Grant service/proxy and Prometheus access

Grant newly authenticated users without additional grants either cluster-wide service/proxy access or access only to Prometheus metrics, using one of the following pre-defined roles:

Proxy access:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mke-proxy-access
rules:
# Allow access to service proxy cluster-wide
- apiGroups: [""]
  resources:
    - services/proxy
    - services
  verbs: ["get", "list", "watch"]

Metrics access:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: mke-prometheus-access
  namespace: mke
rules:
# Allow access to service proxy (required for Prometheus service)
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["monitoring-kube-prometheus-prometheus", "monitoring-kube-prometheus-prometheus:http-web"]
  verbs: ["get"]

To grant one of these roles to the system:authenticated group, when metrics access is considered acceptable under security:

Example Notice

The system:authenticated group is used to illustrate the grant access procedure detailed here; however, a grant can be given directly to a user or to a team or organization.

  1. Log in to the MKE 4k Dashboard as an administrator.

  2. From a different browser window, navigate to the interactive API at https://<externalAddress>/api/auth/v1/docs.

  3. In the Grants section, select the group for which you want to grant access.

    • For cluster-wide proxy access that will match the MKE 3 configuration:

      1. Enter mke-proxy-access into the roleName field.

      2. Enter system:authenticated into the groupName field.

      3. Do not set any of the remaining fields, as the grant is issued to a ClusterRole.

    • For Prometheus metrics-only access:

      1. Enter mke-prometheus-access into the roleName field.

      2. Enter system:authenticated into the groupName field.

      3. Enter mke into the namespace field, as the grant is issued to a Role object in the mke namespace.

      4. Enter mke into the roleNamespace field, as the grant is issued to a Role object in the mke namespace.

  4. Click Execute to create the grant.

  5. Return to the MKE 4k Dashboard and navigate to Access Control --> Grants to verify the grant.
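
Because system:authenticated covers every logged-in user, it helps to compare what each role actually permits before choosing one. The following is an added example, not part of the MKE documentation or code: a simplified model of Kubernetes RBAC rule matching applied to the two roles above. The request paths are constructed samples and example-svc is a hypothetical service name.

```python
# Simplified RBAC matcher: core API group only, no aggregation or non-resource URLs.
PROXY_ACCESS = {  # ClusterRole mke-proxy-access, granted without a namespace
    "namespace": None,
    "rules": [{"apiGroups": [""], "resources": ["services/proxy", "services"],
               "verbs": ["get", "list", "watch"]}],
}
PROMETHEUS_ACCESS = {  # Role mke-prometheus-access, granted in namespace mke
    "namespace": "mke",
    "rules": [{"apiGroups": [""], "resources": ["services/proxy"],
               "resourceNames": ["monitoring-kube-prometheus-prometheus",
                                 "monitoring-kube-prometheus-prometheus:http-web"],
               "verbs": ["get"]}],
}

def parse_path(path):
    """Split a namespaced core-API path into (namespace, resource, name)."""
    parts = path.strip("/").split("/")
    if parts[:3] != ["api", "v1", "namespaces"] or len(parts) < 5:
        raise ValueError("not a namespaced core-API path: " + path)
    ns, kind, rest = parts[3], parts[4], parts[5:]
    name = rest[0] if rest else ""
    sub = rest[1] if len(rest) > 1 else ""
    # A proxy request that names a port carries "service:port" as its name,
    # so a resourceNames list has to include that form as well.
    return ns, (kind + "/" + sub if sub else kind), name

def _in(value, allowed_values):
    return "*" in allowed_values or value in allowed_values

def allowed(grant, verb, path):
    """Return True if the grant's rules permit `verb` on the request path."""
    ns, resource, name = parse_path(path)
    if grant["namespace"] not in (None, ns):
        return False  # a Role grant applies only inside its own namespace
    for rule in grant["rules"]:
        names = rule.get("resourceNames", [])  # empty list means any name
        if (_in("", rule["apiGroups"]) and _in(resource, rule["resources"])
                and _in(verb, rule["verbs"]) and (not names or name in names)):
            return True
    return False

SAMPLES = [  # constructed requests: (verb, path)
    ("get", "/api/v1/namespaces/mke/services/monitoring-kube-prometheus-prometheus:http-web/proxy/api/v1/query"),
    ("get", "/api/v1/namespaces/kube-system/services/example-svc:80/proxy/"),
    ("get", "/api/v1/namespaces/mke/services/example-svc/proxy/"),
    ("list", "/api/v1/namespaces/mke/services"),
]
if __name__ == "__main__":
    for verb, path in SAMPLES:
        print(verb, path, allowed(PROXY_ACCESS, verb, path), allowed(PROMETHEUS_ACCESS, verb, path))
```

Under this model, mke-proxy-access permits all four sample requests, while mke-prometheus-access permits only the first.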