# The Kubernetes dashboard

## Introduction

• Kubernetes resources can also be viewed with a web dashboard

• That dashboard is usually exposed over HTTPS

(this requires obtaining a proper TLS certificate)

• Dashboard users need to authenticate

• We are going to take a dangerous shortcut

## The insecure method

• We could (and should) use Let's Encrypt ...

• ... but we don't want to deal with TLS certificates

• We could (and should) learn how authentication and authorization work ...

• ... but we will use a guest account with admin access instead

Yes, this will open our cluster to all kinds of shenanigans. Don't do this at home.

## Running a very insecure dashboard

• We are going to deploy that dashboard with one single command

• This command will create all the necessary resources

(the dashboard itself, the HTTP wrapper, the admin/guest account)

• All these resources are defined in a YAML file

• All we have to do is load that YAML file with with kubectl apply -f

### Exercise

• Create all the dashboard resources, with the following command:

kubectl apply -f ~/container.training/k8s/insecure-dashboard.yaml


## Connecting to the dashboard

### Exercise

• Check which port the dashboard is on:

kubectl get svc dashboard


You'll want the 3xxxx port.

### Exercise

The dashboard will then ask you which authentication you want to use.

## Dashboard authentication

• We have three authentication options at this point:

• token (associated with a role that has appropriate permissions)

• kubeconfig (e.g. using the ~/.kube/config file from node1)

• "skip" (use the dashboard "service account")

• Let's use "skip": we're logged in!

By the way, we just added a backdoor to our Kubernetes cluster!

# Security implications of kubectl apply

• When we do kubectl apply -f <URL>, we create arbitrary resources

• Resources can be evil; imagine a deployment that ...

• starts bitcoin miners on the whole cluster
• hides in a non-default namespace
• bind-mounts our nodes' filesystem
• inserts SSH keys in the root account (on the node)
• encrypts our data and ransoms it
• ☠️☠️☠️

## kubectl apply is the new curl | sh

• curl | sh is convenient

• It's safe if you use HTTPS URLs from trusted sources

• kubectl apply -f is convenient

• It's safe if you use HTTPS URLs from trusted sources

• Example: the official setup instructions for most pod networks

• It introduces new failure modes (like if you try to apply yaml from a link that's no longer valid)