From ea3e19c5c5e26a319186b72f1998daf9fa5904ff Mon Sep 17 00:00:00 2001 From: Jerome Petazzoni Date: Sun, 10 Mar 2019 13:29:31 -0500 Subject: [PATCH] Simplify dashboard section to load one YAML instead of three --- slides/k8s/dashboard.md | 157 ++++++---------------------------------- 1 file changed, 24 insertions(+), 133 deletions(-) diff --git a/slides/k8s/dashboard.md b/slides/k8s/dashboard.md index b742492f..ccfc8f4b 100644 --- a/slides/k8s/dashboard.md +++ b/slides/k8s/dashboard.md @@ -2,88 +2,60 @@ - Kubernetes resources can also be viewed with a web dashboard -- We are going to deploy that dashboard with *three commands:* +- That dashboard is usually exposed over HTTPS - 1) actually *run* the dashboard + (this requires obtaining a proper TLS certificate) - 2) bypass SSL for the dashboard +- Dashboard users need to authenticate - 3) bypass authentication for the dashboard +- We are going to take a *dangerous* shortcut --- +--- -There is an additional step to make the dashboard available from outside (we'll get to that) +## The insecure method --- +- We could (and should) use [Let's Encrypt](https://letsencrypt.org/) ... + +- ... but we don't want to deal with TLS certificates + +- We could (and should) learn how authentication and authorization work ... + +- ... but we will use a guest account with admin access instead .footnote[.warning[Yes, this will open our cluster to all kinds of shenanigans. Don't do this at home.]] --- -## 1) Running the dashboard +## Running a very insecure dashboard -- We need to create a *deployment* and a *service* for the dashboard +- We are going to deploy that dashboard with *one single command* -- But also a *secret*, a *service account*, a *role* and a *role binding* +- This command will create all the necessary resources -- All these things can be defined in a YAML file and created with `kubectl apply -f` + (the dashboard itself, the HTTP wrapper, the admin/guest account) + +- All these resources are defined in a YAML file + +- All we have to do is load that YAML file with with `kubectl apply -f` .exercise[ - Create all the dashboard resources, with the following command: ```bash - kubectl apply -f ~/container.training/k8s/kubernetes-dashboard.yaml + kubectl apply -f ~/container.training/k8s/insecure-dashboard.yaml ``` ] --- - -## 2) Bypassing SSL for the dashboard - -- The Kubernetes dashboard uses HTTPS, but we don't have a certificate - -- Recent versions of Chrome (63 and later) and Edge will refuse to connect - - (You won't even get the option to ignore a security warning!) - -- We could (and should!) get a certificate, e.g. with [Let's Encrypt](https://letsencrypt.org/) - -- ... But for convenience, for this workshop, we'll forward HTTP to HTTPS - -.warning[Do not do this at home, or even worse, at work!] - ---- - -## Running the SSL unwrapper - -- We are going to run [`socat`](http://www.dest-unreach.org/socat/doc/socat.html), telling it to accept TCP connections and relay them over SSL - -- Then we will expose that `socat` instance with a `NodePort` service - -- For convenience, these steps are neatly encapsulated into another YAML file - -.exercise[ - -- Apply the convenient YAML file, and defeat SSL protection: - ```bash - kubectl apply -f ~/container.training/k8s/socat.yaml - ``` - -] - -.warning[All our dashboard traffic is now clear-text, including passwords!] - ---- - ## Connecting to the dashboard .exercise[ - Check which port the dashboard is on: ```bash - kubectl -n kube-system get svc socat + kubectl get svc dashboard ``` ] @@ -113,26 +85,7 @@ The dashboard will then ask you which authentication you want to use. - "skip" (use the dashboard "service account") -- Let's use "skip": we get a bunch of warnings and don't see much - ---- - -## 3) Bypass authentication for the dashboard - -- The dashboard documentation [explains how to do this](https://github.com/kubernetes/dashboard/wiki/Access-control#admin-privileges) - -- We just need to load another YAML file! - -.exercise[ - -- Grant admin privileges to the dashboard so we can see our resources: - ```bash - kubectl apply -f ~/container.training/k8s/grant-admin-to-dashboard.yaml - ``` - -- Reload the dashboard and enjoy! - -] +- Let's use "skip": we're logged in! -- @@ -140,68 +93,6 @@ The dashboard will then ask you which authentication you want to use. --- -## Exposing the dashboard over HTTPS - -- We took a shortcut by forwarding HTTP to HTTPS inside the cluster - -- Let's expose the dashboard over HTTPS! - -- The dashboard is exposed through a `ClusterIP` service (internal traffic only) - -- We will change that into a `NodePort` service (accepting outside traffic) - -.exercise[ - -- Edit the service: - ``` - kubectl edit service kubernetes-dashboard - ``` - -] - --- - -`NotFound`?!? Y U NO WORK?!? - ---- - -## Editing the `kubernetes-dashboard` service - -- If we look at the [YAML](https://github.com/jpetazzo/container.training/blob/master/k8s/kubernetes-dashboard.yaml) that we loaded before, we'll get a hint - --- - -- The dashboard was created in the `kube-system` namespace - --- - -.exercise[ - -- Edit the service: - ```bash - kubectl -n kube-system edit service kubernetes-dashboard - ``` - -- Change type `type:` from `ClusterIP` to `NodePort`, save, and exit - - - -- Check the port that was assigned with `kubectl -n kube-system get services` - -- Connect to https://oneofournodes:3xxxx/ (yes, https) - -] - ---- - ## Running the Kubernetes dashboard securely - The steps that we just showed you are *for educational purposes only!*