Even though I'm not a Kubernetes Dashboard user, I understand why for most people this is the easiest way to interact with their apps running on top of Kubernetes. If you are interacting with it daily or managing the cluster itself, you are probably more comfortable with the CLI, i.e. kubectl. Kubernetes Dashboard is easy to install, but you might want to have it per namespace to limit what users can do. Let's see how to install and configure it for this scenario.
Most tutorials on installing the dashboard use the cluster admin role, which means that anyone who can access the dashboard is effectively a cluster admin as well. Even if that is not the case, you probably want to prevent users from touching anything that is not part of their namespace.
So, it makes sense to deploy the dashboard in the namespace where developers have their apps. Also, when deployed per namespace, you can give users all privileges for that particular namespace.
Installation and Configuration
The latest Kubernetes Dashboard stable release can't run in any namespace other than kube-system. As of the time I'm writing this post, the latest stable version is v1.10.1. However, namespace support has been available in the master branch for quite some time.
Installing the dashboard is a pretty straightforward process. So, let's say you want to install it in the default namespace. First, create a custom config for the kubernetes-dashboard helm chart:
$ cat > values-dashboard.yaml<<EOF
image:
  repository: kubernetesdashboarddev/kubernetes-dashboard-amd64
  tag: 7fa1563213bdcc3deaff42183511a243d4c04268
extraArgs:
  - --system-banner="Test Cluster"
  - --namespace=default
rbac:
  clusterAdminRole: false
EOF
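NOTE: You don't want to create any cluster-wide roles, and that is why I set clusterAdminRole: false. Also, if you have a single sign-on solution with ingress, then you can set enableSkipLogin: true and enableInsecureLogin: true to disable dashboard authentication. With login disabled, everyone who reaches the dashboard through the ingress acts with the permissions of the dashboard's service account, so the ingress becomes the only access control.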
If you try to install the dashboard at this point, you will get the following error:
panic: secrets "kubernetes-dashboard-csrf" is forbidden: User "system:serviceaccount:default:dash-kubernetes-dashboard" cannot get secrets in the namespace "default"
From this error, you can see that the dash-kubernetes-dashboard service account cannot get secrets in the default namespace. However, you can fix this by creating a new role. Here is the new role that fixes the above issue and also gives dashboard users almost all privileges in that particular namespace. Note that the wildcard rule also covers every Secret in the namespace:
$ cat > kubernetes-dashboard-role.yaml<<EOF
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: dash-kubernetes-dashboard-master
rules:
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - get
      - list
      - watch
      - describe
      - exec
      - update
      - delete
  - apiGroups:
      - ""
    resourceNames:
      - kubernetes-dashboard-csrf
    resources:
      - secrets
    verbs:
      - get
      - update
      - delete
EOF
Also, role binding:
$ cat > kubernetes-dashboard-rolebinding.yaml<<EOF
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: dash-kubernetes-dashboard-master
  labels:
    app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dash-kubernetes-dashboard-master
subjects:
  - kind: ServiceAccount
    name: dash-kubernetes-dashboard
    namespace: default
EOF
NOTE: Set namespace to your preferred namespace, default in this case.
You also need to create the kubernetes-dashboard-csrf secret, as it won't be created automatically. Without it, the error message is panic: secrets "kubernetes-dashboard-csrf" not found. Let's create the secret:
$ cat > kubernetes-dashboard-secret.yaml<<EOF
apiVersion: v1
kind: Secret
metadata:
  labels:
    app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
type: Opaque
data:
  csrf: ""
EOF
The last step is to apply all those resources and to install the dashboard:
$ kubectl apply -f kubernetes-dashboard-role.yaml -n default
$ kubectl apply -f kubernetes-dashboard-rolebinding.yaml -n default
$ kubectl apply -f kubernetes-dashboard-secret.yaml -n default
$ helm install --name dash \
    --namespace default \
    -f values-dashboard.yaml \
    stable/kubernetes-dashboard
You can go ahead and check if the dashboard works as expected. If you try to list namespaces or check cluster-wide resources, you will get the namespaces is forbidden error message, which is what you wanted to achieve by running it per namespace.
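The same result can be checked from the command line. The script below is an added example, not part of the original post: it impersonates the dashboard service account (name taken from the error message above) with kubectl auth can-i and compares each answer with what the per-namespace setup should allow. It assumes your own user may impersonate service accounts; the function names are illustrative.

```shell
#!/bin/sh
# Added example: confirm the dashboard service account is confined to one namespace.
# SA name is taken from the error message in the post; NS is the install namespace.
SA="system:serviceaccount:default:dash-kubernetes-dashboard"
NS="default"

# Ask the API server whether $SA may perform an action; prints "yes" or "no".
can_i() {
  kubectl auth can-i "$@" --as="$SA" 2>/dev/null | head -n 1
}

# expect WANT VERB RESOURCE [kubectl flags]: compare the answer with WANT.
expect() {
  want=$1; shift
  got=$(can_i "$@")
  [ -n "$got" ] || got="error"
  if [ "$got" = "$want" ]; then
    echo "ok    $* -> $got"
  else
    echo "FAIL  $* -> $got (expected $want)"
    return 1
  fi
}

check_dashboard_scope() {
  rc=0
  # Required by the dashboard itself (second rule of the Role).
  expect yes get secrets/kubernetes-dashboard-csrf -n "$NS" || rc=1
  # Granted by the wildcard rule; note that it includes every Secret in $NS.
  expect yes list pods -n "$NS" || rc=1
  expect yes list secrets -n "$NS" || rc=1
  # Must be denied. --all-namespaces sends the check with an empty namespace,
  # so only a cluster-wide binding could satisfy it.
  expect no list namespaces --all-namespaces || rc=1
  expect no list nodes --all-namespaces || rc=1
  expect no list secrets --all-namespaces || rc=1
  # Must be denied: another namespace.
  expect no list pods -n kube-system || rc=1
  return $rc
}
```

Source the file and run check_dashboard_scope after the helm install; any FAIL line means the service account has more or less access than the role above intends.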
Of course, you could edit the current role and role binding that are created by the helm chart instead of creating additional ones. I don't like to do it that way though.
I don't track what is happening with the Kubernetes Dashboard project itself, but since I haven't seen a new version for months, I think that project will no longer be maintained. So, if you have some ideas or other projects to recommend to accomplish the same goal, please write to me on Twitter.