
How to grant users access to Grafana with minimal permissions

This document (000020151) is provided subject to the disclaimer at the end of this document.

Situation

* Deprecation note *

There is now a "View Monitoring" role in Monitoring v2, which a user can be granted on the System project. This grants the user monitoring access. This article is therefore no longer maintained. Please refer to this for more information on RBAC.

Task

You can follow these directions to create a new user and grant minimal permissions to view cluster monitoring and Grafana graphs in your Kubernetes cluster.

Requirements

  • Rancher v2.x
  • Monitoring enabled in your cluster

Background

You may need to grant a user permission to view cluster monitoring metrics and graphs without letting that same user see other information or perform any actions on your cluster. This how-to guide shows you how to achieve this.

Solution

  1. If you have not already, create a new user in Rancher. Go to the Global view and click on the Users menu. Click the Add Users button in the top right corner. Select the desired Username, Password, and Display Name. For Global Permissions, select User-Base and leave all Custom permissions unchecked. Click the Create button at the bottom of the form. Let's assume we are using the username johndoe.
  2. Go to the Security menu and select Roles. Select the Projects tab and click the Add Project Role button. In the name field, enter Services Proxy. Under Grant Resources, click the + Add Resource button. Check the Get and List boxes and enter services/proxy in the Resource field. Note that the UI changes this to services/proxy (Custom), which is normal. Click the Create button at the bottom to create the new project role.
  3. Next, go to the cluster view for your cluster and select Members from the menu. Click the Add Members button in the top right corner. In the Members dropdown, select johndoe and select Member for Cluster Permissions. Click the Create button at the bottom of the form.
  4. Now navigate to the System project in your cluster. Go to the Members menu and click the Add Member button. Enter johndoe in the Member field and select Services Proxy under Project Permissions. Click the Create button at the bottom of the form.
  5. The johndoe user should now be able to log into Rancher and see the cluster dashboard with the Grafana icons. Clicking the Grafana icons should open a new browser window that will show the user various graphs and statistics for the cluster. This user should not be able to perform other operations, like view or launch new workloads in the cluster.
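To confirm that the result of steps 1 to 5 is as narrow as intended, the grant can be audited from the command line with kubectl auth can-i and user impersonation. This is an added example, not part of the original article; the function names, the user ID and the namespace are placeholders, and it assumes an admin kubeconfig that is allowed to impersonate the user.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Assumption: the current kubeconfig has admin rights and may impersonate users.
KUBECTL="${KUBECTL:-kubectl}"

# allowed USER NAMESPACE VERB RESOURCE [SUBRESOURCE]
# kubectl auth can-i exits 0 for "yes" and non-zero for "no".
allowed() {
    if [ -n "${5:-}" ]; then
        "$KUBECTL" auth can-i "$3" "$4" --subresource="$5" \
            --as="$1" -n "$2" >/dev/null 2>&1
    else
        "$KUBECTL" auth can-i "$3" "$4" --as="$1" -n "$2" >/dev/null 2>&1
    fi
}

# audit_grafana_viewer USER NAMESPACE
# Prints one line per check; the return status is the number of failed checks.
audit_grafana_viewer() {
    user=$1 ns=$2 failures=0
    # Expected: the Services Proxy role grants Get and List on services/proxy.
    for verb in get list; do
        if allowed "$user" "$ns" "$verb" services proxy; then
            echo "ok:   $verb services/proxy is allowed"
        else
            echo "FAIL: $verb services/proxy is denied (role not bound?)"
            failures=$((failures + 1))
        fi
    done
    # Expected: viewing or launching workloads stays denied (step 5).
    for check in "list pods" "list deployments" "create deployments"; do
        verb=${check%% *} res=${check#* }
        if allowed "$user" "$ns" "$verb" "$res"; then
            echo "FAIL: $verb $res is allowed (broader than intended)"
            failures=$((failures + 1))
        else
            echo "ok:   $verb $res is denied"
        fi
    done
    return "$failures"
}

# Usage (placeholders, substitute your own values):
#   audit_grafana_viewer <rancher-user-id> <monitoring-namespace>
```

A return status of 0 means both proxy verbs are allowed and all three workload checks are denied; any other value is the number of checks that did not match the expected result.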

Further Reading

For more detailed information on how RBAC works in Rancher and Kubernetes, see the following links:

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.