How to restrict user access to the AKS dashboard
The AKS documentation, in order to get the dashboard working on a cluster with RBAC enabled, tells you to bind the 'kubernetes-dashboard' service account directly to the 'cluster-admin' ClusterRole. This raises an obvious security concern: anyone who can reach the dashboard then has cluster-admin rights over every resource in the cluster, because the dashboard acts with its own service account rather than with the identity of the person using it.
To restrict what a user can do through the dashboard, you can try the approach below.
Note that this restriction applies to human users, so you need either an AKS cluster integrated with Azure AD or RBAC configured for human users with the certificate-based approach I described in the previous article.
Scenario 1:
AKS integrated with Azure AD
1. Follow the instructions in the link under Reference to modify the parameters of your 'kubernetes-dashboard' deployment.
2. Create a Role like the one below and a RoleBinding that associates the user with it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: kube-system
  name: dashboard-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods", "pods/portforward"]
  verbs: ["get", "list", "create"]
This grants the user just enough to reach the 'kubernetes-dashboard' pod: listing the pods in kube-system and creating a port-forward to one of them, which is what 'az aks browse' does under the hood. It grants nothing on any other resource.
3. Run 'az aks browse' to open the dashboard.
The command writes a temporary kubeconfig file to your system and asks you to log in to Azure AD first.

After that you will see the dashboard login view, like below.

4. Open the temporary kubeconfig file, copy the Azure AD access token from it and paste it into the 'Token' field on the login page.

5. You should now be able to see the dashboard. If the user has no access to a resource in the cluster, the dashboard shows a 'forbidden' error for it; the RBAC permissions for those resources have to be configured separately, with additional Roles and RoleBindings for that user.
Scenario 2:
AKS without Azure AD integration
The steps are almost the same, but there are two differences worth mentioning.
1. Because the user authenticates to the Kubernetes API server with a client certificate, there is no token to paste into the login page. Create a service account (for example with the same name as the user) with the same RoleBinding as the user, and log in with that service account's token:
kubectl get secret -n <namespace>
kubectl get secret -n <namespace> <sa-token-secret> -o jsonpath='{.data.token}' | base64 -d
Note that on clusters running Kubernetes 1.24 or later a token secret is no longer created automatically for a service account; there you can issue a short-lived token with 'kubectl create token <service-account> -n <namespace>' instead.
2. Because the user only has the kubeconfig we distributed and cannot run 'az aks get-credentials', they reach the dashboard through the API server proxy instead of 'az aks browse':
kubectl proxy
Then open one of the following in the browser:
http://localhost:8001/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy/#!/overview?namespace=default
or, if the dashboard service is served over HTTPS:
http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
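The page describes the Role but leaves the RoleBinding and the service account as prose. The script below is an added example (not code from the original article or from the AKS documentation) that generates the complete set of objects for both scenarios: the 'dashboard-reader' Role from the page, a RoleBinding for an Azure AD user (Scenario 1), and a ServiceAccount plus RoleBinding for a certificate-only user (Scenario 2), together with the token decoding of Scenario 2 step 1. The principal names, the binding names and the sample token are assumptions for illustration; the namespace follows the page (kube-system).

```shell
#!/bin/sh
# Added example: RBAC objects for restricted dashboard access in AKS.
# Names other than the 'dashboard-reader' Role and the kube-system
# namespace are illustrative assumptions, not taken from the article.

NAMESPACE=kube-system

# The Role from the article: list pods in kube-system and port-forward to
# one of them, which is all the dashboard pod needs to be reachable.
gen_role() {
cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: ${NAMESPACE}
  name: dashboard-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/portforward"]
  verbs: ["get", "list", "create"]
EOF
}

# Scenario 1: bind an Azure AD principal (UPN or object ID, as the cluster
# presents it) to the Role. A K8s object name cannot contain '@', so the
# binding name is passed separately from the user name.
gen_user_binding() {
  binding="$1"
  user="$2"
cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: ${NAMESPACE}
  name: ${binding}
subjects:
- kind: User
  name: ${user}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dashboard-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Scenario 2: a ServiceAccount named after the user, bound to the same Role.
# ServiceAccount subjects carry a namespace and no apiGroup.
gen_sa_binding() {
  sa="$1"
cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: ${NAMESPACE}
  name: ${sa}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: ${NAMESPACE}
  name: dashboard-reader-${sa}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${NAMESPACE}
roleRef:
  kind: Role
  name: dashboard-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Scenario 2, step 1: the token in the service-account secret is stored
# base64-encoded in data.token; this decodes that field's value.
decode_token() {
  printf '%s' "$1" | base64 -d
}

# Usage (pipe into kubectl apply -f -):
#   sh dashboard-rbac.sh role
#   sh dashboard-rbac.sh user alice-dashboard alice@contoso.com
#   sh dashboard-rbac.sh sa alice
case "${1:-}" in
  role) gen_role ;;
  user) gen_user_binding "$2" "$3" ;;
  sa)   gen_sa_binding "$2" ;;
esac
```

After applying the objects you can confirm the scope of what was granted from a cluster-admin context with `kubectl auth can-i create pods/portforward -n kube-system --as alice@contoso.com` (expected: yes) and `kubectl auth can-i list secrets -n kube-system --as alice@contoso.com` (expected: no); the user name here is the same assumed value as in the script.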
Reference:
https://github.com/MicrosoftDocs/azure-docs/issues/23789#issuecomment-485010803