DEV Community

Alex Robson

Local Kubernetes RBAC & Dashboard Setup

In my previous post, I showed how anyone could install a Kubernetes cluster locally using Canonical's microk8s.

This post picks up where the last ended. Before I start looking at deploying software to my local cluster, I need to do some additional configuration.

Note: I've aliased microk8s as m8s and microk8s kubectl as k8s.

Kubernetes Dashboard

The Kubernetes Dashboard is a web interface that makes discovering what is running in the cluster, and basic observability, straightforward. microk8s packages it as an addon you can enable with:

m8s enable dashboard

To view the dashboard, use the dashboard proxy command:

m8s dashboard-proxy

To open the dashboard, ctrl+click the URL in the console. The proxy serves a self-signed certificate, so accept your browser's warning about it*, then copy the token printed at the end of the dashboard-proxy output and paste it into the login prompt.

Role-Based Access Control (RBAC)

What is it?

Kubernetes is usable without it (a fresh microk8s install authorizes every request), but enabling RBAC lets you practice least privilege and work in an environment closer to a production cluster.

If you're not familiar, RBAC consists of the following:

  • subjects: the identities being granted access, which are users, groups, or service accounts (this post only uses service accounts)
  • roles: sets of rules, each naming API groups, resources, and the verbs allowed on them; a Role is scoped to one namespace, a ClusterRole applies cluster-wide
  • role bindings: a RoleBinding or ClusterRoleBinding attaches one role to one or more subjects

A subject can appear in any number of bindings, and permissions are purely additive: there are no deny rules, so you grant a set of permissions by adding a binding and revoke it by deleting one.

Enabling RBAC

Enabling RBAC is simple:

microk8s enable rbac

Fixing The Dashboard Account's Permissions

Enabling the dashboard creates a service account named kubernetes-dashboard in the kube-system namespace. To see it in the list of service accounts there, issue:

k8s get sa -n kube-system

To see the other RBAC resources created for us to make the dashboard accessible, issue the following:

Lists Cluster Roles

k8s get clusterroles | grep dashboard

Lists Cluster Role Bindings

k8s get clusterrolebindings | grep dashboard

(ClusterRoles and ClusterRoleBindings are cluster-scoped, so a -n flag is accepted but ignored; the namespaced equivalents are roles and rolebindings.)

Unfortunately, the permissions granted to the kubernetes-dashboard account through the cluster role kubernetes-dashboard are deliberately minimal: they cover the dashboard's own secrets, settings, and metrics, not the workloads in the cluster, so logging in with them gives almost no visibility into what's already there.

Rather than dive into the specifics of each manifest, I've put a new ClusterRole, a ClusterRoleBinding, and a service-account token Secret into a gist you can use to:

  1. Create a new ClusterRole named kubernetes-dashboard-readonly
  2. Create a ClusterRoleBinding named kubernetes-dashboard-readonly that binds it to the kubernetes-dashboard service account
  3. Create an authentication token Secret for the kubernetes-dashboard account

Save the contents of the gist to ./read-only-dashboard.yml and apply it:

k8s create -f ./read-only-dashboard.yml

To retrieve the token for logging in as kubernetes-dashboard, use:

k8s describe secrets -n kube-system kubernetes-dashboard-token

Copy the value following token and use it to log into the dashboard. The first sign of success is that the namespaces drop-down in the top bar lists more than default.

One caveat before reusing this beyond a throwaway local cluster: "read-only" is not "harmless". If the ClusterRole allows get or list on secrets, anyone holding this token can read every credential in the cluster, and a token Secret of this kind never expires. On anything shared, leave secrets out of the rule set and guard the token as carefully as an admin kubeconfig.
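As an added example (my own script, not the post's gist, whose contents are not reproduced here), the following renders the three objects described above, applies them, prints the login token, and then asks the API server what the account can actually do. It assumes the dashboard ServiceAccount is kube-system/kubernetes-dashboard as in this post and that kubectl is reachable as microk8s kubectl; the resource list in the ClusterRole is my own conservative choice and deliberately leaves secrets out.

```shell
#!/bin/sh
# Added example (not the post's gist): render the three objects described above,
# apply them, show the login token, and verify the result with `kubectl auth can-i`.
# Assumed: the dashboard ServiceAccount is kube-system/kubernetes-dashboard and
# kubectl is reachable as `microk8s kubectl` (override with KUBECTL=...).
set -eu

KUBECTL="${KUBECTL:-microk8s kubectl}"
SA_NS="kube-system"
SA_NAME="kubernetes-dashboard"
ROLE_NAME="kubernetes-dashboard-readonly"

# Emit the manifests on stdout. Verbs are limited to get/list/watch, and secrets
# are left out on purpose: cluster-wide read access to secrets is read access to
# every credential in the cluster, which a dashboard login should not carry.
render_readonly_manifest() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${ROLE_NAME}
rules:
  - apiGroups: [""]
    resources: ["namespaces", "nodes", "pods", "pods/log", "services", "endpoints",
                "configmaps", "events", "persistentvolumeclaims", "persistentvolumes",
                "serviceaccounts"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "networkpolicies"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${ROLE_NAME}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${ROLE_NAME}
subjects:
  - kind: ServiceAccount
    name: ${SA_NAME}
    namespace: ${SA_NS}
---
# Long-lived token for the account; since Kubernetes 1.24 these Secrets are no
# longer created automatically and must be requested explicitly like this.
apiVersion: v1
kind: Secret
metadata:
  name: ${SA_NAME}-token
  namespace: ${SA_NS}
  annotations:
    kubernetes.io/service-account.name: ${SA_NAME}
type: kubernetes.io/service-account-token
EOF
}

apply_readonly_dashboard() {
  render_readonly_manifest | ${KUBECTL} apply -f -
}

# Ask the API server what the account can do. Expected answers: yes / no / no.
# The first check has no `|| true`, so the script fails loudly if the binding
# did not take effect.
check_dashboard_permissions() {
  sa="system:serviceaccount:${SA_NS}:${SA_NAME}"
  ${KUBECTL} auth can-i list pods --all-namespaces --as="${sa}"
  ${KUBECTL} auth can-i delete pods --all-namespaces --as="${sa}" || true
  ${KUBECTL} auth can-i get secrets --all-namespaces --as="${sa}" || true
}

# Decode the bearer token for the dashboard login prompt.
dashboard_token() {
  ${KUBECTL} -n "${SA_NS}" get secret "${SA_NAME}-token" -o jsonpath='{.data.token}' | base64 -d
  echo
}

case "${1:-}" in
  render) render_readonly_manifest ;;
  apply)  apply_readonly_dashboard ;;
  check)  check_dashboard_permissions ;;
  token)  dashboard_token ;;
esac
```

Run it as `sh readonly-dashboard.sh apply`, then `sh readonly-dashboard.sh check` to confirm the account can list pods but cannot delete them or read secrets, and `sh readonly-dashboard.sh token` for the value to paste into the login prompt.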

Help With Custom Roles

Finding a list of the available API groups and their related resources with their allowed verbs has been a headache. There is a built-in command that prints a column-aligned table of every resource the API server knows about, with its API group, whether it is namespaced, and the verbs it supports:

k8s api-resources -o wide

To make this easier to consume (for myself), I put this in a Google Sheet and sorted it by the API Group and Resource Name columns. You can view it here.
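Rather than copying rows out of a spreadsheet, the cluster can generate the rule set for you. The following is an added example of mine, not something from the post: it reads the one-resource-per-line output of `kubectl api-resources -o name` (the `-o name` form is easier to parse than `-o wide` because it prints `resource` or `resource.group` with nothing else), groups resources by API group, and emits the `rules:` section of a view-only ClusterRole with secrets removed. The sample input embedded below is constructed to look like that output.

```shell
#!/bin/sh
# Added example (not from the post): build the `rules:` section of a view-only
# ClusterRole from the cluster's own resource inventory, as printed by
# `kubectl api-resources -o name` (lines of the form `resource` or `resource.group`).
# A resource name never contains a dot, so the first dot splits resource from
# API group. Secrets are dropped on purpose so the role cannot read credentials.
set -eu

rules_from_api_resources() {
  awk '
    {
      res = $0; grp = ""
      i = index($0, ".")
      if (i > 0) { res = substr($0, 1, i - 1); grp = substr($0, i + 1) }
      if (res == "secrets") next
      if (!(grp in seen)) { order[++n] = grp; seen[grp] = 1 }
      sep = (list[grp] == "") ? "" : ", "
      list[grp] = list[grp] sep "\"" res "\""
    }
    END {
      print "rules:"
      for (k = 1; k <= n; k++) {
        g = order[k]
        print "  - apiGroups: [\"" g "\"]"
        print "    resources: [" list[g] "]"
        print "    verbs: [\"get\", \"list\", \"watch\"]"
      }
    }'
}

# Constructed sample input in the shape of
#   kubectl api-resources --verbs=get,list,watch -o name
# On a live cluster, pipe that command into rules_from_api_resources instead.
sample_api_resources() {
  cat <<'EOF'
configmaps
namespaces
pods
secrets
services
deployments.apps
replicasets.apps
jobs.batch
ingresses.networking.k8s.io
EOF
}

case "${1:-}" in
  demo) sample_api_resources | rules_from_api_resources ;;
  live) microk8s kubectl api-resources --verbs=get,list,watch -o name | rules_from_api_resources ;;
esac
```

`sh rules.sh demo` prints four rule entries (core group, apps, batch, networking.k8s.io) with secrets absent; `sh rules.sh live` does the same against the running cluster, and the result can be pasted under a ClusterRole's `rules:` key. Review the output before applying it: anything the cluster exposes ends up in the role, so strip resources the dashboard has no business reading.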

Up Next

In my next post, I plan to add the Kubernetes Ingress NGINX Controller and demonstrate how this creates a reverse proxy and load balancer for services we may want to expose outside the cluster.

*Known Issues With Self-Signed Certificate

Following these directions on a machine that does not allow you to proceed to an HTTPS URL with a self-signed certificate will prevent you from viewing the dashboard.

In the next post, I'll look at ways to get a valid certificate for an ingress controller.

Resources

Gist: Read-only Dashboard Role

Kubernetes API Groups and Resources

Further Reading

Using RBAC Authorization
