Issue Background: With an Azure Kubernetes Service deployment (version 1.17.9) in my dev environment, I launch the Kubernetes Dashboard application, but I can't see any Kubernetes resources and I get the following error notification:

```
clusterroles.rbac.authorization.k8s.io is forbidden: User "clusterUser" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
```

I am attempting to list resources as the user clusterUser.

```
kubectl describe clusterrolebinding kubernetes-dashboard
```

```
Name:         kubernetes-dashboard
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind            Name                  Namespace
  ----            ----                  ---------
  ServiceAccount  kubernetes-dashboard  kube-system
```

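The only subject of this ClusterRoleBinding is the kubernetes-dashboard ServiceAccount. clusterUser is not listed as a subject, so the binding grants that user no permissions. We recreate the binding with clusterUser as an additional subject: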

```
kubectl delete clusterrolebinding kubernetes-dashboard
kubectl create clusterrolebinding kubernetes-dashboard --clusterrole=cluster-admin --serviceaccount=kube-system:kubernetes-dashboard --user=clusterUser
kubectl describe clusterrolebinding kubernetes-dashboard
```

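Now clusterUser is included as a subject of the ClusterRoleBinding. Because the referenced role is cluster-admin, this grants clusterUser every verb on every resource, not just the list permission named in the error.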
Upon browser reload, we get the expected outcome.
Some simplified definitions:
The RBAC API declares four kinds of Kubernetes object: Role, ClusterRole, RoleBinding and ClusterRoleBinding.
- Role always sets permissions within a particular namespace.
- ClusterRole sets permissions for non-namespaced and cluster-wide resources.
- RoleBinding grants the permissions defined in a role to a user or set of users. It holds a list of subjects (users, groups, or service accounts) and a reference to the role being granted.
- ClusterRoleBinding grants the permissions defined in a ClusterRole across the whole cluster.
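
The definitions above and the "forbidden" error from the start of the post can be tied together with a small model of the RBAC decision. This is an added example, not code from the original post or from Kubernetes: it is a simplified evaluator (no groups, resourceNames or aggregated roles), all objects are constructed sample data, and the `rbac-viewer` role is a hypothetical name for a narrower alternative to binding clusterUser to cluster-admin.

```python
# Simplified model of the Kubernetes RBAC check for cluster-scoped requests.
# All objects below are constructed sample data, not output from a real cluster.
CLUSTER_ROLES = {
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    # Hypothetical narrower role (assumed name) covering only the failing request.
    "rbac-viewer": [{"apiGroups": ["rbac.authorization.k8s.io"],
                     "resources": ["clusterroles", "clusterrolebindings"],
                     "verbs": ["get", "list", "watch"]}],
}
SA = {"kind": "ServiceAccount", "name": "kubernetes-dashboard", "namespace": "kube-system"}
USER = {"kind": "User", "name": "clusterUser"}

def binding(role, *subjects):
    return {"roleRef": {"kind": "ClusterRole", "name": role}, "subjects": list(subjects)}

def _match(allowed, value):
    return "*" in allowed or value in allowed

def rule_allows(rule, api_group, resource, verb):
    return (_match(rule["apiGroups"], api_group)
            and _match(rule["resources"], resource)
            and _match(rule["verbs"], verb))

def subject_matches(subject, requester):
    if subject["kind"] != requester["kind"] or subject["name"] != requester["name"]:
        return False
    # ServiceAccount subjects are namespaced; User subjects are not.
    return subject["kind"] != "ServiceAccount" or subject.get("namespace") == requester.get("namespace")

def can_i(bindings, requester, verb, resource, api_group):
    """RBAC is additive: allow if any binding naming the requester grants the request."""
    for b in bindings:
        if not any(subject_matches(s, requester) for s in b["subjects"]):
            continue
        rules = CLUSTER_ROLES.get(b["roleRef"]["name"], [])
        if any(rule_allows(r, api_group, resource, verb) for r in rules):
            return True
    return False  # no matching rule: the API server answers "forbidden"

REQUEST = ("list", "clusterroles", "rbac.authorization.k8s.io")
before = [binding("cluster-admin", SA)]        # original binding: service account only
after = [binding("cluster-admin", SA, USER)]   # binding recreated with --user=clusterUser
narrow = [binding("cluster-admin", SA), binding("rbac-viewer", USER)]  # assumed alternative

if __name__ == "__main__":
    for label, b in (("before", before), ("after", after), ("narrow", narrow)):
        print(label, can_i(b, USER, *REQUEST))
```

On a live cluster the equivalent check is `kubectl auth can-i list clusterroles --as=clusterUser`.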