Kubernetes Dashboard 1.7: RBAC Ready and Multi-Cluster Friendly

Introduction

On July 10, 2017, the Kubernetes community shipped Dashboard 1.7, a release focused on security and multi-cluster operations. As RBAC became the norm in Kubernetes 1.6+, teams needed a web UI that respected fine-grained permissions while still offering a smooth operator experience.


Headline Features

  • Token & Kubeconfig Login: Users authenticate with service account tokens or uploaded kubeconfig files—no more anonymous admin access.
  • Namespace & Cluster Switching: Dropdown selectors make it easy to pivot between namespaces or connect to multiple clusters from the same UI session.
  • CRD Visibility: Custom Resource Definitions appear alongside core workloads, improving observability for operators adopting CRDs (e.g., PrometheusRule, VirtualService).
  • Workload Status Cards: Enhanced overviews for Deployments, StatefulSets and DaemonSets with rollout progress and pod health indicators.
  • Metric Integration Hooks: Optional Grafana/Heapster links surface CPU/memory charts directly in the UI.

Deploying Dashboard 1.7 Securely

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.7.1/src/deploy/recommended/kubernetes-dashboard.yaml
kubectl -n kube-system create serviceaccount dashboard-admin
kubectl -n kube-system create clusterrolebinding dashboard-admin \
  --clusterrole=cluster-admin \
  --serviceaccount=kube-system:dashboard-admin
kubectl -n kube-system get secret \
  $(kubectl -n kube-system get sa dashboard-admin -o jsonpath="{.secrets[0].name}") \
  -o go-template="{{.data.token | base64decode}}"

  • Access via kubectl proxy or an authenticated ingress controller (e.g., Dex, oauth2-proxy).
  • Use scoped ClusterRoles instead of cluster-admin for production teams.

Practical Security Notes

The commands above are a quick way to get a working token, but treat them as a demo baseline, not a production posture:

  • Prefer read-only ClusterRoles for most users; reserve write access for a small admin group.
  • Avoid binding Dashboard to cluster-admin long-term — it turns the UI into a convenient “do anything” console.
  • If you publish Dashboard behind an Ingress, make authentication mandatory (OIDC/OAuth proxy) and lock it down with NetworkPolicies.
  • Rotate tokens and avoid sharing them over chat/email; tokens are effectively passwords with API access.

Multi-Cluster Workflow

  • Store multiple kubecontexts in a kubeconfig file and upload it via the login screen.
  • Dashboard 1.7 caches sessions client-side; you can switch clusters without re-authenticating as long as the kubeconfig remains valid.
  • Combine with federation or kubectl config use-context workflows to maintain parity between UI and CLI operations.

Best Practices

  • Pair Dashboard with an OIDC identity provider to avoid static tokens.
  • Enable NetworkPolicies to restrict access to the Dashboard service.
  • Audit API logs; Dashboard 1.7 includes user-agent strings to help attribute actions.
  • For read-only viewers, create dedicated ClusterRoles and bind them to service accounts, then distribute tokens via secure channels.
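
A scoped read-only role of the kind recommended here and under "Deploying Dashboard 1.7 Securely", shown as an added example rather than a manifest from the Dashboard project. The dashboard-viewer name and the resource list are assumptions to adjust for your cluster.

```yaml
# Added example: "dashboard-viewer" is a hypothetical name, not a Dashboard default.
# rbac.authorization.k8s.io/v1 needs Kubernetes 1.8+; on 1.6/1.7 use v1beta1.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-viewer
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-viewer
rules:
  # Read-only verbs on workloads and their context. "secrets" is deliberately
  # absent: read access to Secrets would expose service account tokens,
  # including the dashboard-admin token created by the quick-start commands.
  - apiGroups: [""]
    resources: ["pods", "services", "endpoints", "configmaps", "events",
                "namespaces", "nodes", "persistentvolumeclaims",
                "replicationcontrollers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps", "extensions"]
    resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dashboard-viewer
subjects:
  - kind: ServiceAccount
    name: dashboard-viewer
    namespace: kube-system
```

After applying, `kubectl auth can-i list secrets --as=system:serviceaccount:kube-system:dashboard-viewer` should answer no, while the same check with `list pods` should answer yes.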

Summary

Aspect            Details
Release Date      July 10, 2017
Key Innovations   Token-based auth, namespace switching, CRD visibility, workload dashboards
Significance      Brought the Kubernetes UI in line with RBAC-first security postures while improving operator usability