2

I wanted to visit my dashboard on a local Kubernetes installation (using docker for mac). I was 'blocked'. I have to provide a token or my config which is normal since the RBAC updates.

Now I don't want to kubectl proxy or enable port forwarding every time I want to visit my dashboard so I installed an nginx proxy with a ingress (tls) which redirects me to https://kubernetes-dashboard.kube-system.svc.cluster.local:443.

This works fine but now I'm a bit confused because I can see the dashboard now, without facing the RBAC issue.

I read this here:

To make Dashboard use authorization header you simply need to pass Authorization: Bearer in every request to Dashboard. This can be achieved i.e. by configuring reverse proxy in front of Dashboard. Proxy will be responsible for authentication with identity provider and will pass generated token in request header to Dashboard. Note that Kubernetes API server needs to be configured properly to accept these tokens.

But it's still not very clear for me. Can someone explain we why I can see the dashboard when I create a proxy in front of it?

DenCowboy
  • 13,884
  • 38
  • 114
  • 210
  • https://github.com/kubernetes/ingress-nginx/blob/master/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/blob/6dfbed743a3c36b96e72f1bdfe36c5b81350cbdf/docs/troubleshooting.md might help – VonC Jul 29 '18 at 14:27
  • 1
    Can you please Post your https settings in nginx? What is your configuration below location / {.....}. Cheers ch – Mchoeti Apr 12 '19 at 14:06

1 Answers1

0

Proxy is usually needed to transfer data between different segments of the network without connecting them directly. Each segment of the network is "talking" to proxy host without any knowledge of the existence of the other network segment.

The Proxy Server is responsible for all negotiations and operations concerning requests and response packets. So, to enable authentication, authorization, SSL termination and many other things you need to configure your proxy server according to your needs.

If you can see the kubernetes dashboard via proxy in front of it it just means that you did not configure any security on that proxy.

For example, to learn how to configure Nginx Ingress to protect a service with basic authentication in your cluster consider to read this article.

For more complex security setup read the article about securing Kubernetes services with Ingress, TLS and LetsEncrypt.

VAS
  • 8,538
  • 1
  • 28
  • 39
  • Well, I was able to use tls (selfsigned certs) on the nginx ingress proxy and using htpasswd to authenticate, so that part works okay. I got redirected to https and need to provide credentials, after that I got redirected to the dashboard. But what I don't understand is why I'm not confronted anymore with the 'provide config' or 'provide bearer token' etc which I need to provide when I visit the dashboard using kubectl port-forward – DenCowboy Jul 30 '18 at 16:40
  • Perhaps it is because the access token is cached in browser cookie. – VAS Jul 31 '18 at 11:09
  • Here is a good article about accessing Kubernetes dashboard using API Server: http://www.joseluisgomez.com/containers/kubernetes-dashboard/ – VAS Jul 31 '18 at 12:36