Grant node read access#
Node read access is not granted to authenticated users by default. Thus, a freshly
authenticated non-admin user cannot view cluster nodes; for example, the
Nodes panel of the MKE 4 Dashboard does not populate until access is
granted. To allow a non-admin user to read cluster nodes, grant the pre-defined
mke-viewer-role ClusterRole:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: mke-viewer-role
rules:
# Allow read access to cluster nodes
- apiGroups: [""]
resources: ["nodes", "nodes/status"]
verbs: ["get", "list", "watch"]
Security notice
Granting mke-viewer-role cluster-wide to the system:authenticated group
exposes node.status.images[], which is the list of container images cached on
each node, to every authenticated user. In multi-tenant clusters, this can
expose which images are being run by other tenants. As such, ensure that you grant this role only to the specific
users, teams, or groups that require node visibility.
To grant this role to the system:authenticated group, when cluster-wide node
visibility is considered acceptable under your security policy:
Example Notice
The system:authenticated group is used to illustrate the grant
access procedure detailed here; however, a grant can be given directly to a
user or to a team or organization.
-
Log in to the MKE 4 Dashboard as an administrator.
-
From a different browser window, navigate to the interactive API at
https://<externalAddress>/api/auth/v1/docs. -
In the Grants section, select the group for which you want to grant access.
-
For cluster-wide node read access:
-
Enter mke-viewer-role into the roleName field.
-
Enter system:authenticated into the groupName field.
-
Do not set any of the remaining fields, as the grant is issued to a
ClusterRole.
-
-
Click Execute to create the grant.
-
Return to the MKE 4 Dashboard and navigate to Access Control --> Grants to verify the grant.