Closed ledroide closed 4 years ago
The get
verb on the nodes/proxy
should be enough.
Could you run:
$ kubectl get --raw /api/v1/nodes/minikube/proxy/stats/summary --as <USER>
From the information you provided, it seems you run the command using --context=deployment-manager
while only the clusterrole-viewer
cluster role has the required permission.
Solved. Many thanks @astefanutti Maybe I'm not familiar with the role syntax : I authorized "nodes" resource but not explicitly "nodes/proxy" in my clusterrole-viewer. I thought it was globally implicit.
Here is the diff that makes my role allowing a user to get metrics usage :
@@ -17,6 +17,7 @@ rules:
- storage.k8s.io
resources:
- nodes
+ - nodes/proxy
- storageclasses
verbs:
- get
Closing the issue.
Thanks for the feedback. Indeed sub-resources have to be explicitly specified.
I would like to allow some users to use kubebox in order to set properly resources requests and limits - based on RBAC.
I have added many rights to their Roles, but I still have the message "Resources usage metrics unauthorized". I have not found in documentation which rights were necessary for kubebox, except nodes/proxy.
Of course I have checked :
Here are my manifests for the roles that I bind to users accounts:
Additional info :