diff --git a/docs/user/access-control/README.md b/docs/user/access-control/README.md
index 476e1f7f6786..5ebbbd878f34 100644
--- a/docs/user/access-control/README.md
+++ b/docs/user/access-control/README.md
@@ -1,48 +1,33 @@ # Access control -Once Dashboard is installed and accessible we can focus on configuring access control to the cluster resources for users. As of release 1.7 Dashboard no longer has full admin privileges granted by default. All the privileges are revoked and only [minimal privileges granted](#default-dashboard-privileges), that are required to make Dashboard work. - -**IMPORTANT:** This note is only directed to people using Dashboard 1.7 and above. In case Dashboard is accessible only by trusted set of people, all with full admin privileges you may want to grant it [admin privileges](#admin-privileges). Note that other applications should not access Dashboard directly as it may cause privileges escalation. Make sure that in-cluster traffic is restricted to namespaces or just revoke access to Dashboard for other applications inside the cluster. +Once Dashboard is installed and accessible we can focus on configuring access control to the cluster resources for users. ## Introduction -Kubernetes supports few ways of authenticating and authorizing users. You can read about them [here](https://kubernetes.io/docs/reference/access-authn-authz/authentication/) and [here](https://kubernetes.io/docs/reference/access-authn-authz/authorization/). Authorization is handled by Kubernetes API server. Dashboard only acts as a proxy and passes all auth information to it. In case of forbidden access corresponding warnings will be displayed in Dashboard. +Kubernetes supports few ways of authenticating and authorizing users. +You can read about them [here](https://kubernetes.io/docs/reference/access-authn-authz/authentication/) and +[here](https://kubernetes.io/docs/reference/access-authn-authz/authorization/). Authorization is handled by Kubernetes API server. +Dashboard only acts as a proxy and passes all auth information to it. In case of forbidden access corresponding warnings will be displayed in Dashboard. 
## Default Dashboard privileges -### v1.7 - -* `create` and `watch` permissions for secrets in `kube-system` namespace required to create and watch for changes of `kubernetes-dashboard-key-holder` secret. -* `get`, `update` and `delete` permissions for secrets named `kubernetes-dashboard-key-holder` and `kubernetes-dashboard-certs` in `kube-system` namespace. -* `proxy` permission to `heapster` service in `kube-system` namespace required to allow getting metrics from heapster. - -### v1.8 - -* `create` permission for secrets in `kube-system` namespace required to create `kubernetes-dashboard-key-holder` secret. -* `get`, `update` and `delete` permissions for secrets named `kubernetes-dashboard-key-holder` and `kubernetes-dashboard-certs` in `kube-system` namespace. -* `get` and `update` permissions for config map named `kubernetes-dashboard-settings` in `kube-system` namespace. -* `proxy` permission to `heapster` service in `kube-system` namespace required to allow getting metrics from heapster. - -### v1.10 - -_T.B.D._ - -### v2.0 - -_T.B.D._ +* `get`, `update` and `delete` permissions for Secrets named `kubernetes-dashboard-key-holder`, `kubernetes-dashboard-certs` and `kubernetes-dashboard-csrf` in `kubernetes-dashboard` namespace. +* `get` and `update` permissions for the Config Map named `kubernetes-dashboard-settings` in `kubernetes-dashboard` namespace. +* `get` permission for `services/proxy` in order to allow `heapster` and `dashboard-metrics-scraper` services in `kubernetes-dashboard` namespace required to gather metrics. +* `get`, `list` and `watch` permissions for `metrics.k8s.io` API in order to allow `dashboard-metrics-scraper` to gather metrics from the `metrics-server`. ## Authentication -As of release 1.7 Dashboard supports user authentication based on: +Kubernetes Dashboard supports a few different ways of authenticating users: -* [`Authorization: Bearer `](#authorization-header) header passed in every request to Dashboard. 
Supported from release 1.6. Has the highest priority. If present, login view will not be shown. +* [Authorization header](#authorization-header) passed in every request to Dashboard. Supported from release 1.6. Has the highest priority. If present, login view will be skipped. * [Bearer Token](#bearer-token) that can be used on Dashboard [login view](#login-view). * [Username/password](#basic) that can be used on Dashboard [login view](#login-view). * [Kubeconfig](#kubeconfig) file that can be used on Dashboard [login view](#login-view). ### Login view -Login view has been introduced in release 1.7. In case you are using the latest recommended installation then login functionality will be enabled by default. In any other case and if you prefer to configure certificates manually you need to pass `--tls-cert-file` and `--tls-cert-key` flags to Dashboard. HTTPS endpoint will be exposed on port `8443` of Dashboard container. You can change it by providing `--port` flag. +In case you are using the latest recommended installation then login functionality will be enabled by default. In any other case and if you prefer to configure certificates manually you need to pass `--tls-cert-file` and `--tls-cert-key` flags to Dashboard. HTTPS endpoint will be exposed on port `8443` of Dashboard container. You can change it by providing `--port` flag. Using `Skip` option will make Dashboard use privileges of Service Account used by Dashboard. `Skip` button is disabled by default since 1.10.1. Use `--enable-skip-login` dashboard flag to display it. 
@@ -68,42 +53,8 @@ Recommended lecture to find out how to create Service Account and grant it privi * [Role and ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) * [Service Account Permissions](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions) -#### Sample Bearer Token - To create sample user and to get its token, see [Creating sample user](./creating-sample-user.md) guide. -#### Getting token with `kubectl` - -There are many Service Accounts created in Kubernetes by default. All with different access permissions. In order to find any token, that can be used to login we'll use `kubectl`: - -``` -# Check existing secrets in kubernetes-dashboard namespace -$ kubectl -n kubernetes-dashboard get secret -NAME TYPE DATA AGE -default-token-2pjhm kubernetes.io/service-account-token 3 81m -kubernetes-dashboard-certs Opaque 0 81m -kubernetes-dashboard-csrf Opaque 1 81m -kubernetes-dashboard-key-holder Opaque 2 81m -kubernetes-dashboard-token-x9nd8 kubernetes.io/service-account-token 3 81m - -$ kubectl -n kubernetes-dashboard describe secrets kubernetes-dashboard-token-x9nd8 -Name: kubernetes-dashboard-token-x9nd8 -Namespace: kubernetes-dashboard -Labels: -Annotations: kubernetes.io/service-account.name: kubernetes-dashboard - kubernetes.io/service-account.uid: 2140a425-447f-437f-9966-24ab4e57217a - -Type: kubernetes.io/service-account-token - -Data -==== -token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.oSOjJZpQq-yiAIQWM12gFpVA6jiJz8-zApC0Wbet9iwzflmCVFlT1lWjEEduKMnJOF-viJ4fwLixA3INfCxDgWIBmxEvoA-R6ExQNkmFi4ljGdBX98fI2B4WFuqWIPoEjqf1l3eXHKmXgqbiMYA-UH_Ih4m2-aKKO3dfkmc5HmPP1ZjotCQKGpcq60c1y-SASqbC_FC3LHvp0l5N9bfhAOraNC_34ZlL3zkQ6cAL6mZG8Ci1MuXMHTH9g04QaVZb14f6BAY-K2X-Z5yDpMr4Zs5h6DOc_18sysf4uOVyo0wMXfI9gLsda-e3zX_5W39piBj-PwfBwBGslC_JztTCSQ -ca.crt: 1066 bytes -namespace: 20 bytes -``` - -We can now use printed `token` to login to Dashboard. 
To find out more about how to configure and use Bearer Tokens, please read [Introduction](#introduction) section. - ### Basic Basic authentication is disabled by default. The reason is that Kubernetes API server needs to be configured with authorization mode ABAC and `--basic-auth-file` flag provided. Without that API server automatically falls back to [anonymous user](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests) and there is no way to check if provided credentials are valid. diff --git a/docs/user/access-control/creating-sample-user.md b/docs/user/access-control/creating-sample-user.md index 64a3ac8295ce..bfffe9f95655 100644 --- a/docs/user/access-control/creating-sample-user.md +++ b/docs/user/access-control/creating-sample-user.md @@ -6,7 +6,7 @@ In this guide, we will find out how to create a new user using Service Account m For each of the following snippets for `ServiceAccount` and `ClusterRoleBinding`, you should copy them to new manifest files like `dashboard-adminuser.yaml` and use `kubectl apply -f dashboard-adminuser.yaml` to create them. -## Create Service Account +## Creating a Service Account We are creating Service Account with name `admin-user` in namespace `kubernetes-dashboard` first. 
@@ -18,9 +18,10 @@ metadata: namespace: kubernetes-dashboard ``` -## Create ClusterRoleBinding +## Creating a ClusterRoleBinding -In most cases after provisioning our cluster using `kops` or `kubeadm` or any other popular tool, the `ClusterRole` `cluster-admin` already exists in the cluster. We can use it and create only `ClusterRoleBinding` for our `ServiceAccount`. +In most cases after provisioning cluster using `kops`, `kubeadm` or any other popular tool, the `ClusterRole` `cluster-admin` already exists in the cluster. We can use it and create only `ClusterRoleBinding` for our `ServiceAccount`. +If it does not exist then you need to create this role first and grant required privileges manually. **NOTE:** `apiVersion` of `ClusterRoleBinding` resource may differ between Kubernetes versions. Prior to Kubernetes `v1.8` the `apiVersion` was `rbac.authorization.k8s.io/v1beta1`. @@ -39,7 +40,7 @@ subjects: namespace: kubernetes-dashboard ``` -## Bearer Token +## Getting a Bearer Token Now we need to find token we can use to log in. Execute following command: @@ -72,7 +73,7 @@ namespace: 20 bytes token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.Z2JrQlitASVwWbc-s6deLRFVk5DWD3P_vjUFXsqVSY10pbjFLG4njoZwh8p3tLxnX_VBsr7_6bwxhWSYChp9hwxznemD5x5HLtjb16kI9Z7yFWLtohzkTwuFbqmQaMoget_nYcQBUC5fDmBHRfFvNKePh_vSSb2h_aYXa8GV5AcfPQpY7r461itme1EXHQJqv-SN-zUnguDguCTjD80pFZ_CmnSE1z9QdMHPB8hoB4V68gtswR1VLa6mSYdgPwCHauuOobojALSaMc3RH7MmFUumAgguhqAkX3Omqd3rJbYOMRuMjhANqd08piDC3aIabINX6gP5-Tuuw2svnV6NYQ ``` -Now copy the token and paste it into `Enter token` field on login screen. +Now copy the token and paste it into `Enter token` field on the login screen. ![Sing in](../../images/signin.png) diff --git a/docs/user/accessing-dashboard/1.6.x-and-below.md b/docs/user/accessing-dashboard/1.6.x-and-below.md deleted file mode 100644 index 37c7702a0cbe..000000000000 --- a/docs/user/accessing-dashboard/1.6.x-and-below.md +++ /dev/null 
@@ -1,90 +0,0 @@ -# Accessing Dashboard 1.6.x and below - -## `kubectl proxy` - -`kubectl proxy` creates proxy server between your machine and Kubernetes API server. By default it is only accessible locally (from the machine that started it). - -First let's check if `kubectl` is properly configured and has access to the cluster. In case of error follow [this guide](https://kubernetes.io/docs/tasks/tools/install-kubectl/) to install and set up `kubectl`. - -``` -$ kubectl cluster-info -# Example output -Kubernetes master is running at https://192.168.30.148:6443 -Heapster is running at https://192.168.30.148:6443/api/v1/namespaces/kube-system/services/heapster/proxy -KubeDNS is running at https://192.168.30.148:6443/api/v1/namespaces/kube-system/services/kube-dns/proxy - -To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'. -``` - -Start local proxy server. - -``` -$ kubectl proxy -Starting to serve on 127.0.0.1:8001 -``` - -Once proxy server is started you should be able to access Dashboard from your browser at: `http://localhost:8001/api/v1/namespaces/kube-system/services/http:kubernetes-dashboard:/proxy/`. - -## NodePort - -This way of accessing Dashboard is only recommended for development environments in a single node setup. - -Edit `kubernetes-dashboard` service. - -``` -$ kubectl -n kube-system edit service kubernetes-dashboard -``` - -You should see `yaml` representation of the service. Change `type: ClusterIP` to `type: NodePort` and save file. If it's already changed go to next step. - -``` -# Please edit the object below. Lines beginning with a '#' will be ignored, -# and an empty file will abort the edit. If an error occurs while saving this file will be -# reopened with the relevant failures. 
-# -apiVersion: v1 -kind: Service -metadata: - creationTimestamp: 2017-09-11T08:00:46Z - labels: - k8s-app: kubernetes-dashboard - name: kubernetes-dashboard - namespace: kube-system - resourceVersion: "1300" - selfLink: /api/v1/namespaces/kube-system/services/kubernetes-dashboard - uid: 51392867-96c7-11e7-87e0-901b0e532516 -spec: - clusterIP: 10.103.169.125 - externalTrafficPolicy: Cluster - ports: - - port: 80 - protocol: TCP - targetPort: 9090 - selector: - k8s-app: kubernetes-dashboard - sessionAffinity: None - type: ClusterIP -status: - loadBalancer: {} -``` - -Next we need to check port on which Dashboard was exposed. - -``` -$ kubectl -n kube-system get service kubernetes-dashboard -NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE -kubernetes-dashboard 10.103.169.125 80:32703/TCP 1d -``` - -Dashboard has been exposed on a port `32703`. Now you can access it from your browser at: `http://:32703`. `master-ip` can be found by executing `kubectl cluster-info`. Usually it is either `127.0.0.1` or IP of your machine, assuming that you cluster is running directly on the machine, on which these commands are executed. - -## API Server - -In case Kubernetes API server is exposed and accessible from outside you can directly access dashboard at: `http(s)://:/api/v1/namespaces/kube-system/services/http:kubernetes-dashboard:/proxy/`. - -## Ingress - -Dashboard can be also exposed using Ingress resource. For more information check: https://kubernetes.io/docs/concepts/services-networking/ingress. - ----- -_Copyright 2019 [The Kubernetes Dashboard Authors](https://github.com/kubernetes/dashboard/graphs/contributors)_ diff --git a/docs/user/accessing-dashboard/1.7.x-and-above.md b/docs/user/accessing-dashboard/1.7.x-and-above.md deleted file mode 100644 index 468708798d7f..000000000000 --- a/docs/user/accessing-dashboard/1.7.x-and-above.md +++ /dev/null 
@@ -1,106 +0,0 @@ -# Accessing Dashboard 1.7.x and above - -**IMPORTANT:** HTTPS endpoints are only available if you used [Recommended Setup](../installation.md#recommended-setup), followed [Getting Started](../../../README.md#getting-started) guide to deploy Dashboard or manually provided `--tls-key-file` and `--tls-cert-file` flags. In case you did not and you access Dashboard over HTTP, then Dashboard can be accessed the same way as [older versions](./1.6.x-and-below.md). - -**NOTE:** Dashboard should not be exposed publicly over HTTP. For domains accessed over HTTP it will not be possible to sign in. Nothing will happen after clicking Sign in button on login page. - -## `kubectl proxy` - -`kubectl proxy` creates proxy server between your machine and Kubernetes API server. By default it is only accessible locally (from the machine that started it). - -First let's check if `kubectl` is properly configured and has access to the cluster. In case of error follow [this guide](https://kubernetes.io/docs/tasks/tools/install-kubectl/) to install and set up `kubectl`. - -``` -$ kubectl cluster-info -# Example output -Kubernetes master is running at https://192.168.30.148:6443 -KubeDNS is running at https://192.168.30.148:6443/api/v1/namespaces/kube-system/services/kube-dns/proxy - -To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'. -``` - -Start local proxy server. - -``` -$ kubectl proxy -Starting to serve on 127.0.0.1:8001 -``` - -Once the proxy server is started you should be able to access Dashboard from your browser. - -To access the HTTPS endpoint of dashboard go to: `http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/` - -NOTE: Dashboard should not be exposed publicly using `kubectl proxy` command as it only allows HTTP connection. For domains other than `localhost` and `127.0.0.1` it will not be possible to sign in. Nothing will happen after clicking `Sign in` button on login page. 
- -## `kubectl port-forward` - -Instead of `kubectl proxy`, you can use `kubectl port-forward` and access dashboard with simpler URL than using `kubectl proxy`. - -``` -kube@minikube:~$ kubectl port-forward -n kubernetes-dashboard service/kubernetes-dashboard 10443:443 -Forwarding from 127.0.0.1:10443 -> 8443 -``` - -## NodePort - -This way of accessing Dashboard is only recommended for development environments in a single node setup. - -Edit `kubernetes-dashboard` service. - -``` -$ kubectl -n kubernetes-dashboard edit service kubernetes-dashboard -``` - -You should see `yaml` representation of the service. Change `type: ClusterIP` to `type: NodePort` and save file. If it's already changed go to next step. - -``` -# Please edit the object below. Lines beginning with a '#' will be ignored, -# and an empty file will abort the edit. If an error occurs while saving this file will be -# reopened with the relevant failures. -# -apiVersion: v1 -... - name: kubernetes-dashboard - namespace: kubernetes-dashboard - resourceVersion: "343478" - selfLink: /api/v1/namespaces/kubernetes-dashboard/services/kubernetes-dashboard - uid: 8e48f478-993d-11e7-87e0-901b0e532516 -spec: - clusterIP: 10.100.124.90 - externalTrafficPolicy: Cluster - ports: - - port: 443 - protocol: TCP - targetPort: 8443 - selector: - k8s-app: kubernetes-dashboard - sessionAffinity: None - type: ClusterIP -status: - loadBalancer: {} -``` - -Next we need to check port on which Dashboard was exposed. - -``` -$ kubectl -n kubernetes-dashboard get service kubernetes-dashboard -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -kubernetes-dashboard NodePort 10.100.124.90 443:31707/TCP 21h -``` - -Dashboard has been exposed on port `31707 (HTTPS)`. Now you can access it from your browser at: `https://:31707`. `master-ip` can be found by executing `kubectl cluster-info`. 
Usually it is either `127.0.0.1` or IP of your machine, assuming that your cluster is running directly on the machine, on which these commands are executed. - -In case you are trying to expose Dashboard using `NodePort` on a multi-node cluster, then you have to find out IP of the node on which Dashboard is running to access it. Instead of accessing `https://:` you should access `https://:`. - -## API Server - -In case Kubernetes API server is exposed and accessible from outside you can directly access dashboard at: `https://:/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/` - -**Note:** This way of accessing Dashboard is only possible if you choose to install your user certificates in the browser. In example certificates used by kubeconfig file to contact API Server can be used. - -## Ingress - -Dashboard can be also exposed using Ingress resource. For more information check: https://kubernetes.io/docs/concepts/services-networking/ingress. - ----- -_Copyright 2019 [The Kubernetes Dashboard Authors](https://github.com/kubernetes/dashboard/graphs/contributors)_ diff --git a/docs/user/accessing-dashboard/README.md b/docs/user/accessing-dashboard/README.md index f534cfc42c1a..afca827c1aa5 100644 --- a/docs/user/accessing-dashboard/README.md +++ b/docs/user/accessing-dashboard/README.md 
@@ -1,11 +1,126 @@ # Accessing Dashboard -Once Dashboard is installed on your cluster it can be accessed in a few different ways. Note that this document does not describe all possible ways of accessing cluster applications. In case of any error while trying to access Dashboard, please first read our [FAQ](../../common/faq.md) and check [closed issues](https://github.com/kubernetes/dashboard/issues?q=is%3Aissue+is%3Aclosed). In most cases errors are caused by cluster configuration issues. +Once Dashboard has been installed in your cluster it can be accessed in a few different ways. Note that this document does not describe all possible ways of accessing cluster applications. +In case of any error while trying to access Dashboard, please first read our [FAQ](../../common/faq.md) and check [closed issues](https://github.com/kubernetes/dashboard/issues?q=is%3Aissue+is%3Aclosed). +In most cases errors are caused by cluster configuration issues. -Choose version of Dashboard you are using to get information about how to access it: +## Introduction +This document only describes the basic ways of accessing Kubernetes Dashboard [Recommended Setup](../installation.md#recommended-setup) deployment. It will also work if you have used recommended setup +with your custom certificates. If you have decided to follow the [Alternative Setup](../installation.md#alternative-setup) path, then the only difference is that instead of exposing Dashboard over HTTPS, it is exposed over HTTP by default. +As the alternative setup is recommended for advanced users only, we'll not describe in detail how to use it here. -* [1.7.x and above](1.7.x-and-above.md) -* [1.6.x and below](1.6.x-and-below.md) +## `kubectl proxy` + +`kubectl proxy` creates a proxy server between your machine and Kubernetes API server. By default, it is only accessible locally (from the machine that started it). + +First let's check if `kubectl` is properly configured and has access to the cluster. 
In case of error follow [this guide](https://kubernetes.io/docs/tasks/tools/install-kubectl/) to install and set up `kubectl`. + +``` +$ kubectl cluster-info +# Example output +Kubernetes master is running at https://192.168.30.148:6443 +KubeDNS is running at https://192.168.30.148:6443/api/v1/namespaces/kube-system/services/kube-dns/proxy + +To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'. +``` + +Start local proxy server. + +``` +$ kubectl proxy +Starting to serve on 127.0.0.1:8001 +``` + +Once the proxy server has been started you should be able to access Dashboard from your browser. + +To access the HTTPS endpoint of dashboard go to: +```bash +http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/ +``` + +## `kubectl port-forward` + +Instead of `kubectl proxy`, you can use `kubectl port-forward` and access dashboard with simpler URL than using `kubectl proxy`. + +```bash +$ kubectl port-forward -n kubernetes-dashboard service/kubernetes-dashboard 8080:443 +``` + +To access Kubernetes Dashboard go to: +```bash +https://localhost:8080 +``` + +## NodePort + +This way of accessing Dashboard is only recommended for development environments in a single node setup. + +Edit `kubernetes-dashboard` service. + +``` +$ kubectl -n kubernetes-dashboard edit service kubernetes-dashboard +``` + +You should see `yaml` representation of the service. Change `type: ClusterIP` to `type: NodePort` and save file. If it's already changed go to next step. + +``` +# Please edit the object below. Lines beginning with a '#' will be ignored, +# and an empty file will abort the edit. If an error occurs while saving this file will be +# reopened with the relevant failures. +# +apiVersion: v1 +... 
+ name: kubernetes-dashboard + namespace: kubernetes-dashboard + resourceVersion: "343478" + selfLink: /api/v1/namespaces/kubernetes-dashboard/services/kubernetes-dashboard + uid: 8e48f478-993d-11e7-87e0-901b0e532516 +spec: + clusterIP: 10.100.124.90 + externalTrafficPolicy: Cluster + ports: + - port: 443 + protocol: TCP + targetPort: 8443 + selector: + k8s-app: kubernetes-dashboard + sessionAffinity: None + type: ClusterIP +status: + loadBalancer: {} +``` + +Next we need to check port on which Dashboard was exposed. + +``` +$ kubectl -n kubernetes-dashboard get service kubernetes-dashboard +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +kubernetes-dashboard NodePort 10.100.124.90 443:31707/TCP 21h +``` + +Dashboard has been exposed on port `31707 (HTTPS)`. Now you can access it from your browser at: `https://:31707`. `master-ip` can be found by executing `kubectl cluster-info`. Usually it is either `127.0.0.1` or IP of your machine, assuming that your cluster is running directly on the machine, on which these commands are executed. + +In case you are trying to expose Dashboard using `NodePort` on a multi-node cluster, then you have to find out IP of the node on which Dashboard is running to access it. Instead of accessing `https://:` you should access `https://:`. + +## API Server + +In case Kubernetes API server is exposed and accessible from outside you can directly access dashboard at: `https://:/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/` + +**Note:** This way of accessing Dashboard is only possible if you choose to install your user certificates in the browser. In example, certificates used by the kubeconfig file to contact API Server can be used. + +## Ingress + +Dashboard can be also exposed using Ingress resource. For more information check: https://kubernetes.io/docs/concepts/services-networking/ingress. 
+ +## Login not available +If your login view displays below error, this means that you are trying to log in over HTTP and it has been disabled for the security reasons. + +Logging in is available only if URL used to access Dashboard starts with: + - `http://localhost/...` + - `http://127.0.0.1/...` + - `https:///...` + +![Login disabled](../images/dashboard-login-disabled.png "Login disabled") ---- _Copyright 2019 [The Kubernetes Dashboard Authors](https://github.com/kubernetes/dashboard/graphs/contributors)_ diff --git a/docs/user/images/dashboard-login-disabled.png b/docs/user/images/dashboard-login-disabled.png new file mode 100644 index 000000000000..a331406ad820 Binary files /dev/null and b/docs/user/images/dashboard-login-disabled.png differ diff --git a/docs/user/installation.md b/docs/user/installation.md index fb64896db246..d747900c14d8 100644 --- a/docs/user/installation.md +++ b/docs/user/installation.md @@ -1,9 +1,5 @@ -# Installation - ## Official release -**IMPORTANT:** Before upgrading from older version of Dashboard to 1.7+ make sure to delete Cluster Role Binding for `kubernetes-dashboard` Service Account, otherwise Dashboard will have full admin access to the cluster. - ### Quick setup The fastest way of deploying Dashboard has been described in our [README](../../README.md). It is destined for people that are new to Kubernetes and want to quickly start using Dashboard. Other possible setups for more experienced users, that want to know more about our deployment procedure can be found below. diff --git a/i18n/de/messages.de.xlf b/i18n/de/messages.de.xlf index 6ab47301fe71..78940f2cadca 100644 --- a/i18n/de/messages.de.xlf +++ b/i18n/de/messages.de.xlf 
@@ -3117,6 +3117,24 @@ 99 + + + Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost. Read more + + here + . + + + Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost. Read more + + here + . + + + ../src/app/frontend/login/template.html + 109 + + Sign in @@ -3126,7 +3144,7 @@ ../src/app/frontend/login/template.html - 120 + 125 @@ -3138,7 +3156,7 @@ ../src/app/frontend/login/template.html - 129 + 134 diff --git a/i18n/fr/messages.fr.xlf b/i18n/fr/messages.fr.xlf index cae594cfb230..d35864cbe257 100644 --- a/i18n/fr/messages.fr.xlf +++ b/i18n/fr/messages.fr.xlf @@ -3127,6 +3127,24 @@ 99 + + + Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost. Read more + + here + . + + + Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost. Read more + + here + . + + + ../src/app/frontend/login/template.html + 109 + + Sign in @@ -3136,7 +3154,7 @@ ../src/app/frontend/login/template.html - 120 + 125 @@ -3148,7 +3166,7 @@ ../src/app/frontend/login/template.html - 129 + 134 diff --git a/i18n/ja/messages.ja.xlf b/i18n/ja/messages.ja.xlf index 4f3da486c351..ac0fb12186e6 100644 --- a/i18n/ja/messages.ja.xlf +++ b/i18n/ja/messages.ja.xlf @@ -2890,6 +2890,24 @@ 99 + + + Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost. Read more + + here + . + + + Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost. Read more + + here + . + + + ../src/app/frontend/login/template.html + 109 + + Sign in @@ -2897,7 +2915,7 @@ サインイン ../src/app/frontend/login/template.html - 120 + 125 @@ -2907,7 +2925,7 @@ スキップ ../src/app/frontend/login/template.html - 129 + 134 
diff --git a/i18n/ko/messages.ko.xlf b/i18n/ko/messages.ko.xlf index ecc01bf45ca8..be09a5a5e082 100644 --- a/i18n/ko/messages.ko.xlf +++ b/i18n/ko/messages.ko.xlf @@ -2948,6 +2948,24 @@ 99 + + + Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost. Read more + + here + . + + + Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost. Read more + + here + . + + + ../src/app/frontend/login/template.html + 109 + + Sign in @@ -2957,7 +2975,7 @@ ../src/app/frontend/login/template.html - 120 + 125 @@ -2969,7 +2987,7 @@ ../src/app/frontend/login/template.html - 129 + 134 diff --git a/i18n/messages.xlf b/i18n/messages.xlf index ed9b4646df28..4f7a21d12ff0 100644 --- a/i18n/messages.xlf +++ b/i18n/messages.xlf @@ -4570,13 +4570,25 @@ 99 + + + Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost. Read more + + here + . + + + ../src/app/frontend/login/template.html + 109 + + Sign in ../src/app/frontend/login/template.html - 120 + 125 @@ -4585,7 +4597,7 @@ ../src/app/frontend/login/template.html - 129 + 134 diff --git a/i18n/zh-Hans/messages.zh-Hans.xlf b/i18n/zh-Hans/messages.zh-Hans.xlf index ca36737c09a8..238277f8d0d7 100644 --- a/i18n/zh-Hans/messages.zh-Hans.xlf +++ b/i18n/zh-Hans/messages.zh-Hans.xlf @@ -2948,6 +2948,24 @@ 99 + + + Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost. Read more + + here + . + + + Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost. Read more + + here + . + + + ../src/app/frontend/login/template.html + 109 + + Sign in @@ -2957,7 +2975,7 @@ ../src/app/frontend/login/template.html - 120 + 125 @@ -2969,7 +2987,7 @@ ../src/app/frontend/login/template.html - 129 + 134 
diff --git a/i18n/zh-Hant-HK/messages.zh-Hant-HK.xlf b/i18n/zh-Hant-HK/messages.zh-Hant-HK.xlf index 7418b3239e0c..75c3d4f26d2c 100644 --- a/i18n/zh-Hant-HK/messages.zh-Hant-HK.xlf +++ b/i18n/zh-Hant-HK/messages.zh-Hant-HK.xlf @@ -2952,6 +2952,24 @@ 99 + + + Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost. Read more + + here + . + + + Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost. Read more + + here + . + + + ../src/app/frontend/login/template.html + 109 + + Sign in @@ -2961,7 +2979,7 @@ ../src/app/frontend/login/template.html - 120 + 125 @@ -2973,7 +2991,7 @@ ../src/app/frontend/login/template.html - 129 + 134 diff --git a/i18n/zh-Hant/messages.zh-Hant.xlf b/i18n/zh-Hant/messages.zh-Hant.xlf index 67f48a3efdeb..4fe57043122a 100644 --- a/i18n/zh-Hant/messages.zh-Hant.xlf +++ b/i18n/zh-Hant/messages.zh-Hant.xlf @@ -2952,6 +2952,24 @@ 99 + + + Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost. Read more + + here + . + + + Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost. Read more + + here + . + + + ../src/app/frontend/login/template.html + 109 + + Sign in @@ -2961,7 +2979,7 @@ ../src/app/frontend/login/template.html - 120 + 125 @@ -2973,7 +2991,7 @@ ../src/app/frontend/login/template.html - 129 + 134 diff --git a/src/app/frontend/common/services/global/authentication.ts b/src/app/frontend/common/services/global/authentication.ts index f59a5f68c0b5..21d54d2e0009 100644 --- a/src/app/frontend/common/services/global/authentication.ts +++ b/src/app/frontend/common/services/global/authentication.ts 
@@ -34,6 +34,14 @@ import {KdStateService} from './state';
 export class AuthService {
 private readonly _config = CONFIG;
 
+ get allowedProtocol(): string {
+ return 'https';
+ }
+
+ get domainWhitelist(): string[] {
+ return ['localhost', '127.0.0.1'];
+ }
+
 constructor(
 private readonly cookies_: CookieService,
 private readonly router_: Router,
diff --git a/src/app/frontend/login/component.spec.ts b/src/app/frontend/login/component.spec.ts
index 82b03933b76a..f90b0c3ff552 100644
--- a/src/app/frontend/login/component.spec.ts
+++ b/src/app/frontend/login/component.spec.ts
@@ -64,6 +64,14 @@ class MockAuthService {
 }
 
 skipLoginPage(): void {}
+
+ get allowedProtocol(): string {
+ return 'https';
+ }
+
+ get domainWhitelist(): string[] {
+ return ['localhost', '127.0.0.1'];
+ }
 }
 
 class MockRouter {
diff --git a/src/app/frontend/login/component.ts b/src/app/frontend/login/component.ts
index 5ce2cf6e0e5d..5f98f22cbc8b 100644
--- a/src/app/frontend/login/component.ts
+++ b/src/app/frontend/login/component.ts
@@ -116,6 +116,12 @@ export class LoginComponent implements OnInit {
 return this.isLoginSkippable_;
 }
 
+ isLoginEnabled(): boolean {
+ return this.authService_.domainWhitelist.indexOf(location.hostname) > -1
+ ? true
+ : location.protocol === this.authService_.allowedProtocol;
+ }
+
 onChange(event: Event & KdFile): void {
 switch (this.selectedAuthenticationMode) {
 case LoginModes.Kubeconfig:
diff --git a/src/app/frontend/login/template.html b/src/app/frontend/login/template.html
index 77eb5db4b194..47122760d7dc 100644
--- a/src/app/frontend/login/template.html
+++ b/src/app/frontend/login/template.html
@@ -100,15 +100,19 @@ i18n-label (onLoad)="onChange($event)"> - + +
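Review bot: `allowedProtocol` returns `'https'` without a trailing colon, but `Location.protocol` (which the new `isLoginEnabled()` in the `login/component.ts` hunk compares it against) always carries one, so `location.protocol === this.authService_.allowedProtocol` can never be true and sign-in would stay disabled on every HTTPS origin that is not in `domainWhitelist`. Either return `'https:'` here or append the colon at the comparison site; the `MockAuthService` getter added in the `component.spec.ts` hunk mirrors the same value rather than exercising the comparison, so the spec will not catch the mismatch and should be adjusted in step. Both getters also allocate fresh literals on every access; a constant field such as `readonly domainWhitelist: readonly string[] = ['localhost', '127.0.0.1'];` would state the intent more directly. The enclosing `AuthService` class continues on both sides of the hunk.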
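Review bot: The `cond ? true : expr` form in `isLoginEnabled()` is a boolean `||` spelled out, and `indexOf(...) > -1` has an idiomatic replacement, so the body reads more plainly as `return this.authService_.domainWhitelist.includes(location.hostname) || location.protocol === this.authService_.allowedProtocol;` (assuming the project's lib target provides `Array.prototype.includes`). Since this method decides whether the sign-in controls are offered at all, a one-line doc comment such as `/** Sign-in is offered only on loopback hosts or when the page was served over the allowed protocol. */` would make the policy readable from the template without opening the service. `LoginComponent` continues on both sides of the hunk.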