4

I have a Kubernetes cluster set up with the topology below.

I have deployed the Kubernetes Dashboard on the cluster and am able to access the dashboard with kubectl proxy.

But when I try to access the Dashboard via the floating IP/VIP using the URL:

https://<FloatingIP>:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login

I end up with the response below in the browser:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}

I understand that the issue is because of RBAC on Kubernetes and have done some reading around this topic, but I am still unclear on what needs to be done to resolve this issue on a clustered-master implementation. I was able to expose the Dashboard successfully on a single-master, multiple-node setup with NodePort access, but that fails with a clustered-master setup.

I am also open to better suggestions on implementing Dashboard in this topology.

Please let me know if you need any additional information.

Amit Kumar Gupta
Sujith Shajee
  • Do you want to enable anonymous access to the dashboard, so that anyone who can reach the `FloatingIP` can see the dashboard? – Amit Kumar Gupta Sep 07 '19 at 02:18
  • @AmitKumarGupta - If there is an option to access it without enabling the anonymous user, I would like to consider that. For now, since the floating IP is limited to an internal subnet, I would proceed by taking the anonymous option provided below by Hang and restricting the verbs that are allowed. – Sujith Shajee Sep 07 '19 at 03:18
  • From one of the creators of Kubernetes: https://blog.heptio.com/on-securing-the-kubernetes-dashboard-16b09b1b7aca. It talks about how to secure the dashboard. It also expresses the following sentiment that I strongly agree with: "Security isn’t just for production! In the world of infrastructure the intent of your cluster doesn’t matter." – Amit Kumar Gupta Sep 07 '19 at 03:49

1 Answer

15

You will need to create a ClusterRole that grants permission to the kubernetes-dashboard service and bind it to the system:anonymous user as follows.

# ClusterRole granting access to the Dashboard's service proxy endpoint
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-anonymous
rules:
- apiGroups: [""]                                  # core API group, where Services live
  resources: ["services/proxy"]                    # the resource named in the 403 message
  resourceNames: ["https:kubernetes-dashboard:"]   # only the Dashboard service, not every service
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

---
# Bind the role to the unauthenticated user that the 403 message identifies as the caller
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-anonymous
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard-anonymous
subjects:
- kind: User
  name: system:anonymous

Edit: To apply these changes, save them to a .yaml file (e.g. clusterrole.yaml) and run

kubectl apply -f clusterrole.yaml
Sercan Samet Savran
Hang Du
  • Thank you @HangDu for this solution. This is an acceptable solution in my context. But if you have any insights on how to make this work in a production setup, I would like to hear that as well. – Sujith Shajee Sep 07 '19 at 03:21
  • @SujithShajee I would limit access to the floating IP at the network layer; in the meantime, being able to access the dashboard service doesn't mean being able to access the dashboard until you pass the dashboard's authentication. – Hang Du Sep 07 '19 at 03:46
  • Was sitting to solve that since yesterday... You literally saved a lot of my time. Thank you so much. – Sercan Samet Savran Feb 03 '21 at 11:01
  • Yo, is this somewhere in the documentation? I was looking for that role definition. – zenin Apr 26 '21 at 13:03
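To reason about why the 403 occurs and what the ClusterRole changes, here is an added example (not code from the answer or from the Kubernetes project): a small Python model of RBAC rule matching applied to the exact request in the error message, assuming the ClusterRoleBinding to system:anonymous is in place. It also includes a tightened, GET-only variant of the role, which the asker mentions considering.

```python
# Added example, not code from the original answer: an offline model of the
# RBAC rule matching the API server does for the request in the 403 above, so a
# ClusterRole can be checked before applying it. Matching follows documented RBAC
# semantics (exact, "*", "*/subresource", resourceNames, trailing-"*" URLs).

def _resource_rule_matches(rule, req):
    if "resources" not in rule:           # non-resource rules never match resource requests
        return False
    groups = rule.get("apiGroups", [])
    if "*" not in groups and req["group"] not in groups:
        return False
    sub = req.get("subresource", "")
    combined = req["resource"] + ("/" + sub if sub else "")
    if not any(r in ("*", combined) or (sub and r == "*/" + sub) for r in rule["resources"]):
        return False
    names = rule.get("resourceNames", [])  # empty list means "any name"
    if names and req.get("name") not in names:
        return False
    return "*" in rule["verbs"] or req["verb"] in rule["verbs"]

def _nonresource_rule_matches(rule, req):
    for url in rule.get("nonResourceURLs", []):
        if url == "*" or url == req["path"] or (url.endswith("*") and req["path"].startswith(url.rstrip("*"))):
            return "*" in rule["verbs"] or req["verb"] in rule["verbs"]
    return False

def allowed(cluster_role, req):
    """RBAC is deny-by-default: the request passes only if some rule grants it."""
    match = _nonresource_rule_matches if "path" in req else _resource_rule_matches
    return any(match(rule, req) for rule in cluster_role["rules"])

# The ClusterRole from the answer, as Python data (same rules as the YAML). The third
# nonResourceURLs entry never applies here: the API server treats that path as services/proxy.
ANSWER_ROLE = {"rules": [
    {"apiGroups": [""], "resources": ["services/proxy"],
     "resourceNames": ["https:kubernetes-dashboard:"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"nonResourceURLs": ["/ui", "/ui/*",
                         "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}]}

# Tightened variant (the verb restriction the asker mentions): GET through the proxy only.
# POST/PUT/PATCH/DELETE through the proxy map to create/update/patch/delete, so test the UI against it.
READ_ONLY_ROLE = {"rules": [
    {"apiGroups": [""], "resources": ["services/proxy"],
     "resourceNames": ["https:kubernetes-dashboard:"], "verbs": ["get"]}]}
# The exact request the 403 message describes (constructed from the error text).
DASHBOARD_GET = {"verb": "get", "group": "", "resource": "services", "subresource": "proxy",
                 "name": "https:kubernetes-dashboard:", "namespace": "kube-system"}
```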