Read only user for Kubernetes Dashboard

Readonly user for Kubernetes Dashboard.md

The view ClusterRole doesn’t actually have permissions for the Cluster level objects like Nodes and Persistent Volume Claims. So we’ll have to create a new RBAC config.

First, we’ll create a new dashboard-viewonly ClusterRole:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-viewonly
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - nodes
  - persistentvolumeclaims
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  - volumeattachments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  - roles
  - rolebindings
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dashboard-viewonly
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system

Now we’ve configured a readonly dashboard we can safely share with people that dont even have K8S cluster access. This RBAC config does NOT grant access to Secrets, just to be a little safe.

In the Web Browser Login view when prompted to give Token or kubeconfig then just press SKIP to view readonly dashboard.

What version of the dashboard are you using, @karthik101?

I've tried to accomplish a read-only view several times, using yours and other ClusterRoles and ClusterRoleBindings, but they will always still let me create and delete resources (I test with creating and then destroying a namespace). I'm using Dashboard 2.0.1.

I am also Having the same issue , Readonly user is still able to edit,delete, create. I'm using Dashboard 2.0.1.

@Sjnahak I'm curious what platform you are testing this on. Yesterday I found that the read-only user had full CRUD capabilities while running on Docker for Desktop (Mac), but when I deployed it to our AWS EKS cluster, it worked fine. So I'm wondering if there is something else going on here in the platform itself.

It is working , I miss interpreted when I saw edit access but operation get denied.

For folks using terraform:

resource "kubernetes_cluster_role" "readonly" {
  metadata {
    name = "dashboard-viewonly"
  }

  rule {
    api_groups = [""]
    resources  = ["configmaps","endpoints","persistentvolumeclaims","pods","replicationcontrollers","replicationcontrollers/scale","serviceaccounts","services","nodes","persistentvolumeclaims","persistentvolumes"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = [""]
    resources  = ["bindings","events","limitranges","namespaces/status","pods/log","pods/status","replicationcontrollers/status","resourcequotas","resourcequotas/status"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = [""]
    resources  = ["namespaces"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["apps"]
    resources  = ["daemonsets","deployments","deployments/scale","replicasets","replicasets/scale","statefulsets"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["autoscaling"]
    resources  = ["horizontalpodautoscalers"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["batch"]
    resources  = ["cronjobs","jobs"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["extensions"]
    resources  = ["daemonsets","deployments","deployments/scale","ingresses","networkpolicies","replicasets","replicasets/scale","replicationcontrollers/scale"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["policy"]
    resources  = ["poddisruptionbudgets"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["networking.k8s.io"]
    resources  = ["networkpolicies"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["storage.k8s.io"]
    resources  = ["storageclasses", "volumeattachments"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["rbac.authorization.k8s.io"]
    resources  = ["clusterrolebindings", "clusterroles","roles","rolebindings"]
    verbs      = ["get", "list", "watch"]
  }
}

resource "kubernetes_cluster_role_binding" "readonly" {
  metadata {
    name = "kubernetes-dashboard"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "dashboard-viewonly"
  }
  subject {
    kind      = "ServiceAccount"
    name      = "kubernetes-dashboard"
    namespace = "kube-system"
  }
}

It is working , I miss interpreted when I saw edit access but operation get denied.

I am still able to Delete/edit yaml from kubernetes-dashboard. How do you disabled that ?

@Gupta-Amrit R u able to submit the request after editing ?
Also what is token you are using to login to kubernetes dashboard ? it should be of viewonly service account.

@karthik101 @patrickgardella @Sjnahak I'm using Dashboard 2.0.3, and followed the above yaml file but I am still able to delete/edit yaml file and able to use create button(top right corner) with any yaml/json file. The only thing which is not working is the scale option. Could anyone of you tell me, if any other steps are required ?

@Gupta-Amrit R u able to submit the request after editing ?
Also what is token you are using to login to kubernetes dashboard ? it should be of viewonly service account.

yes, I am able to submit the request and it is updating the deployment. Also I have enable skip login button and not using any token but I also tried with view only service account and it is able to update the deployments

Can confirm that I am able to access secrets freely!

I tested it recently on k8s- v1.18.3 and Dashboard- v2.0.1, Dashboard has read only access.

Do not copy and apply blindly. Check its api, rules, serviceAccount it uses and namespace where your dashboard pod runs. Edit accordingly with your requirerments in clusterrole

I am not able to see ingresses in the dashboard.

@pakuma1

I am not able to see ingresses in the dashboard.

The ingresses are no longer under the extensions api group. This works:

- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  - ingresses
  verbs:
  - get
  - list
  - watch

Hi,
Not getting any option to skip login. How to generate the token for dashboard view only.