kubernetes dashboard kubernetes-security

Restricted Kubernetes dashboard?

Is it possible to have a restricted Kubernetes dashboard? The idea is to have a pod running kubectl proxy in the cluster (protected with basic HTTP authentication) to get a quick overview of the status:

Log output of the pods
Running services and pods
Current CPU/memory usage

However, I do not want users to be able to do "privileged" actions, like creating new pods, deleting pods or accessing secrets.

Is there some option to start the dashboard with a specified user or with restricted permissions?

Solution

It should be possible in kubernetes with RBAC enabled. You do not need to run a pod with kubectl proxy. I'm not sure whether it is possible to have 2 different sets of permissions for the same pod, but worst case you have to run 2 dashboards.

Basically, what you need to do is:

deploy dashboard in your cluster with read-only permissions in RBAC
expose your running dashboard service
add ingress with basic HTTP auth

How to list kubernetes services in k9s?
Connecting K8s and Nomad using a single Consul Server (DC1). Is this even possible or what is the next best way to do so?
What does "eksctl create iamserviceaccount" do under the hood on an EKS cluster?
Helm chart. I cannot send a command to the container via --set
is it possible to shrink the spaces of io.containerd.snapshotter.v1.overlayfs folder in kubernetes
Cannot connect to Kubernetes NodePort Service
ArgoCd does not trigger on GitOps repo update?
How add JAVA_OPTS variable to wildfly by kubernetes yaml file?
Is there a way to enable shareProcessNamespace for helm post-install hook?
Helm Template Indention Error Using Dict Split and Range
How to use kubernetes secrets in nodejs application?
When PersistentVolumes are deleted on kubernetes?
How do reclaim policys for persistent storage work in Kubernetes?
Printing not being logged by Kubernetes
Can't create Secret in Kubernetes: illegal base64 data at input
Kubernetes - create secret with a label using cli in a single line
How do I find the join command for kubeadm on the master?
How to check ephemeral storage that is allocated to EKS node
How to enter a pod as root?
Access Denied on vault secrets
Is there a way to generate a helm install script from a ConfigMap?
Kubernetes - pod has unbound immediate PersistentVolumeClaims
How to delete all resources from Kubernetes one time?
Extract Only Secret Values with EKS + Vault CSI Provider
ActiveMQ Artemis master (primary) pod goes to restart loop after change to shared-store HA option
Unable to connect to the server: getting credentials: exec: executable kubelogin not found
Delete kubernetes node pull with Terraform without cluster recreating
Unable to add Grafana Loki datasource in Kubernetes
Best practice spread pod across the node evenly
kubectl : --dry-run is deprecated and can be replaced with --dry-run=client