search

grafana / kubernetes-app

A set of dashboards and panels for kubernetes.
https://grafana.com/plugins/grafana-kubernetes-app
Apache License 2.0
401 stars 149 forks source link

Permission list needed for kubernetes service user, if RBAC enabled #12

Open Timbus opened 6 years ago

Timbus commented 6 years ago

Hi. I tried to run this plugin on an existing kube+prometheus+grafana setup and noticed grafana needs additional permissions to complete the setup (specifically: list deployments.apps in the namespace "kube-system"). Would you guys be able to add an RBAC config to this repo? I can't really figure out what permissions this app needs beyond adding them one at a time, every time I get an error.

jtlisi commented 6 years ago

@Timbus I'll look into adding one to this repo. If you ended up making one already a PR would greatly be appreciated.

Timbus commented 6 years ago

Unfortunately I ended up applying a very broad policy, essentially 'read/list all'. I can't recommend it.

I guess the only API calls would be coming from the Kube Datasource, no? So if there was a way to list all of the calls being made, a reasonable RBAC config could be built from it.

caiohasouza commented 6 years ago

+1

snakecharmer commented 6 years ago

I'm using this config for our grafana integration:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: grafana
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["componentstatuses"]
  verbs: ["get", "list"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: grafana-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: grafana
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: grafana
caiohasouza commented 6 years ago

Hi @snakecharmer

Cool, i use this config but i need add "nodes" permitions:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: grafana
rules:
- apiGroups: [""]
  resources: ["pods", "nodes"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["componentstatuses"]
  verbs: ["get", "list"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: grafana-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: grafana
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: grafana

Thank you!

jurgenweber commented 5 years ago

How are you solving the problem that the plugin doesn't use the auth token? eg:

curl -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" -k https://100.64.0.1/api/v1/nodes

this works fine.. in the container.. but Grafana still 401's. So my assumption is, it is not adding the header.

phidlipus commented 5 years ago

I definitely need this. I just tested kubernetes-app and your documentation lacks information about RBAC. Please add some yamls for easy manual deployment (not only ClusterRole object, but all other necessary objects). It will be very helpful and you save a lot of time of your users.