Comments (6)
@herbrandson Just to help clear up some confusion, it currently doesn't quite work. See screenshot below:
The user "max" has permission to only access the "max" namespace, and to list all namespaces in the cluster.
Even though the user has full access to their "max" namespace, the "workloads" tab on the lhs is missing. That tab should still be there but be restricted to the "max" namespace (it doesn't have to be explicit, just fail if they select any other namespace from the drop down).
A huge bonus, however, would be if I didn't even have to assign them permissions to list namespaces in the cluster, because I would prefer to keep secret from a user the existence of namespaces that they don't have permission to access. This currently doesn't work well even on the official dashboard because if the user doesn't have the "list all namespaces in the cluster" namespace they can't even see namespaces to which they have permission. On the official dashboard they can still type the namespace name into the dropdown if they want it, but on k8dash it actually hides the namespace tab and the user can't do anything. The only way to implement this would be to have an auxiliary service account that could get the full list of namespaces and test if the logged in user has access. This is asking a lot though and it's definitely not a critical thing to have.
from skooner.
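One way to build the auxiliary-account check described in the comment above, as an added example that is not part of this thread or of the skooner project: a dedicated service account that may only list namespaces and create SubjectAccessReview objects, and the review it would submit for each namespace to ask the API server whether the logged-in user may list pods there. The account name `skooner-namespace-probe` and the `kube-system` namespace are assumptions; the user `max` and namespace `max` are the ones from the thread.

```yaml
# Added example (not skooner's own manifests). Assumed names:
# service account "skooner-namespace-probe" in kube-system; user "max" and
# namespace "max" are the ones discussed in the thread.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: skooner-namespace-probe
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: skooner-namespace-probe
rules:
  # Enumerate every namespace so the dashboard can probe them one by one.
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list"]
  # Ask the API server whether *another* subject is allowed to do something.
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: skooner-namespace-probe
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: skooner-namespace-probe
subjects:
  - kind: ServiceAccount
    name: skooner-namespace-probe
    namespace: kube-system
---
# One review per namespace, submitted with the probe account's token. The API
# server answers in status.allowed; the user "max" never needs to list
# namespaces and never learns about namespaces where the answer is "false".
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  user: max
  # Bindings to groups are only evaluated if the groups are passed along, so
  # forward the groups from the user's token (OIDC claims) here as well.
  groups: ["system:authenticated"]
  resourceAttributes:
    namespace: max
    verb: list
    resource: pods
```

A SubjectAccessReview is not persisted; `kubectl create -f review.yaml -o yaml` (run as the probe account) returns the same object with `status.allowed` filled in. The dashboard would show only the namespaces whose review came back allowed, which gives the "don't reveal namespaces the user can't reach" property asked for above, while the probe account itself cannot read any workload.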
Joining to @reddog335 question. When k8dash is loaded, it queries apis/authorization.k8s.io/v1/selfsubjectrulesreviews to acknowledge actual cluster privileges. Then, if the user has cluster-wide rights for pods, deployments, replica/stateful/daemon-sets, jobs etc., k8dash queries api for these objects, without filtering by namespace until user clicks the 'Workloads' pane and selects a namespace through the drop-down menu.
So the goal is to be able to view 'Workloads' page with minimal cluster-wide rights. Specifically, verbs:list/resources:namespaces should be enough to select any namespace to which user has actual view/edit namespace-wide rights.
Hey @reddog335. Thanks for the question. Permissions are entirely managed by K8S, so I'm not sure of the role you need off hand. But, if you look at the browsers networking tab you should be able to see the calls that are failing. From there we should be able to figure out what roles are needed from the K8S docs. Do you mind posting the calls that are failing?
@mmorev @herbrandson Thank you both for your responses. My goal is to only allow the developers to see the kubernetes objects in their namespace, I do not want them to be able to list pods in other namespaces. If I understood @mmorev's response correctly, it doesn't sound like this is a supportable scenario.
@reddog335 Developers will not be able to see pods that are in namespaces they don't have permissions to. I believe this should already work exactly how you're wanting :)
@herbrandson for better understanding.
Expected behavior: a user with a "view", "edit" or "admin" roleBinding in namespace "N" logs into k8dash, sees the "Workloads" button in the left menu, and any pods, daemon/replica/statefulsets in namespace "N".
Actual behavior: a user with an "admin" or even "cluster-admin" roleBinding in namespace "N" logs into k8dash and sees nothing but the "Cluster" and "Profile" buttons in the left menu, and no links under "Cluster".
Remark: to be able to select exact namespace in Workloads page, the user should have clusterRoleBinding with list namespaces rights. So the most possible scenario I see for such user, is to open Workloads page and select exact namespace in drop-down menu.
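The minimal RBAC for the scenario described in this thread (one cluster-wide verb for the namespace drop-down, everything else scoped to a single namespace), written out as an added example that is not part of the thread or of the skooner project. The ClusterRole name `namespace-lister` and the binding names are assumptions; `max` is the user and namespace from the thread, and `view` is Kubernetes' built-in ClusterRole.

```yaml
# Added example (not skooner's own manifests). Assumed names: ClusterRole
# "namespace-lister" and the two binding names; user/namespace "max" come
# from the thread.
# 1. Cluster-wide: the single verb the Workloads drop-down needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-lister
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: max-namespace-lister
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: namespace-lister
subjects:
  - kind: User
    name: max
    apiGroup: rbac.authorization.k8s.io
---
# 2. Namespace-scoped: the built-in "view" ClusterRole bound with a
#    RoleBinding, which grants it only inside namespace "max".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: max-view
  namespace: max
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - kind: User
    name: max
    apiGroup: rbac.authorization.k8s.io
```

To check what the dashboard will see, `kubectl auth can-i --list --namespace max --as max` issues the same SelfSubjectRulesReview that k8dash makes on load and prints the rules granted in that namespace, while `kubectl auth can-i list pods --all-namespaces --as max` should answer `no`, confirming that the user gets no cluster-wide view of workloads. This is exactly the split mmorev describes: the only cluster-wide right is listing namespaces, and the namespace-wide "view" right decides what shows up once a namespace is selected.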