Simplify dashboard section to load one YAML instead of three

This commit is contained in:
Jerome Petazzoni
2019-03-10 13:29:31 -05:00
parent d9c8f2bc57
commit ea3e19c5c5

View File

@@ -2,88 +2,60 @@
- Kubernetes resources can also be viewed with a web dashboard
- We are going to deploy that dashboard with *three commands:*
- That dashboard is usually exposed over HTTPS
1) actually *run* the dashboard
(this requires obtaining a proper TLS certificate)
2) bypass SSL for the dashboard
- Dashboard users need to authenticate
3) bypass authentication for the dashboard
- We are going to take a *dangerous* shortcut
--
---
There is an additional step to make the dashboard available from outside (we'll get to that)
## The insecure method
--
- We could (and should) use [Let's Encrypt](https://letsencrypt.org/) ...
- ... but we don't want to deal with TLS certificates
- We could (and should) learn how authentication and authorization work ...
- ... but we will use a guest account with admin access instead
.footnote[.warning[Yes, this will open our cluster to all kinds of shenanigans. Don't do this at home.]]
---
## 1) Running the dashboard
## Running a very insecure dashboard
- We need to create a *deployment* and a *service* for the dashboard
- We are going to deploy that dashboard with *one single command*
- But also a *secret*, a *service account*, a *role* and a *role binding*
- This command will create all the necessary resources
- All these things can be defined in a YAML file and created with `kubectl apply -f`
(the dashboard itself, the HTTP wrapper, the admin/guest account)
- All these resources are defined in a YAML file
- All we have to do is load that YAML file with with `kubectl apply -f`
.exercise[
- Create all the dashboard resources, with the following command:
```bash
kubectl apply -f ~/container.training/k8s/kubernetes-dashboard.yaml
kubectl apply -f ~/container.training/k8s/insecure-dashboard.yaml
```
]
---
## 2) Bypassing SSL for the dashboard
- The Kubernetes dashboard uses HTTPS, but we don't have a certificate
- Recent versions of Chrome (63 and later) and Edge will refuse to connect
(You won't even get the option to ignore a security warning!)
- We could (and should!) get a certificate, e.g. with [Let's Encrypt](https://letsencrypt.org/)
- ... But for convenience, for this workshop, we'll forward HTTP to HTTPS
.warning[Do not do this at home, or even worse, at work!]
---
## Running the SSL unwrapper
- We are going to run [`socat`](http://www.dest-unreach.org/socat/doc/socat.html), telling it to accept TCP connections and relay them over SSL
- Then we will expose that `socat` instance with a `NodePort` service
- For convenience, these steps are neatly encapsulated into another YAML file
.exercise[
- Apply the convenient YAML file, and defeat SSL protection:
```bash
kubectl apply -f ~/container.training/k8s/socat.yaml
```
]
.warning[All our dashboard traffic is now clear-text, including passwords!]
---
## Connecting to the dashboard
.exercise[
- Check which port the dashboard is on:
```bash
kubectl -n kube-system get svc socat
kubectl get svc dashboard
```
]
@@ -113,26 +85,7 @@ The dashboard will then ask you which authentication you want to use.
- "skip" (use the dashboard "service account")
- Let's use "skip": we get a bunch of warnings and don't see much
---
## 3) Bypass authentication for the dashboard
- The dashboard documentation [explains how to do this](https://github.com/kubernetes/dashboard/wiki/Access-control#admin-privileges)
- We just need to load another YAML file!
.exercise[
- Grant admin privileges to the dashboard so we can see our resources:
```bash
kubectl apply -f ~/container.training/k8s/grant-admin-to-dashboard.yaml
```
- Reload the dashboard and enjoy!
]
- Let's use "skip": we're logged in!
--
@@ -140,68 +93,6 @@ The dashboard will then ask you which authentication you want to use.
---
## Exposing the dashboard over HTTPS
- We took a shortcut by forwarding HTTP to HTTPS inside the cluster
- Let's expose the dashboard over HTTPS!
- The dashboard is exposed through a `ClusterIP` service (internal traffic only)
- We will change that into a `NodePort` service (accepting outside traffic)
.exercise[
- Edit the service:
```
kubectl edit service kubernetes-dashboard
```
]
--
`NotFound`?!? Y U NO WORK?!?
---
## Editing the `kubernetes-dashboard` service
- If we look at the [YAML](https://github.com/jpetazzo/container.training/blob/master/k8s/kubernetes-dashboard.yaml) that we loaded before, we'll get a hint
--
- The dashboard was created in the `kube-system` namespace
--
.exercise[
- Edit the service:
```bash
kubectl -n kube-system edit service kubernetes-dashboard
```
- Change type `type:` from `ClusterIP` to `NodePort`, save, and exit
<!--
```wait Please edit the object below```
```keys /ClusterIP```
```keys ^J```
```keys cwNodePort```
```keys ^[ ``` ]
```keys :wq```
```keys ^J```
-->
- Check the port that was assigned with `kubectl -n kube-system get services`
- Connect to https://oneofournodes:3xxxx/ (yes, https)
]
---
## Running the Kubernetes dashboard securely
- The steps that we just showed you are *for educational purposes only!*