
How to access Kubernetes dashboard on an Azure Kubernetes Service cluster with RBAC enabled

RBAC (Role Based Access Control) is enabled by default when you deploy a new Azure Kubernetes Service cluster, which is great. But if you are not used to it, you may have some trouble accessing the Kubernetes dashboard using the kubectl proxy or az aks browse command-line tools (remember to never expose the dashboard over the Internet, even if RBAC is enabled!).

In this post, I will explain how you can simply configure RBAC on your cluster to solve authorization access issues.

So, you’ve deployed your Azure Kubernetes Service cluster, everything went well, and you may even have deployed your first workloads on it. Now it’s time to launch the dashboard and you get something like this:

Kubernetes Dashboard - No Access

Don’t panic. This is the normal behavior. As your cluster is RBAC-enabled, by default the pod that runs the dashboard has a minimal role bound to its service account:

kubectl describe role kubernetes-dashboard-minimal -n kube-system
Name:         kubernetes-dashboard-minimal
Labels:       addonmanager.kubernetes.io/mode=Reconcile
              k8s-app=kubernetes-dashboard
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"Role","metadata":{"annotations":{},"labels":{"addonmanager.kubernetes.io/mode":"Reconcile","k...
PolicyRule:
  Resources       Non-Resource URLs  Resource Names                   Verbs
  ---------       -----------------  --------------                   -----
  secrets         []                 []                               [get update create delete]
  configmaps      []                 [kubernetes-dashboard-settings]  [get update]
  services/proxy  []                 [heapster]                       [get]
  services/proxy  []                 [http:heapster:]                 [get]
  services/proxy  []                 [http:metrics-server:]           [get]
  services/proxy  []                 [https:heapster:]                [get]
  services/proxy  []                 [https:metrics-server:]          [get]
  services/proxy  []                 [metrics-server]                 [get]
  services        []                 [heapster]                       [proxy]
  services        []                 [metrics-server]                 [proxy]

If you want to make sure the Kubernetes dashboard can access all the resources in the cluster, you can simply create a ClusterRoleBinding object to bind the cluster-admin role to the service account that runs the Kubernetes dashboard pod, using the following command:

kubectl create clusterrolebinding kubernetes-dashboard \
    --clusterrole=cluster-admin \
    --serviceaccount=kube-system:kubernetes-dashboard

Once this command has been applied, just hit refresh in your browser and the Kubernetes dashboard should be up and running with no more access error messages:

Kubernetes Dashboard - Cluster Admin

OK, this is great. But be aware that the Kubernetes dashboard pod can now do anything a cluster administrator can do. This may be fine with your strategy, but you may also want tighter control over what the dashboard is allowed to do.

In that case, you can start from the minimal role definition here and add the rules that you want to be applied to the dashboard. Once it’s done, just apply the YAML file again:

kubectl apply -f dashboard-rbac.yaml
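
As an added example (not part of the original post and not the AKS add-on's own manifest), here is one possible dashboard-rbac.yaml that gives the dashboard service account read-only access across the cluster while leaving Secrets out. The name dashboard-readonly and the list of resources are assumptions to adapt to your cluster.

```yaml
# dashboard-rbac.yaml -- illustrative example; the name "dashboard-readonly"
# and the resource list are assumptions, not taken from the AKS add-on.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-readonly
rules:
  # Core workloads and cluster objects: read-only verbs only.
  # "secrets" is deliberately absent, so the dashboard cannot read them
  # outside of what its minimal Role in kube-system already allows.
  - apiGroups: [""]
    resources:
      - pods
      - pods/log
      - services
      - endpoints
      - events
      - namespaces
      - nodes
      - persistentvolumes
      - persistentvolumeclaims
      - replicationcontrollers
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dashboard-readonly
subjects:
  # Same service account the cluster-admin binding above targets.
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system
```

RBAC permissions are additive, so if the cluster-admin binding created earlier still exists, remove it with kubectl delete clusterrolebinding kubernetes-dashboard; otherwise it keeps granting full access alongside this role.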

Hope this helps!

