I created a ClusterRole "try-usr":
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: try-usr
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
When accessing the Web UI (dashboard), it throws an error, as shown below:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"xyz\" cannot get services/proxy in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}
1 Answer
Depending on the Kubernetes version, the dashboard will require different permissions according to the docs.
v1.7
create and watch permissions for secrets in the kube-system namespace, required to create and watch for changes of the kubernetes-dashboard-key-holder secret.
get, update and delete permissions for the secrets named kubernetes-dashboard-key-holder and kubernetes-dashboard-certs in the kube-system namespace.
proxy permission to the heapster service in the kube-system namespace, required to allow getting metrics from heapster.
v1.8
create permission for secrets in the kube-system namespace, required to create the kubernetes-dashboard-key-holder secret.
get, update and delete permissions for the secrets named kubernetes-dashboard-key-holder and kubernetes-dashboard-certs in the kube-system namespace.
get and update permissions for the config map named kubernetes-dashboard-settings in the kube-system namespace.
proxy permission to the heapster service in the kube-system namespace, required to allow getting metrics from heapster.
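The error in the question is about the user "xyz" reaching the dashboard through the API server's service proxy (the `.../services/https:kubernetes-dashboard:/proxy/` path), which RBAC authorizes as a `get` on the `services/proxy` subresource in kube-system, while the list in the answer describes what the dashboard's own service account needs. The manifest below is an added example, not code from the question, the answer or the dashboard project: part 1 grants the user exactly the access the 403 names, part 2 writes the answer's v1.8 list as a namespaced Role for the dashboard's service account. The Role and binding names and the service account name "kubernetes-dashboard" are assumptions.

```yaml
# Added example; not from the original question, answer or the dashboard project.
# Assumed names: dashboard-proxy-user, xyz-dashboard-proxy, dashboard-minimal,
# dashboard-minimal-binding and the service account "kubernetes-dashboard".

# Part 1: let user "xyz" open the dashboard through the API server proxy.
# The resource name seen by RBAC is the proxied service name including the
# scheme and port fields, which is why "https:kubernetes-dashboard:" from the
# error message appears here next to the bare service name.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dashboard-proxy-user          # assumed name
  namespace: kube-system
rules:
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["kubernetes-dashboard", "https:kubernetes-dashboard:"]
  verbs: ["get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: xyz-dashboard-proxy           # assumed name
  namespace: kube-system
subjects:
- kind: User
  name: xyz                           # user name taken from the 403 message
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dashboard-proxy-user
  apiGroup: rbac.authorization.k8s.io
---
# Part 2: the v1.8 list from the answer, scoped to kube-system and to the
# named objects, so the dashboard's service account gets no more than listed.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dashboard-minimal             # assumed name
  namespace: kube-system
rules:
  # create permission for secrets (needed for kubernetes-dashboard-key-holder)
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # get, update, delete on the two dashboard-owned secrets only
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # get and update on the kubernetes-dashboard-settings config map only
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # proxy permission to the heapster service, for metrics
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dashboard-minimal-binding     # assumed name
  namespace: kube-system
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard          # assumed service account name
  namespace: kube-system
roleRef:
  kind: Role
  name: dashboard-minimal
  apiGroup: rbac.authorization.k8s.io
```

Two checks worth running before applying this. First, `resources: ["*"]` in an RBAC rule also matches subresources such as `services/proxy`, so the ClusterRole in the question would already allow the request if it were bound to the user with a scope that covers kube-system (a ClusterRoleBinding, or a RoleBinding in kube-system); `kubectl auth can-i get services/proxy -n kube-system --as xyz` shows whether any binding is actually in effect. Second, the per-object `resourceNames` above only restrict `get`, `update` and `delete`; `create`, `list` and `watch` cannot be limited by name, which is why the secret-creation rule has to be namespace-wide.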