Restrict permissions of dashboard's service user to garden cluster
Currently, the dashboard has cluster-admin privileges, which is not necessary.
We should create a new dashboard role that only contains the necessary privileges.
These should be the required privileges for the dashboard. We have to split the dashboard chart into an application and a runtime chart, similar to the gardener charts (ref)
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gardener-dashboard-role
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - core.gardener.cloud
  resources:
  - quotas
  verbs:
  - list
  - watch
- apiGroups:
  - core.gardener.cloud
  resources:
  - projects
  verbs:
  - list
  - watch
- apiGroups:
  - core.gardener.cloud
  resources:
  - shoots
  verbs:
  - list
  - watch
- apiGroups:
  - apiregistration.k8s.io
  resources:
  - apiservices
  verbs:
  - get
- apiGroups:
  - core.gardener.cloud
  resources:
  - controllerregistrations
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  resourceNames:
  - cluster-identity
# terminal bootstrapping and #943
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
# terminal bootstrapping
- apiGroups:
  - core.gardener.cloud
  resources:
  - shoots
  verbs:
  - get
```
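As an added example (not code from this issue or from the gardener/dashboard project), an offline least-privilege check over a ClusterRole given as the dict PyYAML would load from the manifest: `grants` answers "can this role do X?" the way a reviewer would ask it, and `audit` flags wildcard grants and unscoped access to secrets. The embedded rules are a constructed subset of the role proposed above, and `grants`, `audit` and `CLUSTER_ADMIN_LIKE` are hypothetical names.

```python
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
SENSITIVE = {("", "secrets")}  # core resources worth scoping with resourceNames

# Constructed input: a subset of the rules proposed in this issue, as PyYAML would load them.
DASHBOARD_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "gardener-dashboard-role"},
    "rules": [
        {"apiGroups": ["authentication.k8s.io"], "resources": ["tokenreviews"], "verbs": ["create"]},
        {"apiGroups": ["core.gardener.cloud"], "resources": ["shoots"], "verbs": ["list", "watch", "get"]},
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"], "resourceNames": ["cluster-identity"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    ],
}
# The status quo the issue wants to move away from: a cluster-admin style role (constructed).
CLUSTER_ADMIN_LIKE = {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
                      "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}

def _match(pattern, value):
    return pattern == "*" or pattern == value

def grants(role, group, resource, verb, name=None):
    """True if some rule allows <verb> on <group>/<resource>, optionally for a named object."""
    for rule in role["rules"]:
        if not any(_match(g, group) for g in rule.get("apiGroups", [])):
            continue
        if not any(_match(r, resource) for r in rule.get("resources", [])):
            continue
        if not any(_match(v, verb) for v in rule.get("verbs", [])):
            continue
        names = rule.get("resourceNames")
        if names and name not in names:  # rule is scoped to specific objects only
            continue
        return True
    return False

def audit(role):
    """Findings that contradict least privilege: wildcards, writes to or unscoped reads of secrets."""
    findings = []
    for i, rule in enumerate(role["rules"]):
        groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(f"rule {i}: wildcard grant {groups}/{resources}/{verbs}")
        for g, r in ((g, r) for g in groups for r in resources if (g, r) in SENSITIVE):
            if WRITE_VERBS & set(verbs):
                findings.append(f"rule {i}: write access to {r}")
            if not rule.get("resourceNames"):
                findings.append(f"rule {i}: {r} readable cluster-wide, consider resourceNames")
    return findings
```

The same questions can be asked of a live cluster with `kubectl auth can-i --as=system:serviceaccount:<namespace>:<serviceaccount> <verb> <resource>`, which is the check to run after the chart split lands.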
this issue is blocked until gardener/monitoring#11 is resolved
this is now tracked in https://github.com/gardener/dashboard/issues/1338
The permissions of the dashboard user are restricted with https://github.com/gardener/dashboard/pull/1283 /close