6

So the idea is that the Kubernetes dashboard accesses the Kubernetes API to give us beautiful visualizations of the different 'kinds' running in the Kubernetes cluster, and the method by which we access the Kubernetes dashboard is the proxy mechanism of the Kubernetes API, which can then be exposed to a public host for public access.

My question is: is there any possibility that we can access the Kubernetes API proxy mechanism for some other service inside a Kubernetes cluster via that publicly exposed address of the Kubernetes Dashboard?

Arpit Goyal

3 Answers

4

Sure you can. So after you set up your proxy with kubectl proxy, you can access the services with this format:

http://localhost:8001/api/v1/namespaces/kube-system/services/<service-name>:<port-name>/proxy/

For example for http-svc and port name http:

http://localhost:8001/api/v1/namespaces/default/services/http-svc:http/proxy/

Note: it's not necessarily for public access, but rather a proxy for you to connect from your public machine (say your laptop) to a private Kubernetes cluster.

Rico
  • This one I know. I was asking: let's say I have hosted a Kubernetes dashboard to a private cluster using ingress at xxx.yyy.com. Is there any method by which I can access the Kubernetes API using host xxx.yyy.com? – Arpit Goyal Oct 10 '18 at 05:23
1

You can do it by changing your service to NodePort:

$ kubectl -n kube-system edit service kubernetes-dashboard

You should see the YAML representation of the service. Change type: ClusterIP to type: NodePort and save the file.

Note: This way of accessing the Dashboard is only possible if you choose to install your user certificates in the browser. The certificates used by the kubeconfig file to contact the API Server can be used.

Please check the following articles and URLs for better understanding:

Stackoverflow thread

Accessing Dashboard 1.7.X and above

Deploying a publicly accessible Kubernetes Dashboard

How to access kubernetes dashboard from outside cluster

Hope it will help you!

Vit
0

Exposing the Kubernetes Dashboard is not secure at all, but your answer is about the K8s API Server that needs to be accessible by external services.

The right answer differs according to your platform and infrastructure, but as general points:

  • [Network Security] Limit public IP reachability to the K8s API Server(s) / load balancer, if one exists, as a whitelist mechanism
  • [Network Security] Private-to-private reachability is better, like a VPN or AWS PrivateLink
  • [API Security] Limit privileges by ClusterRole/Role to enforce RBAC; better to keep it to read-only verbs { get, list }
  • [API Security] Enable audit logging for k8s components to keep track of events and actions

Tamer Elfeky
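
The audit-logging point above, applied to the service proxy path from the first answer, as an added example that is not part of any answer on this page: it scans API server audit events (audit.k8s.io/v1 JSON lines) for requests to the services/proxy subresource made by identities outside an allowlist. The log lines, the allowlist and the dashboard service account name are constructed assumptions.

```python
import json

# Assumption: identities that are expected to use the service proxy.
ALLOWED_USERS = {"kubernetes-admin"}

def _sample(user, uri, name, sub, code, stage="ResponseComplete"):
    """Build one constructed audit.k8s.io/v1 event as a JSON line."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
        "verb": "get", "requestURI": uri, "sourceIPs": ["203.0.113.7"],
        "user": {"username": user},
        "objectRef": {"resource": "services", "namespace": "default",
                      "name": name, "subresource": sub},
        "responseStatus": {"code": code},
    })

# Assumed service account name for the dashboard; adjust to your deployment.
DASH_SA = "system:serviceaccount:kube-system:kubernetes-dashboard"
PROXY_URI = "/api/v1/namespaces/default/services/http-svc:http/proxy/"
SAMPLE_LOG = "\n".join([  # constructed sample, not real cluster output
    _sample("kubernetes-admin", PROXY_URI, "http-svc:http", "proxy", 200),
    _sample(DASH_SA, "/api/v1/namespaces/default/services/http-svc", "http-svc", "", 200),
    _sample(DASH_SA, PROXY_URI, "http-svc:http", "proxy", 200, stage="RequestReceived"),
    _sample(DASH_SA, PROXY_URI, "http-svc:http", "proxy", 200),
    _sample("system:anonymous", PROXY_URI, "http-svc:http", "proxy", 403),
    "not json",
])

def unexpected_proxy_use(log_text, allowed=ALLOWED_USERS):
    """Return (user, namespace, service, status) for service-proxy requests by non-allowlisted users."""
    findings = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        # One request is logged at several stages; count it once, at completion.
        if not isinstance(ev, dict) or ev.get("stage") != "ResponseComplete":
            continue
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "services" or ref.get("subresource") != "proxy":
            continue  # a plain read of the Service object is not a proxied request
        user = (ev.get("user") or {}).get("username", "")
        if user not in allowed:
            code = (ev.get("responseStatus") or {}).get("code")
            findings.append((user, ref.get("namespace"), ref.get("name"), code))
    return findings
```

A 403 in the results means RBAC refused the proxy request; a 200 for an identity outside the allowlist means that identity holds a grant on services/proxy that is worth reviewing.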