Kubernetes Dashboard v1.7.1 Refactor

This version required changing the previous access model for dashboard completely but it's a change for the better. Docs were updated.

* New login/auth options that use apiserver auth proxying by default
* Requires RBAC in `authorization_modes`
* Only serves over https
* No longer available at https://first_master:6443/ui until apiserver is updated with the https proxy URL:
* Can access from https://first_master:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login you will be prompted for credentials
* Or you can run 'kubectl proxy' from your local machine to access dashboard in your browser from: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
* It is recommended to access dashboard from behind a gateway that enforces an authentication token, details and other access options here: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
pull/1953/head
Chad Swenson 2017-11-09 15:59:30 -06:00
parent f9b68a5d17
commit 0c6f172e75
6 changed files with 142 additions and 32 deletions

View File

@ -93,18 +93,19 @@ the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-applicati
Accessing Kubernetes Dashboard Accessing Kubernetes Dashboard
------------------------------ ------------------------------
If the variable `dashboard_enabled` is set (default is true) as well as As of kubernetes-dashboard v1.7.x:
kube_basic_auth (default is false), then you can * New login options that use apiserver auth proxying of token/basic/kubeconfig by default
access the Kubernetes Dashboard at the following URL: * Requires RBAC in authorization_modes
* Only serves over https
* No longer available at https://first_master:6443/ui until apiserver is updated with the https proxy URL
https://kube:_kube-password_@_host_:6443/ui/ If the variable `dashboard_enabled` is set (default is true), then you can access the Kubernetes Dashboard at the following URL, You will be prompted for credentials:
https://first_master:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
To see the password, refer to the section above, titled *Connecting to Or you can run 'kubectl proxy' from your local machine to access dashboard in your browser from:
Kubernetes*. The host can be any kube-master or kube-node or loadbalancer http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
(when enabled).
To access the Dashboard with basic auth disabled, follow the instructions here: It is recommended to access dashboard from behind a gateway (like Ingress Controller) that enforces an authentication token. Details and other access options here: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/#command-line-proxy
Accessing Kubernetes API Accessing Kubernetes API
------------------------ ------------------------

View File

@ -143,7 +143,8 @@ helm_deployment_type: docker
# K8s image pull policy (imagePullPolicy) # K8s image pull policy (imagePullPolicy)
k8s_image_pull_policy: IfNotPresent k8s_image_pull_policy: IfNotPresent
# Kubernetes dashboard (available at http://first_master:6443/ui by default) # Kubernetes dashboard
# RBAC required. see docs/getting-started.md for access details.
dashboard_enabled: true dashboard_enabled: true
# Monitoring apps for k8s # Monitoring apps for k8s

View File

@ -41,7 +41,9 @@ netchecker_server_memory_requests: 64M
# Dashboard # Dashboard
dashboard_enabled: false dashboard_enabled: false
dashboard_image_repo: gcr.io/google_containers/kubernetes-dashboard-amd64 dashboard_image_repo: gcr.io/google_containers/kubernetes-dashboard-amd64
dashboard_image_tag: v1.6.3 dashboard_image_tag: v1.7.1
dashboard_init_image_repo: gcr.io/google_containers/kubernetes-dashboard-init-amd64
dashboard_init_image_tag: v1.0.1
# Limits for dashboard # Limits for dashboard
dashboard_cpu_limit: 100m dashboard_cpu_limit: 100m

View File

@ -1,10 +1,20 @@
--- ---
- name: Kubernetes Apps | Delete old kubernetes-dashboard resources
kube:
name: "kubernetes-dashboard"
kubectl: "{{bin_dir}}/kubectl"
resource: "{{ item }}"
state: absent
with_items: ['ClusterRoleBinding']
tags:
- upgrade
- name: Kubernetes Apps | Lay down dashboard template - name: Kubernetes Apps | Lay down dashboard template
template: template:
src: "{{item.file}}" src: "{{item.file}}"
dest: "{{kube_config_dir}}/{{item.file}}" dest: "{{kube_config_dir}}/{{item.file}}"
with_items: with_items:
- {file: dashboard.yml.j2, type: deploy, name: netchecker-agent} - {file: dashboard.yml.j2, type: deploy, name: kubernetes-dashboard}
register: manifests register: manifests
when: inventory_hostname == groups['kube-master'][0] when: inventory_hostname == groups['kube-master'][0]

View File

@ -1,4 +1,4 @@
# Copyright 2015 Google Inc. All Rights Reserved. # Copyright 2017 The Kubernetes Authors.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
@ -12,12 +12,25 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
# Configuration to deploy head version of the Dashboard UI compatible with # Configuration to deploy release version of the Dashboard UI compatible with
# Kubernetes 1.6 (RBAC enabled). # Kubernetes 1.7.
# #
# Example usage: kubectl create -f <this_file> # Example usage: kubectl create -f <this_file>
{% if rbac_enabled %} # ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: {{ system_namespace }}
type: Opaque
---
# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
@ -25,23 +38,77 @@ metadata:
k8s-app: kubernetes-dashboard k8s-app: kubernetes-dashboard
name: kubernetes-dashboard name: kubernetes-dashboard
namespace: {{ system_namespace }} namespace: {{ system_namespace }}
---
# ------------------- Dashboard Role & Role Binding ------------------- #
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: kubernetes-dashboard-minimal
namespace: {{ system_namespace }}
rules:
# Allow Dashboard to create and watch for changes of 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "watch"]
- apiGroups: [""]
resources: ["secrets"]
# Allow Dashboard to get, update and delete 'kubernetes-dashboard-key-holder' secret.
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
--- ---
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding kind: RoleBinding
metadata: metadata:
name: kubernetes-dashboard name: kubernetes-dashboard-minimal
labels: namespace: {{ system_namespace }}
k8s-app: kubernetes-dashboard
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: Role
name: cluster-admin name: kubernetes-dashboard-minimal
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: kubernetes-dashboard name: kubernetes-dashboard
namespace: {{ system_namespace }} namespace: {{ system_namespace }}
{% endif %}
--- ---
# ------------------- Gross Hack For anonymous auth through api proxy ------------------- #
# Allows users to reach login page and other proxied dashboard URLs
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-dashboard-anonymous
rules:
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["https:kubernetes-dashboard:"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/{{ system_namespace }}/services/https:kubernetes-dashboard:/proxy/*"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard-anonymous
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubernetes-dashboard-anonymous
subjects:
- kind: User
name: system:anonymous
---
# ------------------- Dashboard Deployment ------------------- #
kind: Deployment kind: Deployment
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
metadata: metadata:
@ -60,10 +127,15 @@ spec:
labels: labels:
k8s-app: kubernetes-dashboard k8s-app: kubernetes-dashboard
spec: spec:
initContainers:
- name: kubernetes-dashboard-init
image: {{ dashboard_init_image_repo }}:{{ dashboard_init_image_tag }}
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
containers: containers:
- name: kubernetes-dashboard - name: kubernetes-dashboard
image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }} image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }}
# Image is tagged and updated with :head, so always pull it.
imagePullPolicy: Always imagePullPolicy: Always
resources: resources:
limits: limits:
@ -73,27 +145,45 @@ spec:
cpu: {{ dashboard_cpu_requests }} cpu: {{ dashboard_cpu_requests }}
memory: {{ dashboard_memory_requests }} memory: {{ dashboard_memory_requests }}
ports: ports:
- containerPort: 9090 - containerPort: 8443
protocol: TCP protocol: TCP
args: args:
- --tls-key-file=/certs/dashboard.key
- --tls-cert-file=/certs/dashboard.crt
- --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %}
# Uncomment the following line to manually specify Kubernetes API server Host # Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect # If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work. # to it. Uncomment only if the default does not work.
# - --apiserver-host=http://my-address:port # - --apiserver-host=http://my-address:port
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
readOnly: true
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe: livenessProbe:
httpGet: httpGet:
scheme: HTTPS
path: / path: /
port: 9090 port: 8443
initialDelaySeconds: 30 initialDelaySeconds: 30
timeoutSeconds: 30 timeoutSeconds: 30
{% if rbac_enabled %} volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard serviceAccountName: kubernetes-dashboard
{% endif %}
# Comment the following tolerations if Dashboard must not be deployed on master # Comment the following tolerations if Dashboard must not be deployed on master
tolerations: tolerations:
- key: node-role.kubernetes.io/master - key: node-role.kubernetes.io/master
effect: NoSchedule effect: NoSchedule
--- ---
# ------------------- Dashboard Service ------------------- #
kind: Service kind: Service
apiVersion: v1 apiVersion: v1
metadata: metadata:
@ -103,8 +193,7 @@ metadata:
namespace: {{ system_namespace }} namespace: {{ system_namespace }}
spec: spec:
ports: ports:
- port: 80 - port: 443
targetPort: 9090 targetPort: 8443
selector: selector:
k8s-app: kubernetes-dashboard k8s-app: kubernetes-dashboard

View File

@ -78,3 +78,10 @@
that: ansible_swaptotal_mb == 0 that: ansible_swaptotal_mb == 0
when: kubelet_fail_swap_on|default(true) when: kubelet_fail_swap_on|default(true)
ignore_errors: "{{ ignore_assert_errors }}" ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if RBAC is not enabled when dashboard is enabled
assert:
that: rbac_enabled
when: dashboard_enabled
ignore_errors: "{{ ignore_assert_errors }}"