astefanutti / kubebox

⎈❏ Terminal and Web console for Kubernetes
http://astefanutti.github.io/kubebox
MIT License

Resources usage metrics unauthorized #66

Closed ledroide closed 4 years ago

ledroide commented 4 years ago

I would like to allow some users to use kubebox in order to set resource requests and limits properly - based on RBAC.

I have added many rights to their Roles, but I still have the message "Resources usage metrics unauthorized". I have not found in the documentation which rights were necessary for kubebox, except nodes/proxy.

Of course I have checked:

$ kubectl auth can-i get nodes/proxy --context=deployment-manager
yes
$ kubectl auth can-i get podmetrics --context=deployment-manager
yes
$ kubectl describe podmetrics database-0 --context=deployment-manager
Name:         database-0
Namespace:    iam
Labels:       <none>
Annotations:  <none>
API Version:  metrics.k8s.io/v1beta1
Containers:
  Name:  metrics
  Usage:
    Cpu:     12979029n
    Memory:  15716Ki
  Name:      mariadb-galera
  Usage:
    Cpu:     12115500n
    Memory:  576096Ki
Kind:        PodMetrics
Metadata:
  Creation Timestamp:  2019-10-08T13:09:34Z
  Self Link:           /apis/metrics.k8s.io/v1beta1/namespaces/iam/pods/database-0
Timestamp:             2019-10-08T13:08:46Z
Window:                30s
Events:                <none>

Here are my manifests for the roles that I bind to user accounts:

---
# This ClusterRole is used from namespaced RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: deployment-manager
rules:
- apiGroups:
    - ''
    - extensions
    - apps
    - autoscaling
    - batch
    - networking.k8s.io
  resources:
    - deployments
    - replicasets
    - pods
    - replicationcontrollers
    - statefulsets
    - daemonsets
    - services
    - horizontalpodautoscalers
    - jobs
    - cronjobs
    - ingresses
    - persistentvolumeclaims
    - serviceaccounts
    - configmaps
    - secrets
  verbs:
    - get
    - list
    - watch
    - create
    - update
    - patch
    - delete
    - exec
- apiGroups:
    - metrics.k8s.io
  resources:
    - pods
  verbs:
    - get
    - list
    - watch
- apiGroups:
    - '*'
  resources:
    - rolebindings
    - roles
    - limitranges
    - resourcequotas
  verbs:
    - list
    - get
    - watch
- apiGroups:
    - ''
  resources:
    - namespaces
  verbs:
    - list
- apiGroups:
    - '*'
  resources:
    - pods/exec
    - pods/log
    - pods/portforward
    - pods/status
    - services/portforward
    - bindings
    - events
    - limitranges
    - namespaces/status
    - replicationcontrollers/status
    - resourcequotas
    - resourcequotas/status
  verbs:
    - create
    - list
    - get
- apiGroups:
    - apps
  resources:
    - deployments/scale
    - replicasets/scale
    - statefulsets/scale
  verbs:
    - update
---
# This ClusterRole is used from cluster-wide ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: clusterrole-viewer
rules:
- apiGroups:
    - rbac.authorization.k8s.io
  resources:
    - clusterroles
    - clusterrolebindings
  verbs:
    - list
- apiGroups:
    - ''
    - metrics.k8s.io
    - storage.k8s.io
  resources:
    - nodes
    - storageclasses
  verbs:
    - get
    - list
    - watch
- apiGroups:
    - ''
  resources:
    - namespaces
  verbs:
    - list

Additional info:

astefanutti commented 4 years ago

The get verb on nodes/proxy should be enough.

Could you run:

$ kubectl get --raw /api/v1/nodes/minikube/proxy/stats/summary --as <USER>

From the information you provided, it seems you run the command using --context=deployment-manager while only the clusterrole-viewer cluster role has the required permission.

ledroide commented 4 years ago

Solved. Many thanks @astefanutti. Maybe I'm not familiar with the role syntax: I authorized the "nodes" resource but not explicitly "nodes/proxy" in my clusterrole-viewer. I thought it was globally implicit.

Here is the diff that makes my role allow a user to get metrics usage:

@@ -17,6 +17,7 @@ rules:
     - storage.k8s.io
   resources:
     - nodes
+    - nodes/proxy
     - storageclasses
   verbs:
     - get
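Review bot: the added `nodes/proxy` entry inherits every verb of this rule, including the `list` and `watch` shown in the role earlier in the thread, although only `get` on `nodes/proxy` is needed to reach the kubelet summary endpoint (as the maintainer noted); and since `get` on `nodes/proxy` authorizes any GET proxied to the kubelet on every node, not just `/stats/summary`, it grants more than metrics read access. Consider giving the sub-resource its own rule with `verbs: [get]`, and binding that ClusterRole only to the users who actually need kubebox metrics rather than cluster-wide to all viewers.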

Closing the issue.

astefanutti commented 4 years ago

Thanks for the feedback. Indeed sub-resources have to be explicitly specified.
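As an added example (not kubebox's or Kubernetes' own code), a Python sketch of the matching rule behind this thread: in a PolicyRule, each resource name matches a request either exactly or through `*` (or `*/<subresource>`), so a bare `nodes` entry never covers `nodes/proxy`. The rule dicts are constructed transcriptions of the clusterrole-viewer rule before and after the diff above.

```python
"""RBAC PolicyRule matcher: API group, verb and resource must each match
exactly or via "*"; a sub-resource such as nodes/proxy is matched only by
an explicit "nodes/proxy" entry or a "*/proxy" wildcard, never by "nodes"."""


def resource_matches(rule_resources, resource, subresource=""):
    """Mirror the authorizer: compare against "resource/subresource"."""
    combined = f"{resource}/{subresource}" if subresource else resource
    for r in rule_resources:
        if r == "*" or r == combined:
            return True
        # "*/<subresource>" grants that sub-resource on every resource
        if subresource and r == f"*/{subresource}":
            return True
    return False


def rule_allows(rule, group, resource, subresource, verb):
    groups = rule.get("apiGroups", [])
    verbs = rule.get("verbs", [])
    return (
        ("*" in groups or group in groups)
        and ("*" in verbs or verb in verbs)
        and resource_matches(rule.get("resources", []), resource, subresource)
    )


def role_allows(rules, group, resource, subresource, verb):
    """A role allows a request when any single rule allows it."""
    return any(rule_allows(r, group, resource, subresource, verb) for r in rules)


# Constructed transcription of the clusterrole-viewer rule before the fix.
VIEWER_BEFORE = [{
    "apiGroups": ["", "metrics.k8s.io", "storage.k8s.io"],
    "resources": ["nodes", "storageclasses"],
    "verbs": ["get", "list", "watch"],
}]

# The same rule after the diff added the sub-resource explicitly.
VIEWER_AFTER = [{
    "apiGroups": ["", "metrics.k8s.io", "storage.k8s.io"],
    "resources": ["nodes", "nodes/proxy", "storageclasses"],
    "verbs": ["get", "list", "watch"],
}]


def can_read_kubelet_stats(rules):
    """The permission kubebox needs: GET on nodes/proxy in the core group."""
    return role_allows(rules, "", "nodes", "proxy", "get")


if __name__ == "__main__":
    print("before:", can_read_kubelet_stats(VIEWER_BEFORE))  # False
    print("after: ", can_read_kubelet_stats(VIEWER_AFTER))   # True
```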