How can a k8s namespace admin use top?

Time:11-04

We have a shared tenant cluster, and we want our developers to be able to run kubectl top pods --namespace dev-namespace

But it seems to me that for top to be usable, you need to be able to run kubectl get nodes. But nodes are not namespaced.

Is there a solution?

We have a cluster admin setup like this (the binding's apiVersion, kind and metadata were omitted from the original snippet and are filled in here with an assumed kind and a placeholder name so the object is complete):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding        # assumed: the snippet shows only roleRef and subjects
metadata:
  name: <binding-name>          # placeholder, not from the original
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin                   # built-in ClusterRole; cluster-wide via a ClusterRoleBinding
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: username@domain

And as a cluster admin I can run the top command, so metrics-server seems to be working fine.

CodePudding user response:

Kubernetes has the API group metrics.k8s.io, which you can use to give read permission for kubectl top pods -n <namespace>. If you grant get and list permissions for pods, you can run the command.

I tested the configuration below in a GKE cluster running Kubernetes 1.21 with kubectl top pod --as=system:serviceaccount:monitoring:test-account -n monitoring. With these permissions, I can only run kubectl top pod in the monitoring namespace; other commands will fail.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-account
  namespace: monitoring
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                      # namespaced: only covers resources in "monitoring"
metadata:
  name: pod-reader
  namespace: monitoring
rules:
- apiGroups: ["metrics.k8s.io"] # the metrics API served by metrics-server, not the core group
  resources: ["pods"]           # PodMetrics; no node metrics and no core pods access
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: monitoring
subjects:
- kind: ServiceAccount
  name: test-account
  namespace: monitoring         # required for ServiceAccount subjects; the API server rejects the binding without it
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
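To see why this Role is enough for kubectl top pod in one namespace and nothing else, here is an added offline evaluator (example code written for this page, not part of the answer or of Kubernetes itself). It transcribes the answer's Role and RoleBinding as Python dicts (constructed, so it needs no cluster or YAML library) and applies a simplified version of the RBAC matching rules: subject match, verb/apiGroup/resource match, and the fact that a RoleBinding is scoped to its own namespace and so can never grant cluster-scoped resources such as nodes. It also checks requests the answer does not spell out (core-group pods, another namespace, node metrics). The Request class, allowed() and checks() are names chosen for this example.

```python
"""Simplified RBAC evaluator for the namespaced metrics Role above (constructed example)."""

from dataclasses import dataclass

# The answer's manifests, transcribed as dicts (constructed from the page, not loaded from YAML).
ROLES = {
    ("monitoring", "pod-reader"): [
        {"apiGroups": ["metrics.k8s.io"], "resources": ["pods"], "verbs": ["get", "list"]},
    ],
}

ROLE_BINDINGS = [
    {
        "namespace": "monitoring",
        "subjects": [{"kind": "ServiceAccount", "name": "test-account", "namespace": "monitoring"}],
        "roleRef": {"kind": "Role", "name": "pod-reader"},
    },
]


@dataclass(frozen=True)
class Request:
    user: str        # e.g. system:serviceaccount:monitoring:test-account
    verb: str
    api_group: str   # "" is the core group (pods, nodes); "metrics.k8s.io" is the metrics API
    resource: str
    namespace: str   # "" for cluster-scoped resources such as nodes


def _subject_matches(subject, user):
    # A ServiceAccount subject is identified by its system:serviceaccount:<ns>:<name> username.
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["kind"] == "User" and subject["name"] == user


def _rule_matches(rule, req):
    # Each list in a rule is a set of allowed values; "*" is the RBAC wildcard.
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["verbs"], req.verb)
            and hit(rule["apiGroups"], req.api_group)
            and hit(rule["resources"], req.resource))


def allowed(req):
    """True if a RoleBinding in req.namespace binds req.user to a Role with a matching rule."""
    if not req.namespace:
        # RoleBindings live in a namespace and cannot grant cluster-scoped resources.
        return False
    for binding in ROLE_BINDINGS:
        if binding["namespace"] != req.namespace:
            continue
        if not any(_subject_matches(s, req.user) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        if ref["kind"] != "Role":
            continue  # ClusterRole references are out of scope for this simplified model
        rules = ROLES.get((binding["namespace"], ref["name"]), [])
        if any(_rule_matches(r, req) for r in rules):
            return True
    return False


SA = "system:serviceaccount:monitoring:test-account"


def checks():
    """The API requests behind the kubectl commands discussed on the page, and whether each passes."""
    return {
        "top pod -n monitoring":    allowed(Request(SA, "list", "metrics.k8s.io", "pods", "monitoring")),
        "top pod -n dev-namespace": allowed(Request(SA, "list", "metrics.k8s.io", "pods", "dev-namespace")),
        "get pods -n monitoring":   allowed(Request(SA, "list", "", "pods", "monitoring")),
        "get nodes":                allowed(Request(SA, "list", "", "nodes", "")),
        "top node":                 allowed(Request(SA, "list", "metrics.k8s.io", "nodes", "")),
    }


if __name__ == "__main__":
    for cmd, ok in checks().items():
        print(f"{cmd:26} {'allowed' if ok else 'denied'}")
```

Against a real cluster the equivalent check is kubectl auth can-i list pods.metrics.k8s.io -n monitoring --as=system:serviceaccount:monitoring:test-account, which asks the API server's own authorizer rather than this model; the model exists only to make the namespace and API-group boundaries of the Role visible without a cluster.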