3

Hoping for some pointers, I have a question: what role/permissions do I need to bind to a user that has ClusterRole=view in order to let that user use top node and top pod commands in kubectl?

My team are using kubectl version 1.15.x (client) on a 1.15.7 cluster (AKS), although I'm not sure if that's relevant information. I tried to find this in the k8s documentation, but could not find the permission-reference description, only some examples and guidelines. If you know where to get the full k8s reference, I'm equally glad and will post the solution.

Note, I also posted this on Stack Overflow, but they pointed me here, which indeed looks much more suited.

Thanks in advance!

Regards, Ludo

Ludo
  • Are you using RBAC to define what your users are allowed to do? I use kubectl top node and kubectl top pod --all-namespaces with no special permissions all the time across multiple AKS Clusters. (Our deployments are not using RBAC yet.) – Steven K7FAQ Feb 04 '20 at 03:22
  • Yes, we have RBAC enabled, coupled to Azure Active Directory. BTW, I found the way to do it, will post below. – Ludo Feb 04 '20 at 10:40

1 Answer

3

Thanks to arghya-sadhu's comments on Stack Overflow, I've got it working:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: get-pod-and-node
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods", "nodes"]
  verbs: ["get", "watch", "list"]

(I'm aggregating to the standard 'view' role)

Ludo
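How the `aggregate-to-view` label in the answer above takes effect, as an added example that is not part of the original answer: a small Python model of ClusterRole aggregation and RBAC rule matching. `VIEW_BASE` is a constructed, abbreviated stand-in for the built-in `view` rules, and the function names and sample role names are hypothetical.

```python
# Added example: a model of ClusterRole aggregation, not Kubernetes source code.
AGG_LABEL = "rbac.authorization.k8s.io/aggregate-to-view"
SELECTOR = {AGG_LABEL: "true"}  # matchLabels selector in the aggregationRule of `view`

# Constructed, abbreviated stand-in for the rules `view` has out of the box.
VIEW_BASE = {
    "metadata": {"name": "view-base-sample", "labels": {AGG_LABEL: "true"}},
    "rules": [{"apiGroups": [""], "resources": ["pods", "services"],
               "verbs": ["get", "list", "watch"]}],
}
# The ClusterRole from the answer above.
METRICS_ROLE = {
    "metadata": {"name": "get-pod-and-node", "labels": {AGG_LABEL: "true"}},
    "rules": [{"apiGroups": ["metrics.k8s.io"], "resources": ["pods", "nodes"],
               "verbs": ["get", "watch", "list"]}],
}

def aggregate(cluster_roles, selector):
    """Union the rules of every ClusterRole whose labels match the selector."""
    rules = []
    for role in cluster_roles:
        labels = role["metadata"].get("labels", {})
        if all(labels.get(k) == v for k, v in selector.items()):
            rules.extend(role["rules"])
    return rules

def allowed(rules, group, resource, verb):
    """RBAC is allow-only: one rule matching group, resource and verb suffices."""
    def hit(values, want):
        return "*" in values or want in values
    return any(hit(r["apiGroups"], group) and hit(r["resources"], resource)
               and hit(r["verbs"], verb) for r in rules)

def metrics_access(rules):
    """Can a subject holding these rules list pod and node metrics?"""
    return {res: allowed(rules, "metrics.k8s.io", res, "list")
            for res in ("pods", "nodes")}

if __name__ == "__main__":
    unlabelled = {"metadata": {"name": "metrics-reader-sample"},
                  "rules": METRICS_ROLE["rules"]}
    for title, roles in [("view alone", [VIEW_BASE]),
                         ("with labelled role", [VIEW_BASE, METRICS_ROLE]),
                         ("same rules, no label", [VIEW_BASE, unlabelled])]:
        print(title, metrics_access(aggregate(roles, SELECTOR)))
```

Because the rules are merged into `view` itself, every subject bound to `view` receives them, while the same rules without the label need a binding of their own. On a live cluster, `kubectl auth can-i list pods.metrics.k8s.io --as <user>` checks the result for a given user.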