How-to Grant Read-Only Access to the Kubernetes Dashboard

Problem

A read-only access role needs to be created for access to the Kubernetes Web UI (Dashboard).

Environment

• Platform9 Managed Kubernetes - All Versions
• Kubernetes Web UI (Dashboard)

Procedure

1. Create a service account in the default or any other namespace of your choice.

xxxxxxxxxx

# kubectl create sa [name of serviceaccount] -n [namespace]

2. Create a cluster role with get, list, and watch verbs.

# cat [<EOF | kubectl apply -f -] ---> apiVersion: rbac.authorization.k8s.io/v1> kind: ClusterRole> metadata:>   name: [clusterrole name]> rules:> - apiGroups: ["*"]>   resources: ["*"]>   verbs: ["get", "list", "watch"]> EOF

3. Create a clusterrolebinding for the above clusterrole and serviceaccount.

# kubectl create clusterrolebinding [name] --serviceaccount=[namespace:serviceaccount name] --clusterrole=[clusterrole name]

4. Describe the serviceaccount resource (created above).

xxxxxxxxxx

# kubectl describe serviceaccount [service account name] -n [namespace]

5. Extract the token value from the secret specified for the serviceaccount resource (above output).

xxxxxxxxxx

# kubectl get secret [secret-name] -o jsonpath="{.data.token}" | base64 --decode && echo ''

The token value may then be used to login to the Kubernetes Dashboard with read-only privileges.