1

I am fairly new to kubernetes and I am trying to create normal users that will have limited access to their specific namespace.

I have followed the documentation Certificate Signing Requests/Normal user and I have successfully create a test-user and I am able to restrict the privileges of the user. I am trying to understand if I can provide access to the Dashboard for this user and only being able to see his own resources e.g. only his namespace.

Through my process I found all the documentation mentioning that you need to have a service account in order to access the Dashboard Creating sample user.

Then I kept reading that service accounts Managing Service Accounts. "User accounts are for humans. Service accounts are for processes, which run in pods."

In a relevant question in the community Is there a way to create a token for a normal user in Kubernetes?. Again the answer to this question was to create a service account, but as it is documented on the official documentation we should be using service accounts for processes that are running on pods.

I am a bit confused on this topic can someone share the best practices and maybe a bit more information if a user (non admin) should be able to have access to Dashboard and view the same resources as unde the role binded with him?

Thanos
  • 1,618
  • 4
  • 28
  • 49
  • Are you asking about [Static Token File](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#static-token-file) ? Or you want to Login to Kubernetes Dashboard using `Authorization header`: sing authorization header is the only way to make Dashboard act as an user, when accessing it over HTTP. – PjoterS Dec 15 '20 at 13:34

1 Answers1

1

The most common way to create bearer token and connect to Kubernetes Dashboard is to use ServiceAccount.

However, if you want to create Bearer Token for User Account you have to use Static Token File according to my knowledge.

In scenario, where you want to allow user account access to Kubernetes Dashboard you have to consider using Authorization header option.

Using authorization header is the only way to make Dashboard act as an user, when accessing it over HTTP. Note that there are some risks since plain HTTP traffic is vulnerable to MITM attacks.

To make Dashboard use authorization header you simply need to pass Authorization: Bearer in every request to Dashboard. This can be achieved i.e. by configuring reverse proxy in front of Dashboard. Proxy will be responsible for authentication with identity provider and will pass generated token in request header to Dashboard. Note that Kubernetes API server needs to be configured properly to accept these tokens.

For testing purpose you can use plugin which allows you to modify request headers.

Side Note

Authorization header will not work if Dashboard is accessed through API server proxy. Both kubectl proxy and API Server way of accessing Dashboard described in Accessing Dashboard guide will not work. It is due to the fact that once request reaches API server all additional headers are dropped.

Example of reverse proxy is Kublr. Better description you can find in Leveraging Client Certificates and Bearer Tokens to Authenticate in Kubernetes blog.

PjoterS
  • 12,841
  • 1
  • 22
  • 54
  • I see thanks a lot for the explanation. I was also thinking that since Dashboard is an app then it is kind of one way to create service accounts instead of user accounts. The analysis is very useful thanks a lot :) – Thanos Dec 16 '20 at 12:10