How to config clusterReadOnlyRole in version > 7.1.x

[will4j]

Is there Easy ways to config clusterReadOnlyRole with kubernetes-dashboard 7.1.x, without external reverse proxy.

I have tried to create cluster readonly role, sc, rb myself like it in version helm chart 6.x.
then create service-account-token secret and use kong plugin request-transformer to add header Authorization: Bearer.

The only way I found successful was change kong gateway configmap as below:

- name: api
        host: {{ template "kubernetes-dashboard.fullname" . }}-{{ .Values.api.role }}
        port: 8000
        protocol: http
        routes:
          - name: api
            paths:
              - /api
            strip_path: false
          - name: metrics
            paths:
              - /metrics
            strip_path: false
        plugins:
          - name: request-transformer
            config:
              add:
                headers:
                  - "Authorization: Bearer xxxx"

also tried to use annotations konghq.com/plugins but it seems not work

kind: Service
apiVersion: v1
metadata:
  labels:
    {{- include "kubernetes-dashboard.labels" . | nindent 4 }}
    app.kubernetes.io/name: {{ template "kubernetes-dashboard.name" . }}-{{ .Values.api.role }}
    app.kubernetes.io/version: {{ .Values.api.image.tag }}
    app.kubernetes.io/component: {{ .Values.api.role }}
  annotations:
   #  KongPlugin kubernetes-dashboard-readonly-auth has been created
    konghq.com/plugins: kubernetes-dashboard-readonly-auth

both these ways need hard code or change the helm charts resource, any better ideas ?

[floreks]

As described in 7.0.0 release notes:

clusterReadOnlyRole has been removed since it is no longer possible to use Dashboard permissions to access the cluster. User access is required at all times.

There is no other way to do this currently. The only way to skip login view is to provide auth header in the request to Dashboard via some kind of proxy. It can use hardcoded token or authenticate user first to get user-specific token.

[will4j]

Got it，But kong gateway IS a kind of proxy, can it be simpler to use kong gateway to add auth token header from custom kubernetes.io/service-account-token secret?

ClusterReadOnlyRole Feature is really helpful and convenient for these who don't concern so much of update k8s obj.