The Kubernetes dashboard
- Introduction
- The insecure method
- Running a very insecure dashboard
- Connecting to the dashboard
- Dashboard authentication
- Running the Kubernetes dashboard securely
kubectl apply
is the newcurl | sh
Introduction
Kubernetes resources can also be viewed with a web dashboard
That dashboard is usually exposed over HTTPS
(this requires obtaining a proper TLS certificate)
Dashboard users need to authenticate
We are going to take a dangerous shortcut
The insecure method
We could (and should) use Let's Encrypt ...
... but we don't want to deal with TLS certificates
We could (and should) learn how authentication and authorization work ...
... but we will use a guest account with admin access instead
Yes, this will open our cluster to all kinds of shenanigans. Don't do this at home.
Running a very insecure dashboard
We are going to deploy that dashboard with one single command
This command will create all the necessary resources
(the dashboard itself, the HTTP wrapper, the admin/guest account)
All these resources are defined in a YAML file
All we have to do is load that YAML file with with
kubectl apply -f
Exercise
Create all the dashboard resources, with the following command:
kubectl apply -f ~/container.training/k8s/insecure-dashboard.yaml
Connecting to the dashboard
Exercise
Check which port the dashboard is on:
kubectl get svc dashboard
You'll want the 3xxxx
port.
Exercise
- Connect to http://oneofournodes:3xxxx/
The dashboard will then ask you which authentication you want to use.
Dashboard authentication
We have three authentication options at this point:
token (associated with a role that has appropriate permissions)
kubeconfig (e.g. using the
~/.kube/config
file fromnode1
)"skip" (use the dashboard "service account")
Let's use "skip": we're logged in!
By the way, we just added a backdoor to our Kubernetes cluster!
Running the Kubernetes dashboard securely
The steps that we just showed you are for educational purposes only!
If you do that on your production cluster, people can and will abuse it
For an in-depth discussion about securing the dashboard,
check this excellent post on Heptio's blog
Security implications of kubectl apply
When we do
kubectl apply -f <URL>
, we create arbitrary resourcesResources can be evil; imagine a
deployment
that ...- starts bitcoin miners on the whole cluster
- hides in a non-default namespace
- bind-mounts our nodes' filesystem
- inserts SSH keys in the root account (on the node)
- encrypts our data and ransoms it
- ☠️☠️☠️
kubectl apply
is the new curl | sh
curl | sh
is convenientIt's safe if you use HTTPS URLs from trusted sources
kubectl apply -f
is convenientIt's safe if you use HTTPS URLs from trusted sources
Example: the official setup instructions for most pod networks
- It introduces new failure modes (like if you try to apply yaml from a link that's no longer valid)