Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Notes from TGIK 027
  1. Show kubectl proxy

Things are now locked down by default. Try to upload kubeconfig. Talk certs vs. tokens. Skip login... nothing works.

  1. Let's get UI working!

Option 1: Give UI SA with admin. Don't do this!

Option 2: Get some sort of token. Without external authn mechanism, use SA token.

kubectl create sa my-dashboard-sa
kubectl create clusterrolebinding my-dashboard-sa --clusterrole=cluster-admin --serviceaccount=default:my-dashboard-sa
kubectl get secrets
kubectl describe secret my-dashboard-sa-token-dkz2j
  1. Expose this to users?

Expose directly? Not a good idea. Defense in depth. What if the console had a bug?

Expose with nodeport? Works great as long as users have access to the node. Often not the case without VPN and/or with cloud. Talk BeyondCorp.

Expose behind validating proxy? Yes! Let's do that next.

kubectl create secret generic k8s-dashboard-oauth-secrets \
  -o yaml --dry-run \
  -n kube-system \
  --from-literal=client-id=c65d2f658c05aacf2f35 \
  --from-literal=client-secret=8b9ae8d9eee6ce756d4894aca85df19b90d0aa22 \
  --from-literal=cookie=$(python -c 'import os,base64; print base64.urlsafe_b64encode(os.urandom(16))')
  1. Future? It would be great if we could have the UI be an OAuth client and use that with custom authn provider.

https://github.com/kubernetes/dashboard/issues/2353

---
apiVersion: v1
kind: Secret
metadata:
name: k8s-dashboard-oauth-secrets
namespace: kube-system
type: Opaque
data:
client-id: YzY1ZDJmNjU4YzA1YWFjZjJmMzU=
client-secret: OGI5YWU4ZDllZWU2Y2U3NTZkNDg5NGFjYTg1ZGYxOWI5MGQwYWEyMg==
cookie: eUJJVS1qWEVqcTRUV29rOTVaOHNKdz09
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
run: k8s-dashboard-oauth-proxy
name: k8s-dashboard-oauth-proxy
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
run: k8s-dashboard-oauth-proxy
template:
metadata:
labels:
run: k8s-dashboard-oauth-proxy
spec:
containers:
- args:
- --cookie-secure=false
- --provider=github
- --upstream=http://kubernetes-dashboard.kube-system.svc.cluster.local
- --http-address=0.0.0.0:8080
- --redirect-url=https://k8s-dashboard.tgik.io/oauth2/callback
- --email-domain=*
- --github-org=TGIK
- --pass-basic-auth=false
- --pass-access-token=false
env:
- name: OAUTH2_PROXY_COOKIE_SECRET
valueFrom:
secretKeyRef:
key: cookie
name: k8s-dashboard-oauth-secrets
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
key: client-id
name: k8s-dashboard-oauth-secrets
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: client-secret
name: k8s-dashboard-oauth-secrets
image: a5huynh/oauth2_proxy:2.2
name: oauth-proxy
ports:
- containerPort: 8080
protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
labels:
run: k8s-dashboard-oauth-proxy
name: k8s-dashboard-oauth-proxy
namespace: kube-system
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 8080
selector:
run: k8s-dashboard-oauth-proxy
type: ClusterIP
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: k8s-dashboard-tls
namespace: kube-system
spec:
secretName: k8s-dashboard-tls
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
commonName: k8s-dashboard.tgik.io
dnsNames:
- k8s-dashboard.tgik.io
acme:
config:
- http01: {}
domains:
- k8s-dashboard.tgik.io
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: k8s-dashboard-ingress
namespace: kube-system
annotations:
kubernetes.io/ingress.class: contour
# ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
rules:
- host: k8s-dashboard.tgik.io
http:
paths:
- backend:
serviceName: k8s-dashboard-oauth-proxy
servicePort: 8080
path: /
tls:
- hosts:
- k8s-dashboard.tgik.io
secretName: k8s-dashboard-tls
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment