From cfaff3df04c15c40124efa537ff0a607d7dce88f Mon Sep 17 00:00:00 2001 From: Bridget Kromhout Date: Tue, 27 Feb 2018 17:31:14 -0600 Subject: [PATCH] Remove need for https in the workshop dashboard --- slides/kube/dashboard.md | 176 +++++++++++++++++++++++---------------- 1 file changed, 104 insertions(+), 72 deletions(-) diff --git a/slides/kube/dashboard.md b/slides/kube/dashboard.md index 4a8aae67..a45139db 100644 --- a/slides/kube/dashboard.md +++ b/slides/kube/dashboard.md @@ -4,11 +4,15 @@ - We are going to deploy that dashboard with *three commands:* - - one to actually *run* the dashboard + 1) actually *run* the dashboard - - one to make the dashboard available from outside + 2) bypass SSL for the dashboard - - one to bypass authentication for the dashboard + 3) bypass authentication for the dashboard + +-- + +There is an additional step to make the dashboard available from outside (we'll get to that) -- @@ -16,7 +20,7 @@ --- -## Running the dashboard +## 1) Running the dashboard - We need to create a *deployment* and a *service* for the dashboard @@ -39,11 +43,99 @@ The goo.gl URL expands to: --- -## Making the dashboard reachable from outside -- The dashboard is exposed through a `ClusterIP` service +## 2) Bypass SSL for the dashboard -- We need a `NodePort` service instead +The Kubernetes dashboard uses https, but we don't have a certificate + +Chrome 63 (and later) as well as recent versions of Edge will refuse to connect + +In real life, we'd use something like [Let's Encrypt](https://letsencrypt.org/) + +For this workshop, we'll forward http to https _(do not try this at home!)_ + +-- + +.warning[All our dashboard traffic is now clear-text, including passwords!] + +-- + +.exercise[ + +- Forward http to https + ```bash + kubectl apply -f https://goo.gl/tA7GLz + ``` + +] + +The goo.gl URL expands to: +
+.small[https://gist.githubusercontent.com/jpetazzo/c53a28b5b7fdae88bc3c5f0945552c04/raw/da13ef1bdd38cc0e90b7a4074be8d6a0215e1a65/socat.yaml] + +--- + +## Connecting to the dashboard + + +.exercise[ + +- Connect to http://oneofournodes:3xxxx/ + + + +] + +The dashboard will then ask you which authentication you want to use. + +--- + +## Dashboard authentication + +- We have three authentication options at this point: + + - token (associated with a role that has appropriate permissions) + + - kubeconfig (e.g. using the `~/.kube/config` file from `node1`) + + - "skip" (use the dashboard "service account") + +- Let's use "skip": we get a bunch of warnings and don't see much + +--- + +## 3) Bypass authentication for the dashboard + +- The dashboard documentation [explains how to do this](https://github.com/kubernetes/dashboard/wiki/Access-control#admin-privileges) + +- We just need to load another YAML file! + +.exercise[ + +- Grant admin privileges to the dashboard so we can see our resources: + ```bash + kubectl apply -f https://goo.gl/CHsLTA + ``` + +- Reload the dashboard and enjoy! + +] + +-- + +.warning[By the way, we just added a backdoor to our Kubernetes cluster!] + +--- + +## What about making the dashboard reachable from outside? + +- We took a shortcut by forwarding http to https inside the cluster + +- If we were really using https... + +- Inside, the dashboard is exposed through a `ClusterIP` service + +- From outside, we need a `NodePort` service instead .exercise[ @@ -68,6 +160,8 @@ The goo.gl URL expands to: - The dashboard was created in the `kube-system` namespace +-- + .exercise[ - Edit the service: 
@@ -83,71 +177,6 @@ The goo.gl URL expands to: --- -## Connecting to the dashboard - -.exercise[ - -- Connect to https://oneofournodes:3xxxx/ - -- You will have to work around the TLS certificate validation warning - - - -] - -The dashboard will then ask you which authentication you want to use. - -.warning[Make sure that you use `https`! Otherwise, you'll get this error:] - -``` -This page isn’t working - sent an invalid response. -ERR_INVALID_HTTP_RESPONSE -``` - -.warning[Chrome 63 (and later) as well as recent versions of Edge will refuse to connect.] - -We do not know how to work around that issue for the moment. - ---- - -## Dashboard authentication - -- We have three authentication options at this point: - - - token (associated with a role that has appropriate permissions) - - - kubeconfig (e.g. using the `~/.kube/config` file from `node1`) - - - "skip" (use the dashboard "service account") - -- Let's use "skip": we get a bunch of warnings and don't see much - ---- - -## Granting more rights to the dashboard - -- The dashboard documentation [explains how to do this](https://github.com/kubernetes/dashboard/wiki/Access-control#admin-privileges) - -- We just need to load another YAML file! - -.exercise[ - -- Grant admin privileges to the dashboard so we can see our resources: - ```bash - kubectl apply -f https://goo.gl/CHsLTA - ``` - -- Reload the dashboard and enjoy! - -] - --- - -.warning[By the way, we just added a backdoor to our Kubernetes cluster!] - ---- - # Security implications of `kubectl apply` - When we do `kubectl apply -f `, we create arbitrary resources @@ -197,3 +226,6 @@ We do not know how to work around that issue for the moment. - It introduces new failure modes - Example: the official setup instructions for most pod networks + + +---
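Review bot: In the `@@ -4,11 +4,15 @@` hunk the new step `2) bypass SSL for the dashboard` introduces "SSL" where the rest of the deck (including the text this patch removes, "work around the TLS certificate validation warning") says TLS; use one term, preferably TLS, so the heading added later (`## 2) Bypass SSL for the dashboard`) matches. The `1)`/`2)`/`3)` markers also break from the `-` bullets used everywhere else in this file; if the numbering is wanted to tie the intro to the `## 1)`, `## 2)`, `## 3)` headings, consider `1.`-style ordered list markers so the renderer treats them as a list rather than literal text.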
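Review bot: The `@@ -39,11 +43,99 @@` hunk has an ordering problem: the new "Connecting to the dashboard" slide tells the reader to open `http://oneofournodes:3xxxx/` right after step 2, but the intro now says reaching the dashboard from outside is "an additional step (we'll get to that)", and that step (editing the `ClusterIP` service into a `NodePort`) has been moved to the very end under "What about making the dashboard reachable from outside?". Either the `socat.yaml` applied in step 2 already creates a `NodePort` (then say so on the slide, and reword "From outside, we need a `NodePort` service instead", which otherwise reads as if no port is exposed yet), or the connection and authentication slides need to follow the `NodePort` edit. On the same hunk, the deck itself warns later about `kubectl apply -f ` of arbitrary resources; since the expanded URL is already pinned to a specific gist revision, prefer putting that pinned raw URL in the exercise instead of the mutable `goo.gl` indirection, so what the reader applies is what the slide shows. The `.warning[All our dashboard traffic is now clear-text, including passwords!]` is the right note to keep next to "do not try this at home".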
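Review bot: In the `@@ -197,3 +226,6 @@` hunk the appended blank lines and trailing `---` sit at the end of the file with nothing after them; in this slide format `---` starts a new slide, so this most likely renders as an empty final slide. Drop the three added lines unless a slide is meant to follow.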