How to grant users access to Grafana with minimal permissions


Task

You can follow these directions to create a new user and grant minimal permissions to view cluster monitoring and Grafana graphs in your Kubernetes cluster.

Requirements

  • Rancher v2.x
  • Monitoring enabled in your cluster

Background

You may have a use case to grant permissions to a user to view cluster monitoring metrics and graphs, but don't want that same user to be able to see other information or perform any actions on your cluster. This how-to guide will show you how to achieve this.

Solution

If you have not already, create a new user in Rancher. Go to the Global view and click on the Users menu. Click the Add Users button in the top right corner. Select the desired Username, Password, and Display Name. For Global Permissions, select User-Base and leave all Custom permissions unchecked. Click the Create button at the bottom of the form. Let's assume we are using the username johndoe.

Go to the Security menu and select Roles. Select the Projects tab and click the Add Project Role button. In the Name field, enter Services Proxy. Under Grant Resources, click the + Add Resource button. Check the Get and List boxes and enter services/proxy in the Resource field. Note that the UI displays this as services/proxy (Custom), which is normal. Click the Create button at the bottom to create the new project role.

Next, go to the cluster view for your cluster and select Members from the menu. Click the Add Members button in the top right corner. In the Members dropdown, select johndoe and select Member for Cluster Permissions. Click the Create button at the bottom of the form.

Now navigate to the System project in your cluster. Go to the Members menu and click the Add Member button. Enter johndoe in the Member field and select Services Proxy under Project Permissions. Click the Create button at the bottom of the form.

The johndoe user should now be able to log into Rancher and see the cluster dashboard with the Grafana icons. Clicking a Grafana icon should open a new browser window showing the user various graphs and statistics for the cluster. This user should not be able to perform other operations, such as viewing or launching workloads in the cluster.
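As an added example (not part of the original article), the following Python audit checks the Kubernetes Role that a project role like Services Proxy is expected to produce for least privilege, flags anything broader than get/list on services/proxy, and goes one step beyond the article by showing how Kubernetes RBAC resourceNames can narrow the grant to named Services. Assumptions: the Rancher project role maps to a Kubernetes Role in a System-project namespace, the namespace name cattle-prometheus, and all manifests are constructed inline rather than exported from a cluster.

```python
"""Audit the Kubernetes Role behind the 'Services Proxy' grant for least privilege."""

# Constructed manifest (not exported from a real cluster): what the Rancher
# project role created above is expected to produce in a System-project
# namespace. The namespace name cattle-prometheus is an assumption.
SERVICES_PROXY_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "services-proxy", "namespace": "cattle-prometheus"},
    "rules": [{"apiGroups": [""], "resources": ["services/proxy"], "verbs": ["get", "list"]}],
}

# Constructed over-broad variant: the parent resource plus a wildcard verb lets
# the user list and modify Services, which this user must not be able to do.
OVERBROAD_ROLE = {
    **SERVICES_PROXY_ROLE,
    "metadata": {"name": "services-proxy-wrong", "namespace": "cattle-prometheus"},
    "rules": [{"apiGroups": [""], "resources": ["services", "services/proxy"], "verbs": ["*"]}],
}

# The only grants the how-to above needs: core API group, proxy subresource.
ALLOWED = {("", "services/proxy", "get"), ("", "services/proxy", "list")}


def expand_rules(role):
    """Flatten a Role into (apiGroup, resource, verb) triples."""
    triples = set()
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    triples.add((group, resource, verb))
    return triples


def excess_grants(role, allowed=ALLOWED):
    """Grants outside the allowlist; a wildcard never matches, so it is flagged."""
    return sorted(t for t in expand_rules(role) if t not in allowed)


def restrict_to_services(role, service_names):
    """Copy of the Role limited to named Services via resourceNames. 'list' is
    dropped: a name-restricted rule does not authorize an unfiltered list."""
    rules = [{**r, "verbs": [v for v in r["verbs"] if v != "list"],
              "resourceNames": list(service_names)} for r in role["rules"]]
    return {**role, "rules": rules}
```

Run excess_grants against the Role actually present in the System project namespaces; an empty list means the grant is no wider than the article intends.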

Further Reading

For more detailed information on how RBAC works in Rancher and Kubernetes, see the following links:


Comments

1 comment
  • Does this expose all Services Proxy resources under the System project to this user?
    Can we lock it down further?

