0

How can i protect my Kubernetes Dashboard with a User/Pass from external access?

Create a Cluster using Minikubes in vm-driver=none mode.

Berndinox
  • 240
  • 1
  • 3
  • 11

1 Answers1

1

In Kubernetes, requests come as Authentication (credentials which determine who is talking to the API server) and Authorization (so the API server can determine if this user can perform the requested action). However, Kubernetes does not have users in the traditional meaning of that word (Kubernetes users are just strings associated with a request through credentials). The credential strategy is a choice you make while you install the cluster (you can choose from x509, password files, Bearer tokens, etc.).

As you have added that you want to create users while using --vm-driver=none I assume the dashboard and cluster itself is available in the network for everyone. Minikube is destined for local development and tests, it seems that it creates the role on your behalf. You can try to install regular Kubernetes cluster using kubeadm instead of using simplified version deployed with Minikube. After the minikube start minikube creates cluster role "kubernetes dashboard" and a token associated. So another possible solution would be to delete the Kubernetes Dashboard and install it from scratch following the instructions here with creating the user as it is described here you could also try creating new roles for the users but I did not have enough time to test this solution. Also, I would recommend you to use other tools for more complex tasks with Kubernetes - with kubeadm you could install the dashboard yourself, and configure it to suit your needs.

Further reading about Access Control in Kubernetes dashboard. Creating service account for the dashboard and get it’s credentials step 7:

  1. This command will create a service account for dashboard in the default namespace

$ kubectl create serviceaccount dashboard -n default

  1. This command will add the cluster binding rules to your dashboard account

$ kubectl create clusterrolebinding dashboard-admin -n default \
--clusterrole=cluster-admin \ --serviceaccount=default:dashboard

  1. This command will give you the token required for your dashboard login

$ kubectl get secret $(kubectl get serviceaccount dashboard -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode

You should get a token. 4. Copy this token and paste it in Dashboard Login Page, by selecting token option

aurelius
  • 174
  • 4
  • Hy, thanks! Seems like i have to dig in a bit more! Just tought there may is a quick and dirty "hack" to create a user/pass for "dummie" users... :) – Berndinox Sep 06 '18 at 06:53