We have a shared tenant cluster, and we want our developers to be able to run
kubectl top pods --namespace dev-namespace
But it seems to me that for top to be usable, you need to be able to run
kubectl get nodes. But nodes are not namespaced.
Is there a solution?
We have a cluster admin setup like this:
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: username@domain
And as a cluster admin I can run the top command, so metrics-server seems to be working fine.
Kubernetes has the API group metrics.k8s.io, which you can use to give read permission for kubectl top pods -n <namespace>. If you grant list permissions for pods in that group, you can run the command.

I tested the configuration below in a GKE cluster running Kubernetes 1.21 with kubectl top pod --as=system:serviceaccount:monitoring:test-account -n monitoring. With these permissions, I can only run kubectl top pod in the monitoring namespace; other commands will fail.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-account
  namespace: monitoring
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: monitoring
rules:
# PodMetrics live in the metrics.k8s.io group, not the core group,
# so this Role grants nothing for plain `kubectl get pods`.
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: monitoring
subjects:
- kind: ServiceAccount
  name: test-account
  namespace: monitoring   # required for ServiceAccount subjects
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
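To see why the Role above is enough for kubectl top pod in one namespace and nothing more, here is a small model of how RBAC evaluates a request. This is an added example, not code from the answer or from Kubernetes itself: it mirrors the pod-reader Role and read-pods RoleBinding as Python data, encodes the requests kubectl sends (PodMetrics in metrics.k8s.io, which is namespaced; NodeMetrics, which is cluster-scoped), and checks which ones the binding authorizes. It also goes one step beyond the answer by modelling a ClusterRoleBinding for nodes.metrics.k8s.io, to show that granting kubectl top node cannot be confined to a namespace. The subject and resource names are the ones from the answer; the request tuples are constructed for this illustration.

```python
"""Toy model of Kubernetes RBAC authorization (added example, not the
project's own code). Mirrors the pod-reader Role / read-pods RoleBinding
from the answer and checks which kubectl requests they authorize."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Request:
    """What the API server sees for one call: who, what verb, on which
    group/resource, in which namespace ("" for cluster-scoped objects)."""
    subject: str
    verb: str
    api_group: str      # "" is the core group; "metrics.k8s.io" for top
    resource: str
    namespace: str


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]

    def matches(self, req: Request) -> bool:
        def hit(allowed, value):
            return "*" in allowed or value in allowed
        return (hit(self.api_groups, req.api_group)
                and hit(self.resources, req.resource)
                and hit(self.verbs, req.verb))


@dataclass
class Binding:
    """A RoleBinding (namespace set) or ClusterRoleBinding (namespace None)
    together with the rules of the role it references."""
    subjects: List[str]
    rules: List[Rule]
    namespace: Optional[str] = None


def service_account_name(namespace: str, name: str) -> str:
    return f"system:serviceaccount:{namespace}:{name}"


def is_allowed(bindings: List[Binding], req: Request) -> bool:
    """RBAC is purely additive: allow if any binding that covers the subject
    and the request's namespace carries a rule matching the request."""
    for b in bindings:
        if req.subject not in b.subjects:
            continue
        # A RoleBinding only grants inside its own namespace. A cluster-scoped
        # request (namespace "") therefore never matches a RoleBinding.
        if b.namespace is not None and b.namespace != req.namespace:
            continue
        if any(r.matches(req) for r in b.rules):
            return True
    return False


SA = service_account_name("monitoring", "test-account")

# The pod-reader Role bound by read-pods, as in the answer.
POD_READER = Binding(
    subjects=[SA],
    namespace="monitoring",
    rules=[Rule(["metrics.k8s.io"], ["pods"], ["get", "list"])],
)

# Hypothetical ClusterRole + ClusterRoleBinding for `kubectl top node`;
# NodeMetrics are cluster-scoped, so only a ClusterRoleBinding can grant them.
NODE_METRICS_READER = Binding(
    subjects=[SA],
    namespace=None,
    rules=[Rule(["metrics.k8s.io"], ["nodes"], ["get", "list"])],
)


def top_pod_request(namespace: str) -> Request:
    """kubectl top pod -n <ns> lists PodMetrics in metrics.k8s.io."""
    return Request(SA, "list", "metrics.k8s.io", "pods", namespace)


def top_node_request() -> Request:
    """kubectl top node lists NodeMetrics, a cluster-scoped resource."""
    return Request(SA, "list", "metrics.k8s.io", "nodes", "")


def get_pods_request(namespace: str) -> Request:
    """kubectl get pods -n <ns> lists pods in the core group."""
    return Request(SA, "list", "", "pods", namespace)


def summary(bindings: List[Binding]) -> dict:
    """Which of the interesting commands the given bindings authorize."""
    return {
        "top pod -n monitoring": is_allowed(bindings, top_pod_request("monitoring")),
        "top pod -n dev-namespace": is_allowed(bindings, top_pod_request("dev-namespace")),
        "get pods -n monitoring": is_allowed(bindings, get_pods_request("monitoring")),
        "top node": is_allowed(bindings, top_node_request()),
    }


if __name__ == "__main__":
    for cmd, ok in summary([POD_READER]).items():
        print(f"{cmd:28s} {'allowed' if ok else 'denied'}")
```

Against a real cluster the same questions are answered by the API server itself, without impersonating a shell: kubectl auth can-i list pods.metrics.k8s.io --as=system:serviceaccount:monitoring:test-account -n monitoring should print yes, while the same check for nodes.metrics.k8s.io, or for pods.metrics.k8s.io in another namespace, should print no. The --as flag needs impersonate permission, which the admin ClusterRole in the question carries.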