different roles and permissions, enforced by the cluster's RBAC rules rather than by the dashboard itself.

K8s Dashboard

What this article aims at, and what you'll achieve after reading it

If you are building, or already run, your own on-premise K8s (Kubernetes) cluster, you are probably planning to use the default K8s Dashboard. If you also have separate teams, say an application development team, a practice team or a second admin team, that should not all use the dashboard with the same rights, i.e. full cluster-admin access to your cluster, then read on (or read on anyway, if you have the thirst for learning).

After finishing this article you will have created three Service Accounts: "watcher" with read-only access for the developer team, "admin" with full admin access for the administrator team, and "test-user" with full admin rights limited to a single Namespace, for example for a testing team. Each team logs in to the same dashboard with its own bearer token, and the RBAC bindings for that Service Account, not the dashboard, decide what it can see or change.

Pre-requisites:

For the current scenario, I have my cluster on Google Cloud, and I have configured gcloud on my CLI.

  1. A running GKE, EKS, AKS, or on-premise K8s Cluster.

Action:

  1. From your GKE cluster in the Google Cloud console, click "connect" on your cluster and copy the command into your CLI.
Gcloud command to connect to your cluster

Let's first confirm that your cluster is reachable by listing the nodes available to it:

$ kubectl get nodes

Once your cluster is ready, all the steps below can be applied on any cluster, i.e. GKE, AKS, EKS or an on-premise environment.

First, deploy the K8s Metrics Server:

The Kubernetes metrics-server aggregates resource-usage data (CPU and memory of nodes and pods) from the kubelets and exposes it through the metrics API. It is not deployed by default in upstream Kubernetes clusters. The Kubernetes Dashboard reads that API to show CPU and memory usage, so it has to be installed and working before the dashboard can produce those graphs. Some managed clusters already ship a metrics-server in kube-system; check with the verification command in Step 1 before installing a second copy.

Step 1: Install the Metrics Server from GitHub

Download and extract a release of the metrics-server source from GitHub.

Open the latest release page of the metrics-server project on GitHub (https://github.com/kubernetes-sigs/metrics-server/releases/latest) and choose a source-code archive for that release. The commands below use v0.3.6, the release used in this article.

$ wget -O v0.3.6.tar.gz https://codeload.github.com/kubernetes-sigs/metrics-server/tar.gz/v0.3.6

Extract it:

$ tar -xzf v0.3.6.tar.gz

Apply all of the YAML manifests in the metrics-server-0.3.6/deploy/1.8+ directory (substitute your release version; in the 0.3.x releases, 1.8+ is the manifest set for Kubernetes 1.8 and newer):

$ kubectl apply -f metrics-server-0.3.6/deploy/1.8+/

Verify that the metrics-server Deployment is running the desired number of pods with the following command:

$ kubectl get deployment metrics-server -n kube-system

Output (screenshot in the original): metrics-server deployment output, with READY showing 1/1.

If the pod never becomes ready, read its logs with kubectl logs. On clusters whose kubelets serve self-signed certificates, the 0.3.x metrics-server typically needs the --kubelet-insecure-tls argument added to its container args.

Step 2: Deploy the Dashboard

Use the following command to deploy Kubernetes Dashboard v2.0.0-beta4:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta4/aio/deploy/recommended.yaml

Output (screenshot in the original): the created namespace, ServiceAccount, Service, Secrets, ConfigMap, Roles, bindings and Deployments.

The recommended manifest creates the "kubernetes-dashboard" namespace, a dashboard ServiceAccount with only the permissions the dashboard itself needs, and a ClusterIP Service, so the dashboard is not exposed outside the cluster; you will reach it through kubectl proxy later. Do not bind cluster-admin to that dashboard ServiceAccount to make login "easier": that would turn the dashboard itself into a full-admin credential for anyone who reaches it, which is exactly what the per-user accounts below avoid.

If you have completed all the steps above without error, proceed with the steps below. If you did not get the output shown, go back through the steps above and troubleshoot the issue.

Step 3: Create the Kubernetes Service Accounts

a. admin, b. watcher, c. test-user

Open your editor, write a ServiceAccount manifest for each of the three accounts, save the file as "serviceaccount.yaml" and apply it with kubectl apply -f serviceaccount.yaml.

Note: in this article all three Service Accounts are created in the Namespace "kube-system", and the kubectl commands in the later steps assume that namespace. A ServiceAccount can live in any namespace; what determines its access is the binding, not where the account object lives.

Step 3, continued: now create the ClusterRoles

i. By default, Kubernetes already defines the "cluster-admin" ClusterRole, which allows every verb on every resource.

ii. So let's start by creating a "cluster-watcher" ClusterRole that defines cluster-wide read-only access: the verbs get, list and watch on the resources the dashboard displays. Leave secrets out of a read-only role: anyone who can list secrets can copy the other Service Account tokens (including admin's) and escalate, which is why the built-in "view" ClusterRole also excludes them.

Once you have written it, save it as "watcher_ClusterRole.yaml" and apply it:

$ kubectl apply -f watcher_ClusterRole.yaml

iii. For "test-user" we reuse "cluster-admin", but bound with a namespaced RoleBinding, which gives full rights inside one Namespace and nothing outside it.

Step 4: Now let's create the bindings for the roles mentioned above

"admin" is bound to "cluster-admin" and "watcher" to "cluster-watcher" with ClusterRoleBindings, which apply across the whole cluster.

Note: to give "test-user" only partial access, I have bound the "cluster-admin" ClusterRole with a RoleBinding in the Namespace "test-ns" instead of a ClusterRoleBinding. A RoleBinding that references a ClusterRole grants that role's rules only inside the binding's namespace, and never grants cluster-scoped resources such as nodes or namespaces. The namespace must exist before the RoleBinding is applied.

Step 5: Now apply the above manifest to Kubernetes:

$ kubectl apply -f /path/to/your/respective/ClusterRole_bind.yaml
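The manifests for Steps 3 to 5 are not reproduced on this page, so here is an added example of one combined file that does the same job. It is not the author's manifest: the names (ServiceAccounts admin, watcher and test-user in kube-system, ClusterRole cluster-watcher, Namespace test-ns) follow the article, while the exact resource list in cluster-watcher and the binding names are this example's own choices.

```yaml
# Added example (not the author's manifests): one file covering Steps 3 to 5.
# Names follow the article: ServiceAccounts admin, watcher and test-user in
# kube-system, ClusterRole cluster-watcher, Namespace test-ns. The resource
# list in cluster-watcher and the binding names are this example's own choices.
apiVersion: v1
kind: Namespace
metadata:
  name: test-ns
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: watcher
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-user
  namespace: kube-system
---
# Read-only role for watcher. Secrets are deliberately left out: listing
# secrets would expose the other ServiceAccount tokens (including admin's),
# turning "read-only" into full admin. The built-in "view" ClusterRole
# excludes secrets for the same reason.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-watcher
rules:
- apiGroups: [""]
  resources: ["namespaces", "nodes", "pods", "pods/log", "services", "endpoints",
              "configmaps", "persistentvolumeclaims", "persistentvolumes",
              "events", "serviceaccounts", "replicationcontrollers"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["metrics.k8s.io"]   # lets the dashboard draw CPU/memory graphs
  resources: ["pods", "nodes"]
  verbs: ["get", "list"]
---
# admin: the built-in cluster-admin role, bound cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
# watcher: read-only, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: watcher-cluster-watcher
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-watcher
subjects:
- kind: ServiceAccount
  name: watcher
  namespace: kube-system
---
# test-user: cluster-admin's rules, but through a RoleBinding, so they apply
# only inside test-ns. Cluster-scoped objects (nodes, namespaces) stay off limits.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-user-ns-admin
  namespace: test-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: test-user
  namespace: kube-system
```

Apply it with kubectl apply -f rbac.yaml, then check the result before handing out any tokens by impersonating each account with kubectl auth can-i: "kubectl auth can-i create namespaces --as=system:serviceaccount:kube-system:test-user" should answer no, "kubectl auth can-i create deployments -n test-ns --as=system:serviceaccount:kube-system:test-user" should answer yes, and "kubectl auth can-i list secrets --as=system:serviceaccount:kube-system:watcher" should answer no. The dashboard will show a "forbidden" notice on the Secrets view for watcher, which is the intended outcome of excluding secrets from a read-only role.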

Step 6: Get the bearer token to log in to the Kubernetes Dashboard.

Each Service Account has a token stored in a Secret in its namespace; list them with:

$ kubectl get secrets -n kube-system

Step 7: Find the Service Accounts and their respective Secrets

$ kubectl get sa admin watcher test-user -n kube-system

$ kubectl get sa admin -n kube-system -o yaml   # the "secrets" list gives the token Secret name we are looking for

Once you have the Secret name, describe it and copy the value of its "token" field:

$ kubectl describe secret admin-token-dxcbm -n kube-system

Treat this token like a password: it is a long-lived credential carrying every right bound to that Service Account, so hand it only to the team it is meant for, and revoke it by deleting the Secret (the controller then creates a fresh one). On Kubernetes 1.24 and newer, token Secrets are no longer created automatically for Service Accounts; request a short-lived token with "kubectl -n kube-system create token admin" instead.

Now start the kubectl proxy:

$ kubectl proxy   # forwards http://localhost:8001 to the API server, and through it to the dashboard, using your kubeconfig credentials

By default the proxy listens only on 127.0.0.1 and adds no authentication of its own, so anyone who can reach that port acts with your kubectl credentials; keep the default bind address on shared machines. The login token is still required: when the dashboard calls the API on your behalf it uses the token you paste, not the proxy's credentials, so the token is what determines your rights in the UI.

Step 8: To access the dashboard, open the following link in a web browser:

http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/#!/login

Now paste the token copied from the "admin" Service Account's Secret.

Note: copy the token carefully, without any surrounding whitespace.

Here you can switch namespaces, edit any deployment and create namespaces, because this account is bound to cluster-admin.

Step 9: Let's verify the "test-user" Service Account

After copying its token and starting kubectl proxy, log in the same way.

You should see the dashboard open in the "default" namespace with access-denied (forbidden) warnings, since test-user has no rights there,

but don't panic here.

Remember that you have given "test-user" admin privileges only within the Namespace "test-ns".

So let's switch the namespace within the dashboard to "test-ns".

Here you can control deployments, pods and so on, but you have no access to other namespaces and cannot create new ones.

You can try the same with the "watcher" Service Account, which lets you view the whole cluster but change nothing.

So by the end, I hope you have a smile on your face. Keep learning and share the smile :)


JeEt

A tech enthusiast, working on Cloud and Devops past 3 years now. Love Cycling, Psychology..Botany and God knows what.