Remove need for https in the workshop dashboard

This commit is contained in:
Bridget Kromhout
2018-02-27 17:31:14 -06:00
parent 89ab66335f
commit cfaff3df04


@@ -4,11 +4,15 @@
- We are going to deploy that dashboard with *three commands:*
- one to actually *run* the dashboard
1) actually *run* the dashboard
- one to make the dashboard available from outside
2) bypass SSL for the dashboard
- one to bypass authentication for the dashboard
3) bypass authentication for the dashboard
--
There is an additional step to make the dashboard available from outside (we'll get to that)
--
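Review bot: the new line "There is an additional step to make the dashboard available from outside (we'll get to that)" is misleading after this renumbering. In the new flow, step 2 (the http-to-https forwarder) is what makes the dashboard reachable at http://oneofournodes:3xxxx/, and the NodePort edit kept at the end of the file is only relevant "If we were really using https". Suggest wording it as "step 2 also exposes the dashboard; at the end we show how you'd expose it with real https". Also, the step list says "bypass SSL" while the body of step 2 talks about https and certificates; use one term (TLS) consistently.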
@@ -16,7 +20,7 @@
---
## Running the dashboard
## 1) Running the dashboard
- We need to create a *deployment* and a *service* for the dashboard
@@ -39,11 +43,99 @@ The goo.gl URL expands to:
---
## Making the dashboard reachable from outside
- The dashboard is exposed through a `ClusterIP` service
## 2) Bypass SSL for the dashboard
- We need a `NodePort` service instead
The Kubernetes dashboard uses https, but we don't have a certificate
Chrome 63 (and later) as well as recent versions of Edge will refuse to connect
In real life, we'd use something like [Let's Encrypt](https://letsencrypt.org/)
For this workshop, we'll forward http to https _(do not try this at home!)_
--
.warning[All our dashboard traffic is now clear-text, including passwords!]
--
.exercise[
- Forward http to https
```bash
kubectl apply -f https://goo.gl/tA7GLz
```
]
The goo.gl URL expands to:
<br/>
.small[https://gist.githubusercontent.com/jpetazzo/c53a28b5b7fdae88bc3c5f0945552c04/raw/da13ef1bdd38cc0e90b7a4074be8d6a0215e1a65/socat.yaml]
---
## Connecting to the dashboard
.exercise[
- Connect to http://oneofournodes:3xxxx/
<!-- ```open https://node1:3xxxx/``` -->
]
The dashboard will then ask you which authentication you want to use.
---
## Dashboard authentication
- We have three authentication options at this point:
- token (associated with a role that has appropriate permissions)
- kubeconfig (e.g. using the `~/.kube/config` file from `node1`)
- "skip" (use the dashboard "service account")
- Let's use "skip": we get a bunch of warnings and don't see much
---
## 3) Bypass authentication for the dashboard
- The dashboard documentation [explains how to do this](https://github.com/kubernetes/dashboard/wiki/Access-control#admin-privileges)
- We just need to load another YAML file!
.exercise[
- Grant admin privileges to the dashboard so we can see our resources:
```bash
kubectl apply -f https://goo.gl/CHsLTA
```
- Reload the dashboard and enjoy!
]
--
.warning[By the way, we just added a backdoor to our Kubernetes cluster!]
---
## What about making the dashboard reachable from outside?
- We took a shortcut by forwarding http to https inside the cluster
- If we were really using https...
- Inside, the dashboard is exposed through a `ClusterIP` service
- From outside, we need a `NodePort` service instead
.exercise[
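Review bot: the hidden command in "Connecting to the dashboard" (`<!-- ```open https://node1:3xxxx/``` -->`) still uses https while the visible instruction now says `http://oneofournodes:3xxxx/`; change it to http so the scripted walkthrough matches the slide. Second, the warning "All our dashboard traffic is now clear-text, including passwords!" understates the situation: once step 3 grants admin privileges to the dashboard service account and attendees pick "skip", the forwarder exposes an unauthenticated, admin-level dashboard over plain http on a node port, to anyone who can reach the node. The "we just added a backdoor" warning is the place to say so, and to tell attendees to remove the forwarder (`kubectl delete -f` the same file) and the admin binding when the exercise is over. Third, the forwarder is applied through a goo.gl shortener; showing the gist expansion (pinned to a raw revision) is good, but put the pinned raw URL in the command itself so the step does not depend on the shortener continuing to resolve to that revision.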
@@ -68,6 +160,8 @@ The goo.gl URL expands to:
- The dashboard was created in the `kube-system` namespace
--
.exercise[
- Edit the service:
@@ -83,71 +177,6 @@ The goo.gl URL expands to:
---
## Connecting to the dashboard
.exercise[
- Connect to https://oneofournodes:3xxxx/
- You will have to work around the TLS certificate validation warning
<!-- ```open https://node1:3xxxx/``` -->
]
The dashboard will then ask you which authentication you want to use.
.warning[Make sure that you use `https`! Otherwise, you'll get this error:]
```
This page isnt working
<oneofournodes> sent an invalid response.
ERR_INVALID_HTTP_RESPONSE
```
.warning[Chrome 63 (and later) as well as recent versions of Edge will refuse to connect.]
We do not know how to work around that issue for the moment.
---
## Dashboard authentication
- We have three authentication options at this point:
- token (associated with a role that has appropriate permissions)
- kubeconfig (e.g. using the `~/.kube/config` file from `node1`)
- "skip" (use the dashboard "service account")
- Let's use "skip": we get a bunch of warnings and don't see much
---
## Granting more rights to the dashboard
- The dashboard documentation [explains how to do this](https://github.com/kubernetes/dashboard/wiki/Access-control#admin-privileges)
- We just need to load another YAML file!
.exercise[
- Grant admin privileges to the dashboard so we can see our resources:
```bash
kubectl apply -f https://goo.gl/CHsLTA
```
- Reload the dashboard and enjoy!
]
--
.warning[By the way, we just added a backdoor to our Kubernetes cluster!]
---
# Security implications of `kubectl apply`
- When we do `kubectl apply -f <URL>`, we create arbitrary resources
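Review bot: after this deletion, the "Security implications of `kubectl apply`" section reads as if the admin-privileges YAML were the only `kubectl apply -f <URL>` in the module, but the new step 2 adds a second one (the socat forwarder at goo.gl/tA7GLz) that likewise creates arbitrary resources in the cluster; the bullet "When we do `kubectl apply -f <URL>`, we create arbitrary resources" should name both. Also check that nothing else references the removed line "We do not know how to work around that issue for the moment", since the forwarder added earlier in this commit is now the workaround for the Chrome 63 / Edge refusal that this hunk deletes.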
@@ -197,3 +226,6 @@ We do not know how to work around that issue for the moment.
- It introduces new failure modes
- Example: the official setup instructions for most pod networks
---