mirror of
https://github.com/jpetazzo/container.training.git
synced 2026-07-18 12:29:18 +00:00
Simplify dashboard section to load one YAML instead of three
This commit is contained in:
@@ -2,88 +2,60 @@
|
||||
|
||||
- Kubernetes resources can also be viewed with a web dashboard
|
||||
|
||||
- We are going to deploy that dashboard with *three commands:*
|
||||
- That dashboard is usually exposed over HTTPS
|
||||
|
||||
1) actually *run* the dashboard
|
||||
(this requires obtaining a proper TLS certificate)
|
||||
|
||||
2) bypass SSL for the dashboard
|
||||
- Dashboard users need to authenticate
|
||||
|
||||
3) bypass authentication for the dashboard
|
||||
- We are going to take a *dangerous* shortcut
|
||||
|
||||
--
|
||||
---
|
||||
|
||||
There is an additional step to make the dashboard available from outside (we'll get to that)
|
||||
## The insecure method
|
||||
|
||||
--
|
||||
- We could (and should) use [Let's Encrypt](https://letsencrypt.org/) ...
|
||||
|
||||
- ... but we don't want to deal with TLS certificates
|
||||
|
||||
- We could (and should) learn how authentication and authorization work ...
|
||||
|
||||
- ... but we will use a guest account with admin access instead
|
||||
|
||||
.footnote[.warning[Yes, this will open our cluster to all kinds of shenanigans. Don't do this at home.]]
|
||||
|
||||
---
|
||||
|
||||
## 1) Running the dashboard
|
||||
## Running a very insecure dashboard
|
||||
|
||||
- We need to create a *deployment* and a *service* for the dashboard
|
||||
- We are going to deploy that dashboard with *one single command*
|
||||
|
||||
- But also a *secret*, a *service account*, a *role* and a *role binding*
|
||||
- This command will create all the necessary resources
|
||||
|
||||
- All these things can be defined in a YAML file and created with `kubectl apply -f`
|
||||
(the dashboard itself, the HTTP wrapper, the admin/guest account)
|
||||
|
||||
- All these resources are defined in a YAML file
|
||||
|
||||
- All we have to do is load that YAML file with with `kubectl apply -f`
|
||||
|
||||
.exercise[
|
||||
|
||||
- Create all the dashboard resources, with the following command:
|
||||
```bash
|
||||
kubectl apply -f ~/container.training/k8s/kubernetes-dashboard.yaml
|
||||
kubectl apply -f ~/container.training/k8s/insecure-dashboard.yaml
|
||||
```
|
||||
|
||||
]
|
||||
|
||||
---
|
||||
|
||||
|
||||
## 2) Bypassing SSL for the dashboard
|
||||
|
||||
- The Kubernetes dashboard uses HTTPS, but we don't have a certificate
|
||||
|
||||
- Recent versions of Chrome (63 and later) and Edge will refuse to connect
|
||||
|
||||
(You won't even get the option to ignore a security warning!)
|
||||
|
||||
- We could (and should!) get a certificate, e.g. with [Let's Encrypt](https://letsencrypt.org/)
|
||||
|
||||
- ... But for convenience, for this workshop, we'll forward HTTP to HTTPS
|
||||
|
||||
.warning[Do not do this at home, or even worse, at work!]
|
||||
|
||||
---
|
||||
|
||||
## Running the SSL unwrapper
|
||||
|
||||
- We are going to run [`socat`](http://www.dest-unreach.org/socat/doc/socat.html), telling it to accept TCP connections and relay them over SSL
|
||||
|
||||
- Then we will expose that `socat` instance with a `NodePort` service
|
||||
|
||||
- For convenience, these steps are neatly encapsulated into another YAML file
|
||||
|
||||
.exercise[
|
||||
|
||||
- Apply the convenient YAML file, and defeat SSL protection:
|
||||
```bash
|
||||
kubectl apply -f ~/container.training/k8s/socat.yaml
|
||||
```
|
||||
|
||||
]
|
||||
|
||||
.warning[All our dashboard traffic is now clear-text, including passwords!]
|
||||
|
||||
---
|
||||
|
||||
## Connecting to the dashboard
|
||||
|
||||
.exercise[
|
||||
|
||||
- Check which port the dashboard is on:
|
||||
```bash
|
||||
kubectl -n kube-system get svc socat
|
||||
kubectl get svc dashboard
|
||||
```
|
||||
|
||||
]
|
||||
@@ -113,26 +85,7 @@ The dashboard will then ask you which authentication you want to use.
|
||||
|
||||
- "skip" (use the dashboard "service account")
|
||||
|
||||
- Let's use "skip": we get a bunch of warnings and don't see much
|
||||
|
||||
---
|
||||
|
||||
## 3) Bypass authentication for the dashboard
|
||||
|
||||
- The dashboard documentation [explains how to do this](https://github.com/kubernetes/dashboard/wiki/Access-control#admin-privileges)
|
||||
|
||||
- We just need to load another YAML file!
|
||||
|
||||
.exercise[
|
||||
|
||||
- Grant admin privileges to the dashboard so we can see our resources:
|
||||
```bash
|
||||
kubectl apply -f ~/container.training/k8s/grant-admin-to-dashboard.yaml
|
||||
```
|
||||
|
||||
- Reload the dashboard and enjoy!
|
||||
|
||||
]
|
||||
- Let's use "skip": we're logged in!
|
||||
|
||||
--
|
||||
|
||||
@@ -140,68 +93,6 @@ The dashboard will then ask you which authentication you want to use.
|
||||
|
||||
---
|
||||
|
||||
## Exposing the dashboard over HTTPS
|
||||
|
||||
- We took a shortcut by forwarding HTTP to HTTPS inside the cluster
|
||||
|
||||
- Let's expose the dashboard over HTTPS!
|
||||
|
||||
- The dashboard is exposed through a `ClusterIP` service (internal traffic only)
|
||||
|
||||
- We will change that into a `NodePort` service (accepting outside traffic)
|
||||
|
||||
.exercise[
|
||||
|
||||
- Edit the service:
|
||||
```
|
||||
kubectl edit service kubernetes-dashboard
|
||||
```
|
||||
|
||||
]
|
||||
|
||||
--
|
||||
|
||||
`NotFound`?!? Y U NO WORK?!?
|
||||
|
||||
---
|
||||
|
||||
## Editing the `kubernetes-dashboard` service
|
||||
|
||||
- If we look at the [YAML](https://github.com/jpetazzo/container.training/blob/master/k8s/kubernetes-dashboard.yaml) that we loaded before, we'll get a hint
|
||||
|
||||
--
|
||||
|
||||
- The dashboard was created in the `kube-system` namespace
|
||||
|
||||
--
|
||||
|
||||
.exercise[
|
||||
|
||||
- Edit the service:
|
||||
```bash
|
||||
kubectl -n kube-system edit service kubernetes-dashboard
|
||||
```
|
||||
|
||||
- Change type `type:` from `ClusterIP` to `NodePort`, save, and exit
|
||||
|
||||
<!--
|
||||
```wait Please edit the object below```
|
||||
```keys /ClusterIP```
|
||||
```keys ^J```
|
||||
```keys cwNodePort```
|
||||
```keys ^[ ``` ]
|
||||
```keys :wq```
|
||||
```keys ^J```
|
||||
-->
|
||||
|
||||
- Check the port that was assigned with `kubectl -n kube-system get services`
|
||||
|
||||
- Connect to https://oneofournodes:3xxxx/ (yes, https)
|
||||
|
||||
]
|
||||
|
||||
---
|
||||
|
||||
## Running the Kubernetes dashboard securely
|
||||
|
||||
- The steps that we just showed you are *for educational purposes only!*
|
||||
|
||||
Reference in New Issue
Block a user