
Comments (6)

Queuecumber avatar Queuecumber commented on July 4, 2024 2

@herbrandson Just to help clear up some confusion, it currently doesn't quite work. See screenshot below:

Screenshot from 2020-05-22 09-54-41

The user "max" has permission to only access the "max" namespace, and to list all namespaces in the cluster.

Even though the user has full access to their "max" namespace, the "workloads" tab on the lhs is missing. That tab should still be there but be restricted to the "max" namespace (it doesn't have to be explicit, just fail if they select any other namespace from the drop down).

A huge bonus, however, would be if I didn't even have to assign them permissions to list namespaces in the cluster, because I would prefer to keep secret from a user the existence of namespaces that they don't have permission to access. This currently doesn't work well even on the official dashboard, because if the user doesn't have the "list all namespaces in the cluster" namespace they can't even see namespaces to which they have permission. On the official dashboard they can still type the namespace name into the dropdown if they want it, but on k8dash it actually hides the namespace tab and the user can't do anything. The only way to implement this would be to have an auxiliary service account that could get the full list of namespaces and test if the logged-in user has access. This is asking a lot though, and it's definitely not a critical thing to have.

from skooner.

mmorev avatar mmorev commented on July 4, 2024 1

Joining @reddog335's question. When k8dash is loaded, it queries apis/authorization.k8s.io/v1/selfsubjectrulesreviews to acknowledge the actual cluster privileges. Then, if the user has cluster-wide rights for pods, deployments, replica/stateful/daemon-sets, jobs etc., k8dash queries the API for these objects, without filtering by namespace, until the user clicks the 'Workloads' pane and selects a namespace through the drop-down menu.

So the goal is to be able to view the 'Workloads' page with minimal cluster-wide rights. Specifically, verbs:list/resources:namespaces should be enough to select any namespace to which the user has actual view/edit namespace-wide rights.


herbrandson avatar herbrandson commented on July 4, 2024

Hey @reddog335. Thanks for the question. Permissions are entirely managed by K8S, so I'm not sure of the role you need off hand. But, if you look at the browser's networking tab you should be able to see the calls that are failing. From there we should be able to figure out what roles are needed from the K8S docs. Do you mind posting the calls that are failing?


reddog335 avatar reddog335 commented on July 4, 2024

@mmorev @herbrandson Thank you both for your responses. My goal is to only allow the developers to see the kubernetes objects in their namespace, I do not want them to be able to list pods in other namespaces. If I understood @mmorev's response correctly, it doesn't sound like this is a supportable scenario.


herbrandson avatar herbrandson commented on July 4, 2024

@reddog335 Developers will not be able to see pods that are in namespaces they don't have permissions to. I believe this should already work exactly how you're wanting :)


mmorev avatar mmorev commented on July 4, 2024

@herbrandson, for better understanding.
Expected behavior: a user with a "view", "edit" or "admin" roleBinding in namespace "N" logs into k8dash, sees the "Workloads" button in the left menu, and any pods, daemon/replica/statefulsets in namespace "N".
Actual behavior: a user with an "admin" or even "cluster-admin" roleBinding in namespace "N" logs into k8dash and sees nothing but the "Cluster" and "Profile" buttons in the left menu, and no links at all under "Cluster".

Remark: to be able to select the exact namespace on the Workloads page, the user should have a clusterRoleBinding with list-namespaces rights. So the most likely scenario I see for such a user is to open the Workloads page and select the exact namespace in the drop-down menu.

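The RBAC shape that mmorev's two comments above describe (namespace-scoped rights plus only `list` on namespaces cluster-wide), written out for the user "max" from the first comment. This is an added example, not a manifest from the thread or from the skooner/k8dash project; the object names `max-edit`, `namespace-lister` and `max-namespace-lister` are assumptions.

```yaml
# Constructed example (not from the thread or from skooner/k8dash):
# least-privilege RBAC for user "max", who may manage workloads only in
# namespace "max" but still needs a cluster-wide "list namespaces" right
# to pick that namespace in the dashboard drop-down.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: max-edit
  namespace: max
subjects:
- kind: User
  name: max
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit          # built-in aggregated role; the RoleBinding scopes it to "max"
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-lister
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list"]     # list only: no get/watch and nothing else cluster-wide
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: max-namespace-lister
subjects:
- kind: User
  name: max
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: namespace-lister
  apiGroup: rbac.authorization.k8s.io
```

After applying it, `kubectl auth can-i list pods --as max -n max` should answer yes while `kubectl auth can-i list pods --as max -n kube-system` answers no, and `kubectl auth can-i list namespaces --as max` answers yes. As Queuecumber notes above, that last right still exposes the names of every namespace in the cluster, so weigh it against the disclosure concern before granting it.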
