## The Kubernetes dashboard

- Kubernetes resources can also be viewed with a web dashboard

- We are going to deploy that dashboard with three commands:

  - one to actually run the dashboard

  - one to make the dashboard available from outside

  - one to bypass authentication for the dashboard

--

.footnote[.warning[Yes, this will open our cluster to all kinds of shenanigans. Don't do this at home.]]
---

## Running the dashboard

- We need to create a deployment and a service for the dashboard

- But also a secret, a service account, a role and a role binding

- All these things can be defined in a YAML file and created with `kubectl apply -f`

.exercise[

- Create all the dashboard resources, with the following command:
  ```bash
  kubectl apply -f https://goo.gl/Qamqab
  ```

]

The goo.gl URL expands to:
.small[https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml]
---

## Making the dashboard reachable from outside

- The dashboard is exposed through a `ClusterIP` service

- We need a `NodePort` service instead

.exercise[

- Edit the service:
  ```bash
  kubectl edit service kubernetes-dashboard
  ```

]

--

`NotFound`?!? Y U NO WORK?!?
---

## Editing the kubernetes-dashboard service

- If we look at the YAML that we loaded just before, we'll get a hint

--

- The dashboard was created in the `kube-system` namespace

.exercise[

- Edit the service:
  ```bash
  kubectl -n kube-system edit service kubernetes-dashboard
  ```

- Change `ClusterIP` to `NodePort`, save, and exit

- Check the port that was assigned with:
  ```bash
  kubectl -n kube-system get services
  ```

]
---

## Connecting to the dashboard

.exercise[

- Connect to `https://oneofournodes:3xxxx/`

  (You will have to work around the TLS certificate validation warning)

]

- We have three authentication options at this point:

  - token (associated with a role that has appropriate permissions)

  - kubeconfig (e.g. using the `~/.kube/config` file from `node1`)

  - "skip" (use the dashboard "service account")

- Let's use "skip": we get a bunch of warnings and don't see much
---

## Granting more rights to the dashboard

- The dashboard documentation explains how to do this

- We just need to load another YAML file!

.exercise[

- Grant admin privileges to the dashboard so we can see our resources:
  ```bash
  kubectl apply -f https://goo.gl/CHsLTA
  ```

- Reload the dashboard and enjoy!

]

--

.warning[By the way, we just added a backdoor to our Kubernetes cluster!]
---

## Security implications of `kubectl apply`

- When we do `kubectl apply -f <URL>`, we create arbitrary resources

- Resources can be evil; imagine a `deployment` that ...

--

  - starts bitcoin miners on the whole cluster

--

  - hides in a non-default namespace

--

  - bind-mounts our nodes' filesystem

--

  - inserts SSH keys in the root account (on the node)

--

  - encrypts our data and ransoms it

--

  - ☠️☠️☠️
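A pre-apply review step for manifests like the ones above, added here as an example (it is not part of the original slides or of the dashboard project): keep a local copy whose SHA-256 matches a hash pinned at review time, and flag the constructs the list above warns about before anything reaches `kubectl apply`. The grep patterns, the pinned hash and the demo manifest are constructed assumptions, not something the slides or the dashboard define.

```shell
# Added example (not from the original slides): review a manifest locally before
# "kubectl apply -f", instead of applying straight from a URL. Refuse unless the
# file's SHA-256 matches the hash pinned at review time, and flag what the "evil
# deployment" list warns about (hostPath mounts, privileged containers, host
# networking, cluster-admin bindings, resources tucked away in kube-system).
# The grep patterns and the demo manifest are constructed for this example.

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1   # macOS fallback
  fi
}

# check_manifest FILE PINNED_SHA256 -> 0 ok, 1 hash mismatch, 2 risky constructs found
check_manifest() {
  actual=$(sha256_of "$1")
  if [ "$actual" != "$2" ]; then
    echo "REFUSING $1: sha256 $actual does not match pinned $2" >&2
    return 1
  fi
  findings=0
  for pattern in 'hostPath:' 'privileged: *true' 'hostNetwork: *true' \
                 'hostPID: *true' 'name: *cluster-admin' 'namespace: *kube-system'; do
    # grep -n prints each matching line, so the reviewer sees exactly what to inspect
    if grep -nE "$pattern" "$1"; then findings=$((findings + 1)); fi
  done
  if [ "$findings" -gt 0 ]; then
    echo "REFUSING $1: $findings risky construct(s); review before applying" >&2
    return 2
  fi
  return 0
}

# apply_pinned FILE PINNED_SHA256: kubectl only runs when both checks pass
apply_pinned() {
  check_manifest "$1" "$2" && kubectl apply -f "$1"
}

# Constructed demo: the kind of Deployment the slide describes, checked against its own
# (therefore matching) hash, so the risky-construct check is what fires.
demo() {
  f=$(mktemp)
  printf '%s\n' 'apiVersion: apps/v1' 'kind: Deployment' 'metadata:' '  name: miner' \
    '  namespace: kube-system' 'spec:' '  template:' '    spec:' '      containers:' \
    '      - name: m' '        securityContext:' '          privileged: true' \
    '      volumes:' '      - name: host' '        hostPath:' '          path: /' > "$f"
  check_manifest "$f" "$(sha256_of "$f")"; echo "exit status: $?"   # exit status: 2
  rm -f "$f"
}
```

Run `demo` to see the matching lines printed with their line numbers; a manifest that passes both checks is applied with `apply_pinned FILE HASH`.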
---

## `kubectl apply` is the new `curl | sh`

- `curl | sh` is convenient

- It's safe if you use HTTPS URLs from trusted sources

--

- `kubectl apply -f` is convenient

- It's safe if you use HTTPS URLs from trusted sources

--

- It introduces new failure modes

- Example: the official setup instructions for most pod networks