kubernetes, dashboard, addons

Installing Kubernetes Dashboard per Namespace

Even though I'm not a Kubernetes Dashboard user, I understand why, for most people, it is the easiest way to interact with their apps running on Kubernetes. If you interact with the cluster daily or manage it yourself, you are probably more comfortable with the CLI, kubectl. Kubernetes Dashboard is easy to install, but you might want to run one per namespace to limit what users can do. Let's see how to install and configure it for this scenario.

The Problem

Most tutorials on installing the dashboard use the cluster admin role, which means that anyone who can access the dashboard is effectively a cluster admin as well. Even if that is not the case, you probably want to keep users from touching anything outside their namespace.

So, it makes sense to deploy the dashboard in the namespace where developers have their apps. Also, when deployed per namespace, you can give users all privileges for that particular namespace.

Installation and Configuration

The latest Kubernetes Dashboard stable release can't run in any namespace other than kube-system. As of the time I'm writing this post, the latest stable version is v1.10.1. However, namespace support has been available in the master branch for quite some time.

Installing the dashboard is a pretty straightforward process. So, let's say you want to install it in the default namespace. First, create a custom config for the kubernetes-dashboard Helm chart:

$ cat > values-dashboard.yaml<<EOF
image:
  repository: kubernetesdashboarddev/kubernetes-dashboard-amd64
  tag: 7fa1563213bdcc3deaff42183511a243d4c04268

extraArgs:
  - --system-banner="Test Cluster"
  - --namespace=default

rbac:
  clusterAdminRole: false
EOF

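NOTE: You don't want to create any cluster-wide roles, which is why I set clusterAdminRole to false. Also, if you have a single sign-on solution with ingress, you can set enableSkipLogin: true and enableInsecureLogin: true to disable dashboard authentication. With dashboard authentication disabled, everyone who reaches the dashboard acts with the permissions of its service account, so the ingress has to be the only way in.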

If you try to install the dashboard at this point, you will get the following error:

panic: secrets "kubernetes-dashboard-csrf" is forbidden: User "system:serviceaccount:default:dash-kubernetes-dashboard" cannot get secrets in the namespace "default"

From this error, you can see that the dash-kubernetes-dashboard service account cannot get secrets in the default namespace. You can fix this by creating a new role. Here is a role that fixes the above issue and also gives dashboard users almost all privileges in that particular namespace:

$ cat > kubernetes-dashboard-role.yaml<<EOF
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 was removed in Kubernetes 1.22
kind: Role
metadata:
  name: dash-kubernetes-dashboard-master
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - get
  - list
  - watch
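  # describe and exec are kubectl commands, not API request verbs;
  # RBAC never matches them, so these two entries grant nothing
  - describe
  - exec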
  - update
  - delete
- apiGroups:
  - ""
  resourceNames:
  - kubernetes-dashboard-csrf
  resources:
  - secrets
  verbs:
  - get
  - update
  - delete
EOF

Also, role binding:

$ cat > kubernetes-dashboard-rolebinding.yaml<<EOF
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 was removed in Kubernetes 1.22
kind: RoleBinding
metadata:
  name: dash-kubernetes-dashboard-master
  labels:
    app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dash-kubernetes-dashboard-master
subjects:
- kind: ServiceAccount
  name: dash-kubernetes-dashboard
  namespace: default
EOF

NOTE: Set the subject's namespace to your preferred namespace, default in this case.

You also need to create the kubernetes-dashboard-csrf secret yourself, as it won't be created automatically. Without it, the dashboard fails with panic: secrets "kubernetes-dashboard-csrf" not found. Let's create the secret:

$ cat > kubernetes-dashboard-secret.yaml<<EOF
apiVersion: v1
kind: Secret
metadata:
  labels:
    app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
type: Opaque
data:
  csrf: ""
EOF

The last step is to apply all those resources and to install the dashboard:

$ kubectl apply -f kubernetes-dashboard-role.yaml -n default
$ kubectl apply -f kubernetes-dashboard-rolebinding.yaml -n default
$ kubectl apply -f kubernetes-dashboard-secret.yaml -n default

$ helm install --name dash \
    --namespace default \
    -f values-dashboard.yaml \
    stable/kubernetes-dashboard

You can go ahead and check if the dashboard works as expected. If you try to list namespaces or check cluster-wide resources, you will get the namespaces is forbidden error message, which is what you wanted to achieve by running it per namespace.
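
To confirm the same result without clicking through the UI, the checks below ask the API server what the dashboard's service account may do. This is an added example, not part of the original post; it assumes the release name dash and namespace default used above, and that your own user may impersonate service accounts (needed for --as).

```shell
#!/bin/sh
# Added example. Assumes release "dash" in namespace "default" as above, and a
# caller allowed to impersonate service accounts (required by --as).

# can_i SA_NS SA_NAME TARGET VERB RESOURCE -> prints "yes" or "no".
# TARGET is a namespace, or "*" for a cluster-wide check. Cluster-scoped
# resources are checked with --all-namespaces so that only cluster-level
# bindings are consulted, not the namespaced Role.
can_i() {
    case $3 in
        '*') scope=--all-namespaces ;;
        *)   scope=--namespace=$3 ;;
    esac
    answer=$(kubectl auth can-i "$4" "$5" "$scope" \
        --as="system:serviceaccount:$1:$2" 2>/dev/null </dev/null) || true
    if [ "$answer" = "yes" ]; then echo yes; else echo no; fi
}

# check_dashboard_scope NAMESPACE SERVICE_ACCOUNT
# Prints one line per check; the return status is the number of mismatches.
check_dashboard_scope() {
    ns=$1 sa=$2 failures=0
    # Rows: expected answer | target namespace ("*" = cluster) | verb | resource
    while IFS='|' read -r want target verb resource; do
        got=$(can_i "$ns" "$sa" "$target" "$verb" "$resource")
        if [ "$got" = "$want" ]; then status=ok; else
            status=UNEXPECTED; failures=$((failures + 1))
        fi
        printf '%-10s %-11s %-5s %-35s want=%s got=%s\n' \
            "$status" "$target" "$verb" "$resource" "$want" "$got"
    done <<EOF
yes|$ns|get|secrets/kubernetes-dashboard-csrf
yes|$ns|list|pods
yes|$ns|list|secrets
no|kube-system|list|pods
no|kube-system|get|secrets
no|*|list|namespaces
no|*|list|nodes
EOF
    return "$failures"
}

# Query the live cluster only when asked to: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_dashboard_scope default dash-kubernetes-dashboard
fi
```

The list secrets row is expected to pass: the Role above grants get and list on every resource, so dashboard users can read every Secret in that namespace.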

Of course, you could edit the role and role binding that are created by the helm chart instead of creating additional ones. I don't like to do it that way though.

Summary

I don't track what is happening with the Kubernetes Dashboard project itself, but since I haven't seen a new version for months, I think that project will no longer be maintained. So, if you have some ideas or other projects to recommend to accomplish the same goal, please write to me on Twitter.