Issue Background: With an Azure Kubernetes Service deployment (version 1.17.9) in my dev environment, I launch the Kubernetes Dashboard application and I can’t see any Kubernetes resources and I get the following error notification
clusterroles.rbac.authorization.k8s.io is forbidden: User “clusterUser” cannot list resource “clusterroles” in API group “rbac.authorization.k8s.io” at the cluster scope
I am attempting to list resources as the user clusterUser.
Resolution:
kubectl describe clusterrolebinding kubernetes-dashboard
Name: kubernetes-dashboard
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount kubernetes-dashboard kube-system
We see that the clusterUser does not have permissions defined in the cluster role binding
kubectl delete clusterrolebinding kubernetes-dashboard
kubectl create clusterrolebinding kubernetes-dashboard --clusterrole=cluster-admin --serviceaccount=kube-system:kubernetes-dashboard --user=clusterUser
kubectl describe clusterrolebinding kubernetes-dashboard
Now we see the cluster role is included in the clusterrolebinding.
Upon browser reload, we get expected outcome:
Some simplified definitions:
The RBAC API declares four kinds of Kubernetes object: Role, ClusterRole, RoleBinding and ClusterRoleBinding.
- Role always sets permissions within a particular namespace
- ClusterRole sets permissions for non-namespaced and cluster-wide resources.
- Role Binding grants the permissions defined in a role to a user or set of users. It holds a list of subjects (users, groups, or service accounts), and a reference to the role being granted.
- ClusterRoleBinding grants permissions to cluster wide resources
References:
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
Roy Kim on Azure and Microsoft 365 
Thank you for sharing. It worked for me. I am using AKS version 1.17.11
WORKS FOR ME!! You the man, Canada is the best