Commit 0c6f172e authored by Chad Swenson

Kubernetes Dashboard v1.7.1 Refactor

This version required changing the previous access model for dashboard completely, but it's a change for the better. Docs were updated.

* New login/auth options that use apiserver auth proxying by default
* Requires RBAC in `authorization_modes`
* Only serves over https
* No longer available at https://first_master:6443/ui until apiserver is updated with the https proxy URL:
* Can access from https://first_master:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login; you will be prompted for credentials
* Or you can run 'kubectl proxy' from your local machine to access dashboard in your browser from: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
* It is recommended to access dashboard from behind a gateway that enforces an authentication token, details and other access options here: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
parent f9b68a5d
...@@ -93,18 +93,19 @@ the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-applicati ...@@ -93,18 +93,19 @@ the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-applicati
Accessing Kubernetes Dashboard Accessing Kubernetes Dashboard
------------------------------ ------------------------------
If the variable `dashboard_enabled` is set (default is true) as well as As of kubernetes-dashboard v1.7.x:
kube_basic_auth (default is false), then you can * New login options that use apiserver auth proxying of token/basic/kubeconfig by default
access the Kubernetes Dashboard at the following URL: * Requires RBAC in authorization_modes
* Only serves over https
* No longer available at https://first_master:6443/ui until apiserver is updated with the https proxy URL
https://kube:_kube-password_@_host_:6443/ui/ If the variable `dashboard_enabled` is set (default is true), then you can access the Kubernetes Dashboard at the following URL, You will be prompted for credentials:
https://first_master:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
To see the password, refer to the section above, titled *Connecting to Or you can run 'kubectl proxy' from your local machine to access dashboard in your browser from:
Kubernetes*. The host can be any kube-master or kube-node or loadbalancer http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
(when enabled).
To access the Dashboard with basic auth disabled, follow the instructions here: It is recommended to access dashboard from behind a gateway (like Ingress Controller) that enforces an authentication token. Details and other access options here: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/#command-line-proxy
Accessing Kubernetes API Accessing Kubernetes API
------------------------ ------------------------
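Review bot: the new sentence "at the following URL, You will be prompted for credentials:" has a stray comma and capital; suggest "at the following URL (you will be prompted for credentials):". The paragraph also says the `dashboard_enabled` default is true, which matches the sample inventory hunk but not the role defaults hunk in this same commit (`dashboard_enabled: false`), so name the file the default refers to. The `kubectl proxy` URL here ends in `#!/login` while the one in the commit message does not; use one form in both places.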
...@@ -143,7 +143,8 @@ helm_deployment_type: docker ...@@ -143,7 +143,8 @@ helm_deployment_type: docker
# K8s image pull policy (imagePullPolicy) # K8s image pull policy (imagePullPolicy)
k8s_image_pull_policy: IfNotPresent k8s_image_pull_policy: IfNotPresent
# Kubernetes dashboard (available at http://first_master:6443/ui by default) # Kubernetes dashboard
# RBAC required. see docs/getting-started.md for access details.
dashboard_enabled: true dashboard_enabled: true
# Monitoring apps for k8s # Monitoring apps for k8s
...@@ -41,7 +41,9 @@ netchecker_server_memory_requests: 64M ...@@ -41,7 +41,9 @@ netchecker_server_memory_requests: 64M
# Dashboard # Dashboard
dashboard_enabled: false dashboard_enabled: false
dashboard_image_repo: gcr.io/google_containers/kubernetes-dashboard-amd64 dashboard_image_repo: gcr.io/google_containers/kubernetes-dashboard-amd64
dashboard_image_tag: v1.6.3 dashboard_image_tag: v1.7.1
dashboard_init_image_repo: gcr.io/google_containers/kubernetes-dashboard-init-amd64
dashboard_init_image_tag: v1.0.1
# Limits for dashboard # Limits for dashboard
dashboard_cpu_limit: 100m dashboard_cpu_limit: 100m
--- ---
- name: Kubernetes Apps | Delete old kubernetes-dashboard resources
kube:
name: "kubernetes-dashboard"
kubectl: "{{bin_dir}}/kubectl"
resource: "{{ item }}"
state: absent
with_items: ['ClusterRoleBinding']
tags:
- upgrade
- name: Kubernetes Apps | Lay down dashboard template - name: Kubernetes Apps | Lay down dashboard template
template: template:
src: "{{item.file}}" src: "{{item.file}}"
dest: "{{kube_config_dir}}/{{item.file}}" dest: "{{kube_config_dir}}/{{item.file}}"
with_items: with_items:
- {file: dashboard.yml.j2, type: deploy, name: netchecker-agent} - {file: dashboard.yml.j2, type: deploy, name: kubernetes-dashboard}
register: manifests register: manifests
when: inventory_hostname == groups['kube-master'][0] when: inventory_hostname == groups['kube-master'][0]
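Review bot: the new "Delete old kubernetes-dashboard resources" task has no `when: inventory_hostname == groups['kube-master'][0]` guard, unlike the "Lay down dashboard template" task directly below it, so the `kubectl delete` runs from every host in the play; add the same guard. Removing that ClusterRoleBinding is the security-relevant part of this upgrade, because the previous manifest bound the dashboard ServiceAccount to `cluster-admin`, so it is worth a one-line comment saying why the binding must go rather than leaving it to the task name. Fixing the copy-pasted `name: netchecker-agent` in the template item is a good catch.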
# Copyright 2015 Google Inc. All Rights Reserved. # Copyright 2017 The Kubernetes Authors.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
...@@ -12,12 +12,25 @@ ...@@ -12,12 +12,25 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
# Configuration to deploy head version of the Dashboard UI compatible with # Configuration to deploy release version of the Dashboard UI compatible with
# Kubernetes 1.6 (RBAC enabled). # Kubernetes 1.7.
# #
# Example usage: kubectl create -f <this_file> # Example usage: kubectl create -f <this_file>
{% if rbac_enabled %} # ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: {{ system_namespace }}
type: Opaque
---
# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
...@@ -25,23 +38,77 @@ metadata: ...@@ -25,23 +38,77 @@ metadata:
k8s-app: kubernetes-dashboard k8s-app: kubernetes-dashboard
name: kubernetes-dashboard name: kubernetes-dashboard
namespace: {{ system_namespace }} namespace: {{ system_namespace }}
---
# ------------------- Dashboard Role & Role Binding ------------------- #
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: kubernetes-dashboard-minimal
namespace: {{ system_namespace }}
rules:
# Allow Dashboard to create and watch for changes of 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "watch"]
- apiGroups: [""]
resources: ["secrets"]
# Allow Dashboard to get, update and delete 'kubernetes-dashboard-key-holder' secret.
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
--- ---
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding kind: RoleBinding
metadata: metadata:
name: kubernetes-dashboard name: kubernetes-dashboard-minimal
labels: namespace: {{ system_namespace }}
k8s-app: kubernetes-dashboard
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: Role
name: cluster-admin name: kubernetes-dashboard-minimal
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: kubernetes-dashboard name: kubernetes-dashboard
namespace: {{ system_namespace }} namespace: {{ system_namespace }}
{% endif %}
---
# ------------------- Gross Hack For anonymous auth through api proxy ------------------- #
# Allows users to reach login page and other proxied dashboard URLs
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-dashboard-anonymous
rules:
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["https:kubernetes-dashboard:"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/{{ system_namespace }}/services/https:kubernetes-dashboard:/proxy/*"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
--- ---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard-anonymous
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubernetes-dashboard-anonymous
subjects:
- kind: User
name: system:anonymous
---
# ------------------- Dashboard Deployment ------------------- #
kind: Deployment kind: Deployment
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
metadata: metadata:
...@@ -60,10 +127,15 @@ spec: ...@@ -60,10 +127,15 @@ spec:
labels: labels:
k8s-app: kubernetes-dashboard k8s-app: kubernetes-dashboard
spec: spec:
initContainers:
- name: kubernetes-dashboard-init
image: {{ dashboard_init_image_repo }}:{{ dashboard_init_image_tag }}
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
containers: containers:
- name: kubernetes-dashboard - name: kubernetes-dashboard
image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }} image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }}
# Image is tagged and updated with :head, so always pull it.
imagePullPolicy: Always imagePullPolicy: Always
resources: resources:
limits: limits:
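Review bot: the comment "Image is tagged and updated with :head, so always pull it." is dropped but `imagePullPolicy: Always` stays; now that `dashboard_image_tag` is a release tag (v1.7.1), use the `k8s_image_pull_policy` variable from the sample inventory instead, and give the new `kubernetes-dashboard-init` init container the same pull policy and resource limits, since it currently has neither.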
...@@ -73,27 +145,45 @@ spec: ...@@ -73,27 +145,45 @@ spec:
cpu: {{ dashboard_cpu_requests }} cpu: {{ dashboard_cpu_requests }}
memory: {{ dashboard_memory_requests }} memory: {{ dashboard_memory_requests }}
ports: ports:
- containerPort: 9090 - containerPort: 8443
protocol: TCP protocol: TCP
args: args:
- --tls-key-file=/certs/dashboard.key
- --tls-cert-file=/certs/dashboard.crt
- --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %}
# Uncomment the following line to manually specify Kubernetes API server Host # Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect # If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work. # to it. Uncomment only if the default does not work.
# - --apiserver-host=http://my-address:port # - --apiserver-host=http://my-address:port
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
readOnly: true
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe: livenessProbe:
httpGet: httpGet:
scheme: HTTPS
path: / path: /
port: 9090 port: 8443
initialDelaySeconds: 30 initialDelaySeconds: 30
timeoutSeconds: 30 timeoutSeconds: 30
{% if rbac_enabled %} volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard serviceAccountName: kubernetes-dashboard
{% endif %}
# Comment the following tolerations if Dashboard must not be deployed on master # Comment the following tolerations if Dashboard must not be deployed on master
tolerations: tolerations:
- key: node-role.kubernetes.io/master - key: node-role.kubernetes.io/master
effect: NoSchedule effect: NoSchedule
--- ---
# ------------------- Dashboard Service ------------------- #
kind: Service kind: Service
apiVersion: v1 apiVersion: v1
metadata: metadata:
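Review bot: the `kubernetes-dashboard-certs` Secret is created with no data and the init container writes the generated key and certificate into its `/certs` mount, so each pod start serves a fresh self-signed certificate that clients cannot verify, and the setup relies on the Secret-backed volume being writable by the init container. Document that operators can pre-populate `dashboard.crt` and `dashboard.key` in that Secret with a CA-issued pair, or at minimum state in the docs hunk that the default certificate is self-signed. Enabling `basic` in `--authentication-mode` only when `kube_basic_auth` is set is the right default, and switching the liveness probe to `scheme: HTTPS` on 8443 is required now that port 9090 is gone.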
...@@ -103,8 +193,7 @@ metadata: ...@@ -103,8 +193,7 @@ metadata:
namespace: {{ system_namespace }} namespace: {{ system_namespace }}
spec: spec:
ports: ports:
- port: 80 - port: 443
targetPort: 9090 targetPort: 8443
selector: selector:
k8s-app: kubernetes-dashboard k8s-app: kubernetes-dashboard
\ No newline at end of file
...@@ -78,3 +78,10 @@ ...@@ -78,3 +78,10 @@
that: ansible_swaptotal_mb == 0 that: ansible_swaptotal_mb == 0
when: kubelet_fail_swap_on|default(true) when: kubelet_fail_swap_on|default(true)
ignore_errors: "{{ ignore_assert_errors }}" ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if RBAC is not enabled when dashboard is enabled
assert:
that: rbac_enabled
when: dashboard_enabled
ignore_errors: "{{ ignore_assert_errors }}"
\ No newline at end of file
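Review bot: add a `msg:` to the new assert (for example "dashboard_enabled requires RBAC in authorization_modes") so the failure is actionable; the commit message states the requirement but the task output will not. Note that `ignore_errors: "{{ ignore_assert_errors }}"` lets this check be bypassed, and since the `{% if rbac_enabled %}` guards were removed from the template, the RBAC objects are then rendered into a cluster whose authorizer does not enforce them.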