Due to upgrade issues with the Envoy gateway and the offline installation environments, upgrading to MKE 4k 4.1.3 is not recommended. These issues are fixed in the 4.1.4 release. For version 4.1.3, Mirantis only supports fresh installations.

Grant service/proxy and Prometheus access

Grant newly authenticated users without additional grants either cluster-wide service/proxy access or access only to Prometheus metrics, using one of the following pre-defined roles:

Proxy access:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mke-proxy-access
rules:
# Allow access to service proxy cluster-wide
- apiGroups: [""]
  resources:
    - services/proxy
    - services
  verbs: ["get", "list", "watch"]

Metrics access:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: mke-prometheus-access
  namespace: mke
rules:
# Allow access to service proxy (required for Prometheus service)
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["monitoring-kube-prometheus-prometheus", "monitoring-kube-prometheus-prometheus:http-web"]
  verbs: ["get"]

To grant one of these roles to the system:authenticated group, when metrics access is considered acceptable from a security standpoint:

Example Notice

The system:authenticated group is used to illustrate the grant access procedure detailed here; however, a grant can be given directly to a user or to a team or organization.

  1. Log in to the MKE 4k Dashboard as an administrator.

  2. From a different browser window, navigate to the interactive API at https://<externalAddress>/api/auth/v1/docs.

  3. In the Grants section, select the group for which you want to grant access.

    • For cluster-wide proxy access that will match the MKE 3 configuration:

      1. Enter mke-proxy-access into the roleName field.

      2. Enter system:authenticated into the groupName field.

      3. Do not set any of the remaining fields, as the grant is issued to a ClusterRole.

    • For Prometheus metrics-only access:

      1. Enter mke-prometheus-access into the roleName field.

      2. Enter system:authenticated into the groupName field.

      3. Enter mke into the namespace field, as the grant is issued to a Role object in the mke namespace.

      4. Enter mke into the roleNamespace field, as the grant is issued to a Role object in the mke namespace.

  4. Click Execute to create the grant.

  5. Return to the MKE 4k Dashboard and navigate to Access Control --> Grants to verify the grant.
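
To compare what each grant exposes to every authenticated user, the following added example (not Mirantis or Kubernetes code) models RBAC rule matching for the two roles above. The rule sets are copied from the role definitions; the requests, the payments namespace and its service name are constructed, and a grant is assumed to behave like a cluster-wide or namespaced binding as described in step 3.

```python
# Minimal model of Kubernetes RBAC rule matching (a sketch, not the API server's code).
# Rule sets are copied from the roles above; the requests are constructed samples.

PROXY_ACCESS = {  # ClusterRole mke-proxy-access, granted cluster-wide (no namespace)
    "namespace": None,
    "rules": [{"apiGroups": [""], "resources": ["services/proxy", "services"],
               "verbs": ["get", "list", "watch"]}],
}
PROMETHEUS_ACCESS = {  # Role mke-prometheus-access, granted in namespace mke
    "namespace": "mke",
    "rules": [{"apiGroups": [""], "resources": ["services/proxy"],
               "resourceNames": ["monitoring-kube-prometheus-prometheus",
                                 "monitoring-kube-prometheus-prometheus:http-web"],
               "verbs": ["get"]}],
}

def allowed(grant, verb, resource, namespace, name="", api_group=""):
    """Return True if any rule in the grant permits the request."""
    if grant["namespace"] is not None and grant["namespace"] != namespace:
        return False  # a namespaced Role never applies outside its namespace
    for rule in grant["rules"]:
        names = rule.get("resourceNames", [])
        if (api_group in rule["apiGroups"]
                and resource in rule["resources"]
                and verb in rule["verbs"]
                and (not names or name in names)):  # no resourceNames = any name
            return True
    return False

# Constructed requests: (verb, resource, namespace, object name)
REQUESTS = [
    ("get", "services/proxy", "mke", "monitoring-kube-prometheus-prometheus:http-web"),
    ("get", "services/proxy", "mke", "some-other-service"),
    ("get", "services/proxy", "payments", "internal-admin-ui"),
    ("list", "services", "payments", ""),
    # An HTTP POST through the proxy subresource is authorized as verb "create".
    ("create", "services/proxy", "mke", "monitoring-kube-prometheus-prometheus"),
]

def compare():
    """Decision of each grant for every constructed request."""
    return [(req, allowed(PROXY_ACCESS, *req), allowed(PROMETHEUS_ACCESS, *req))
            for req in REQUESTS]

if __name__ == "__main__":
    for (verb, res, ns, name), proxy, prom in compare():
        print(f"{verb:6} {res:14} {ns}/{name or '*':48} proxy={proxy} prometheus={prom}")
```

With mke-proxy-access, every authenticated user can send GET requests through the API server to any service in any namespace, whereas mke-prometheus-access permits only the two named Prometheus endpoints in mke.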