
Permission list needed for kubernetes service user, if RBAC enabled

Open Timbus opened this issue 6 years ago • 7 comments

Hi. I tried to run this plugin on an existing kube+prometheus+grafana setup and noticed grafana needs additional permissions to complete the setup (specifically: list deployments.apps in the namespace "kube-system"). Would you guys be able to add an RBAC config to this repo? I can't really figure out what permissions this app needs beyond adding them one at a time, every time I get an error.

Timbus avatar Mar 19 '18 00:03 Timbus

@Timbus I'll look into adding one to this repo. If you already ended up making one, a PR would be greatly appreciated.

jtlisi avatar Mar 21 '18 13:03 jtlisi

Unfortunately I ended up applying a very broad policy, essentially 'read/list all'. I can't recommend it.

I guess the only API calls would be coming from the Kube Datasource, no? So if there was a way to list all of the calls being made, a reasonable RBAC config could be built from it.

Timbus avatar Mar 21 '18 23:03 Timbus
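The approach suggested above, building a minimal role from the API calls the datasource actually makes, can be automated from API-server audit logs. This is an added example, not code from the thread or from the plugin: the audit events are constructed to resemble the datasource's calls, and the username `grafana` is an assumption.

```python
import json
from collections import defaultdict

# Constructed audit events (audit.k8s.io/v1 Event shape, trimmed to the fields used
# here). They imitate the calls the Grafana datasource makes but were not captured
# from a real cluster; the username "grafana" is assumed.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"user": {"username": "grafana"}, "verb": "list",
     "objectRef": {"resource": "pods", "apiGroup": "", "namespace": "kube-system"}},
    {"user": {"username": "grafana"}, "verb": "watch", "objectRef": {"resource": "pods", "apiGroup": ""}},
    {"user": {"username": "grafana"}, "verb": "get",
     "objectRef": {"resource": "deployments", "apiGroup": "apps", "namespace": "kube-system"}},
    {"user": {"username": "grafana"}, "verb": "list", "objectRef": {"resource": "deployments", "apiGroup": "apps"}},
    {"user": {"username": "grafana"}, "verb": "list", "objectRef": {"resource": "nodes", "apiGroup": ""}},
    {"user": {"username": "grafana"}, "verb": "get", "objectRef": {"resource": "componentstatuses", "apiGroup": ""}},
    {"user": {"username": "grafana"}, "verb": "get", "requestURI": "/version"},  # non-resource URL
    {"user": {"username": "system:kube-controller-manager"}, "verb": "update",
     "objectRef": {"resource": "endpoints", "apiGroup": ""}},
])

def rules_for_user(audit_log: str, username: str) -> list:
    """Collect the (apiGroup, resource) -> verbs one user actually exercised."""
    verbs = defaultdict(set)
    for line in filter(None, audit_log.splitlines()):
        event = json.loads(line)
        if event.get("user", {}).get("username") != username:
            continue  # another principal's traffic
        ref = event.get("objectRef")
        if not ref or "resource" not in ref:
            continue  # non-resource URL; cannot be expressed as a resource rule
        verbs[(ref.get("apiGroup", ""), ref["resource"])].add(event["verb"])
    return [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
            for (g, r), v in sorted(verbs.items())]

def to_cluster_role(name: str, rules: list) -> str:
    """Render rules as a ClusterRole manifest in the flow style used in this thread."""
    out = ["kind: ClusterRole", "apiVersion: rbac.authorization.k8s.io/v1",
           "metadata:", f"  name: {name}", "rules:"]
    for rule in rules:
        out.append(f"- apiGroups: {json.dumps(rule['apiGroups'])}")
        out.append(f"  resources: {json.dumps(rule['resources'])}")
        out.append(f"  verbs: {json.dumps(rule['verbs'])}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_cluster_role("grafana", rules_for_user(SAMPLE_AUDIT_LOG, "grafana")))
```

The output is only as complete as the capture: a plugin page you never opened while auditing will not have its verbs in the role, so exercise every view before trusting the result.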

+1

caiohasouza avatar Apr 28 '18 20:04 caiohasouza

I'm using this config for our grafana integration:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: grafana
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["componentstatuses"]
  verbs: ["get", "list"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: grafana-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: grafana
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: grafana

snakecharmer avatar Apr 28 '18 22:04 snakecharmer

Hi @snakecharmer

Cool, I use this config but I need to add "nodes" permissions:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: grafana
rules:
- apiGroups: [""]
  resources: ["pods", "nodes"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["componentstatuses"]
  verbs: ["get", "list"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: grafana-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: grafana
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: grafana

Thank you!

caiohasouza avatar May 01 '18 15:05 caiohasouza

How are you solving the problem that the plugin doesn't use the auth token? E.g.:

curl -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" -k https://100.64.0.1/api/v1/nodes

This works fine in the container, but Grafana still 401's. So my assumption is that it is not adding the header.

jurgenweber avatar Jun 16 '19 23:06 jurgenweber

I definitely need this. I just tested kubernetes-app and your documentation lacks information about RBAC. Please add some YAMLs for easy manual deployment (not only the ClusterRole object, but all other necessary objects). It will be very helpful and will save your users a lot of time.

phidlipus avatar Jul 02 '19 15:07 phidlipus