How to grant users access to Grafana with minimal permissions
This document (000020151) is provided subject to the disclaimer at the end of this document.
Situation
Task
You can follow these directions to create a new user and grant minimal permissions to view cluster monitoring and Grafana graphs in your Kubernetes cluster.
Requirements
- Rancher v2.x
- Monitoring enabled in your cluster
Background
You may need to let a user view cluster monitoring metrics and graphs without letting that same user see other information or perform any actions on your cluster. This how-to guide shows you how to achieve this.
Solution
If you have not already, create a new user in Rancher. Go to the Global view and click on the Users menu. Click the Add Users button in the top right corner. Select the desired Username, Password, and Display Name. For Global Permissions, select User-Base and leave all Custom permissions unchecked. Click the Create button at the bottom of the form. Let's assume we are using the username johndoe.
Go to the Security menu and select Roles. Select the Projects tab and click the Add Project Role button. In the name field, enter Services Proxy. Under Grant Resources, click the + Add Resource button. Check the Get and List boxes and enter services/proxy in the Resource field. Note that Rancher changes this to services/proxy (Custom), which is normal. Click the Create button at the bottom to create the new project role.
Next, go to the cluster view for your cluster and select Members from the menu. Click the Add Members button in the top right corner. In the Members dropdown, select johndoe and select Member for Cluster Permissions. Click the Create button at the bottom of the form.
Now navigate to the System project in your cluster. Go to the Members menu and click the Add Member button. Enter johndoe in the Member field and select Services Proxy under Project Permissions. Click the Create button at the bottom of the form.
The johndoe user should now be able to log into Rancher and see the cluster dashboard with the Grafana icons. Clicking the Grafana icons should open a new browser window that shows the user various graphs and statistics for the cluster. This user should not be able to perform other operations, such as viewing or launching workloads in the cluster.
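To confirm the result from the command line, the following added example (not part of the original article and not Rancher's own tooling) uses kubectl auth can-i with impersonation to check that the user holds Get and List on services/proxy and none of a sample of other actions. It assumes direct kubectl access to the cluster with the right to impersonate users; the user ID and namespace arguments are placeholders you supply, and the list of denied actions is an illustrative sample.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumed inputs: $1 = the user's Kubernetes user ID (placeholder, look it up
# for johndoe in Rancher), $2 = a namespace in the System project.
# The caller's kubeconfig must be allowed to impersonate users (--as).

# can_i USER NAMESPACE VERB RESOURCE [SUBRESOURCE]; exit 0 means "allowed".
can_i() {
  if [ -n "${5:-}" ]; then
    kubectl auth can-i "$3" "$4" --subresource="$5" --as "$1" -n "$2" --quiet
  else
    kubectl auth can-i "$3" "$4" --as "$1" -n "$2" --quiet
  fi
}

# verify_min_perms USER NAMESPACE; exit 0 only when both grants of the
# Services Proxy role are present and no sampled extra action is allowed.
# The body runs in a subshell so its variables do not leak to the caller.
verify_min_perms() (
  rc=0
  # Expected: Get and List on services/proxy.
  for verb in get list; do
    if ! can_i "$1" "$2" "$verb" services proxy; then
      echo "MISSING: $verb services/proxy" >&2
      rc=1
    fi
  done
  # Not expected: entries are verb:resource:subresource (subresource optional).
  for check in create:services:proxy delete:services:proxy \
               list:pods: create:pods: list:deployments.apps: \
               create:deployments.apps: get:secrets:; do
    verb=${check%%:*}; rest=${check#*:}
    resource=${rest%%:*}; sub=${rest#*:}
    if can_i "$1" "$2" "$verb" "$resource" "$sub"; then
      echo "EXCESS: $verb $resource${sub:+/$sub}" >&2
      rc=1
    fi
  done
  [ "$rc" -eq 0 ]
)

# Usage: verify_min_perms <user-id> <namespace> && echo "minimal permissions confirmed"
```

Because the role rule names no individual services, the Get and List grant covers every service in the namespaces of the project where the role is assigned.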
Further Reading
For more detailed information on how RBAC works in Rancher and Kubernetes, see the following links:
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020151
- Creation Date: 06-May-2021
- Modified Date: 06-May-2021
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com