Update docs to cover RBAC changes in K8S 1.6 #1803

Closed
floreks opened this issue Mar 31, 2017 · 12 comments

@floreks
Member

commented Mar 31, 2017

As mentioned in #1800, we should add some info to our documentation that, because of changes in Kubernetes 1.6, users who want to enable RBAC should configure it first to allow Dashboard access to the API server.

@stevenbower

commented Apr 2, 2017

A temporary workaround to make it work:

# Create the clusterrole and clusterrolebinding:
# $ kubectl create -f kube-dashboard-rbac.yml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: dashboard-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: default
  namespace: kube-system

This is clearly giving a ton of perms to the default user and is probably a very bad idea for systems beyond just playing around.
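
An added example, not part of the original thread or the Dashboard project: a small audit that flags the pattern used in these workarounds, a ServiceAccount bound to `cluster-admin` through a ClusterRoleBinding. It assumes input shaped like the output of `kubectl get clusterrolebindings -o json`; the sample data and the `audit` function name are constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`.
# The first two items mirror the workarounds posted in this thread.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"metadata": {"name": "dashboard-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "default",
                "namespace": "kube-system"}]},
 {"metadata": {"name": "dashboard"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "dashboard",
                "namespace": "kube-system"}]},
 {"metadata": {"name": "cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]},
 {"metadata": {"name": "metrics-view"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "ServiceAccount", "name": "metrics",
                "namespace": "monitoring"}]},
 {"metadata": {"name": "empty-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": null}
]}
""")


def audit(binding_list, risky_roles=("cluster-admin",)):
    """Return one finding per ServiceAccount bound to a risky ClusterRole."""
    findings = []
    for binding in binding_list.get("items", []):
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky_roles:
            continue
        # "subjects" may be absent or null on a binding with no subjects.
        for subject in binding.get("subjects") or []:
            if subject.get("kind") != "ServiceAccount":
                continue
            findings.append({
                "binding": binding["metadata"]["name"],
                "service_account": f'{subject.get("namespace")}/{subject.get("name")}',
                # Pods that set no serviceAccountName run as "default", so
                # this grant reaches every such pod in the namespace.
                "default_sa": subject.get("name") == "default",
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
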

@m4r10k

commented Apr 4, 2017

I stumbled over the same documentation problem and the same issue as in #1806. Any real solution yet?

@floreks

Member Author

commented Apr 4, 2017

@kleinsasserm We could prepare some basic Roles and a new SA for dashboard, but it's really up to the user how he wants to configure the authorization layer in his cluster. He might want to make dashboard read-only and block create/update permissions, or just give full permissions.

I will prepare an additional yaml that will work with an out-of-the-box 1.6 cluster, but it will grant all permissions that dashboard needs to be fully operational.

For now I'd recommend reading the RBAC-related documentation and configuring it on your own.

@m4r10k

commented Apr 4, 2017

What I want to say is that the documentation (https://kubernetes.io/docs/user-guide/ui/, https://github.com/kubernetes/dashboard) is misleading -> there is not a single word about RBAC. It just does not work. RBAC is really OK, and so is your suggestion, but I think it would be helpful and enough if you included an example of how to set up a new SA and a role for dashboard, and how to use them (yaml). Pointing to the RBAC docs, which are mostly abstract (and that is also OK for technical purposes), without a useful example is a bit of a ping-pong game, because once again the current documentation is not working. Oh, if you want I can test it, and thank you for your support!

@floreks

Member Author

commented Apr 5, 2017

@maciaszczykm

@lenartj

Contributor

commented Apr 17, 2017

As a workaround I've created a ServiceAccount:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard
  namespace: kube-system

Made that account a cluster-admin:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: dashboard
  namespace: kube-system

And modified the Pod template in the kubernetes-dashboard Deployment:

spec:
  template:
    spec:
      serviceAccountName: dashboard

Probably the easiest to do via kubectl edit deploy -n kube-system kubernetes-dashboard

Hope it helps someone..

@maciaszczykm maciaszczykm added kind/bug and removed area/docs labels Apr 18, 2017

@floreks

Member Author

commented Apr 18, 2017

@lenartj you are welcome to create a PR and add additional dashboard yaml that is compliant with kubernetes 1.6. If you don't have time we can do it for you.

floreks added a commit that referenced this issue Apr 19, 2017

Updated deployment files for 1.6 (#1856)
* Added deployment file for 1.6

- Added a ServiceAccount for kubernetes-dashboard and created a
  ClusterRoleBinding to cluster-admin (#1803)
- Updated the toleration to node-role.kubernetes.io/master
- Moved the toleration from the annotations into spec

* Clarified the reason for the new deployment file

- Renamed to kubernetes-dashboard-with-rbac.yaml
- Added comment in the yaml
- Added app labels for ServiceAccount and ClusterRoleBinding

* Added instructions for kubernetes-dashboard-with-rbac.yaml

* Fixed typo in README.md

* Updated/added -head deployments

* Fixed typos in -head deployments

* Saved current deployment files to -no-rbac

* Updated main deployment files with the RBAC versions

* Updated docs with legacy deployment files

* Fixed typo in README.md
@maciaszczykm

Member

commented Apr 19, 2017

Done in #1856.

@aschofie

commented Oct 10, 2017

Speaking as a developer setting up their first Kubernetes cluster from scratch (and having no prior experience with Kubernetes), I agree with @kleinsasserm that the documentation is at the very least misleading. As of 1.8 though it seems that RBAC is the norm, and there is no possibility that just doing:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

with the current version will work, given a fresh kubernetes cluster, so the documentation might also be considered for promotion to flat out wrong.

Kudos to @lenartj for the workaround. For an updated version, if you drop this in the existing kubernetes-dashboard.yaml it should work:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-rb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
@floreks

Member Author

commented Oct 10, 2017

Of course Dashboard will work if you use this command. You won't have access if you do not log in but Dashboard will work just fine. Everything is described on our wiki pages. Giving admin permissions to Dashboard also.

@AssafKatz3

commented Dec 4, 2017

Maybe I missed something, but for version 1.6 (1.6.7 at least), I don't see any solution here...
