diff --git a/slides/kube/dashboard.md b/slides/kube/dashboard.md index a45139db..2d527126 100644 --- a/slides/kube/dashboard.md +++ b/slides/kube/dashboard.md @@ -44,25 +44,33 @@ The goo.gl URL expands to: --- -## 2) Bypass SSL for the dashboard +## 2) Bypassing SSL for the dashboard -The Kubernetes dashboard uses https, but we don't have a certificate +- The Kubernetes dashboard uses HTTPS, but we don't have a certificate -Chrome 63 (and later) as well as recent versions of Edge will refuse to connect +- Recent versions of Chrome (63 and later) and Edge will refuse to connect -In real life, we'd use something like [Let's Encrypt](https://letsencrypt.org/) + (You won't even get the option to ignore a security warning!) -For this workshop, we'll forward http to https _(do not try this at home!)_ +- We could (and should!) get a certificate, e.g. with [Let's Encrypt](https://letsencrypt.org/) --- +- ... But for convenience, for this workshop, we'll forward HTTP to HTTPS -.warning[All our dashboard traffic is now clear-text, including passwords!] +.warning[Do not do this at home, or even worse, at work!] --- +--- + +## Running the SSL unwrapper + +- We are going to run [`socat`](http://www.dest-unreach.org/socat/doc/socat.html), telling it to accept TCP connections and relay them over SSL + +- Then we will expose that `socat` instance with a `NodePort` service + +- For convenience, these steps are neatly encapsulated into another YAML file .exercise[ -- Forward http to https +- Apply the convenient YAML file, and defeat SSL protection: ```bash kubectl apply -f https://goo.gl/tA7GLz ``` @@ -71,7 +79,9 @@ For this workshop, we'll forward http to https _(do not try this at home!)_ The goo.gl URL expands to:
-.small[https://gist.githubusercontent.com/jpetazzo/c53a28b5b7fdae88bc3c5f0945552c04/raw/da13ef1bdd38cc0e90b7a4074be8d6a0215e1a65/socat.yaml] +.small[.small[https://gist.githubusercontent.com/jpetazzo/c53a28b5b7fdae88bc3c5f0945552c04/raw/da13ef1bdd38cc0e90b7a4074be8d6a0215e1a65/socat.yaml]] + +.warning[All our dashboard traffic is now clear-text, including passwords!] --- @@ -127,15 +137,15 @@ The dashboard will then ask you which authentication you want to use. --- -## What about making the dashboard reachable from outside? +## Exposing the dashboard over HTTPS -- We took a shortcut by forwarding http to https inside the cluster +- We took a shortcut by forwarding HTTP to HTTPS inside the cluster -- If we were really using https... +- Let's expose the dashboard over HTTPS! -- Inside, the dashboard is exposed through a `ClusterIP` service +- The dashboard is exposed through a `ClusterIP` service (internal traffic only) -- From outside, we need a `NodePort` service instead +- We will change that into a `NodePort` service (accepting outside traffic) .exercise[ @@ -177,6 +187,18 @@ The dashboard will then ask you which authentication you want to use. --- +## Running the Kubernetes dashboard securely + +- The steps that we just showed you are *for educational purposes only!* + +- If you do that on your production cluster, people [can and will abuse it](https://blog.redlock.io/cryptojacking-tesla) + +- For an in-depth discussion about securing the dashboard, +
+ check [this excellent post on Heptio's blog](https://blog.heptio.com/on-securing-the-kubernetes-dashboard-16b09b1b7aca) + +--- + # Security implications of `kubectl apply` - When we do `kubectl apply -f `, we create arbitrary resources @@ -227,5 +249,3 @@ The dashboard will then ask you which authentication you want to use. - Example: the official setup instructions for most pod networks - ----