
Add error dialog when user tries to login with kubectl proxy to some other address (not localhost) #2580

Open
Theoooooo opened this issue Nov 15, 2017 · 12 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments

@Theoooooo

Hi,
Dashboard is used inside my Kubernetes cluster.
Everything is working in my cluster and I'm accessing my dashboard with the kubectl proxy command.
I want to create a new serviceaccount to access my dashboard without granting full access to the kubernetes-dashboard user, which is not secure at all.

Steps to reproduce

I create a new service account and grant it full access to the cluster.
When I'm going to the dashboard login menu, I enter the token of my serviceaccount and click on "Sign In". But nothing happened. And I don't have any error. So I suppose the token is valid and the UI recognises the token. But the authentication is not going further.

Observed result

I can't login with my token. Nothing happened.

I'm stuck for the moment. I will update if I find something.

@maciaszczykm
Member

Check #2540 (comment).

@floreks Are we able to display some kind of dialog here?

@Theoooooo
Author

@maciaszczykm
How to? ^^
I'm not a confirmed user in Kubernetes.

@Theoooooo
Author

Theoooooo commented Nov 15, 2017

@maciaszczykm Ha, I found it. Here it is. I tried to log in 2 times with my token here. It's a bit messy, sorry ^^ (PS: it's a token from the serviceaccount I created)

```
2017/11/14 05:13:44 [2017-11-14T05:13:44Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/login request from 172.16.56.4:41578: {}
2017/11/14 05:13:44 [2017-11-14T05:13:44Z] Outcoming response to 172.16.56.4:41578 with 200 status code
2017/11/14 05:13:44 [2017-11-14T05:13:44Z] Incoming HTTP/2.0 POST /api/v1/login request from 172.16.56.4:41578: { "kubeConfig": "", "password": "", "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRoZW8tYWRtbi10b2tlbi0yZ3o0bSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ0aGVvLWFkbW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIzNDk1MjdiYi1jOGZhLTExZTctYWYyNC0wMDUwNTY5OTUxOWEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDp0aGVvLWFkbW4ifQ.PCRSH5YXwd0AXAoFLpnQfCNJTvtZqGvuwEa_lRI9pdz8fOse0SzkG4yaUzP51V1MM40zdwMtyMvMag-CgZsu0l0wqxmqBn3_pOzDOx1ksg6FKR3lplimaIqhdoYx7encz6Rog60LqdxJFSuSz2bGKfnL4KzSKDG2J9Wq3M850PNRG9pY4t8t0Iwa6uKTGXBDOK_chGN9zrRx6uEu9ou6NchHV8lRWxDaUs4vbgbPlLgo9zyR8EDYOVl0Knk9hw-OCY0-MgYk8-lY7UJsxEeHS6i6bXgnOa7xZo2VKpl5Y_PkUO3O71B3NZz5lo4_troy4kk-0vaHekCC9XcmusWVIQ", "username": "" }
2017/11/14 05:13:44 [2017-11-14T05:13:44Z] Outcoming response to 172.16.56.4:41578 with 200 status code
2017/11/14 05:13:44 [2017-11-14T05:13:44Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 172.16.56.4:41578: {}
2017/11/14 05:13:44 [2017-11-14T05:13:44Z] Outcoming response to 172.16.56.4:41578 with 200 status code
2017/11/14 05:13:45 [2017-11-14T05:13:45Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/login request from 172.16.56.4:41578: {}
2017/11/14 05:13:45 [2017-11-14T05:13:45Z] Outcoming response to 172.16.56.4:41578 with 200 status code
2017/11/14 05:13:45 [2017-11-14T05:13:45Z] Incoming HTTP/2.0 POST /api/v1/login request from 172.16.56.4:41578: { "kubeConfig": "", "password": "", "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRoZW8tYWRtbi10b2tlbi0yZ3o0bSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ0aGVvLWFkbW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIzNDk1MjdiYi1jOGZhLTExZTctYWYyNC0wMDUwNTY5OTUxOWEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDp0aGVvLWFkbW4ifQ.PCRSH5YXwd0AXAoFLpnQfCNJTvtZqGvuwEa_lRI9pdz8fOse0SzkG4yaUzP51V1MM40zdwMtyMvMag-CgZsu0l0wqxmqBn3_pOzDOx1ksg6FKR3lplimaIqhdoYx7encz6Rog60LqdxJFSuSz2bGKfnL4KzSKDG2J9Wq3M850PNRG9pY4t8t0Iwa6uKTGXBDOK_chGN9zrRx6uEu9ou6NchHV8lRWxDaUs4vbgbPlLgo9zyR8EDYOVl0Knk9hw-OCY0-MgYk8-lY7UJsxEeHS6i6bXgnOa7xZo2VKpl5Y_PkUO3O71B3NZz5lo4_troy4kk-0vaHekCC9XcmusWVIQ", "username": "" }
2017/11/14 05:13:45 [2017-11-14T05:13:45Z] Outcoming response to 172.16.56.4:41578 with 200 status code
2017/11/14 05:13:45 [2017-11-14T05:13:45Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 172.16.56.4:41578: {}
2017/11/14 05:13:45 [2017-11-14T05:13:45Z] Outcoming response to 172.16.56.4:41578 with 200 status code
```

@Theoooooo
Author

Theoooooo commented Nov 15, 2017

I also granted ClusterRole cluster-admin to my serviceaccount to access the cluster (if it's the right way to do it):

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: theo-admin
  labels:
    k8s-app: theo-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: theo-admin
    namespace: default
```

@Theoooooo
Author

Theoooooo commented Nov 15, 2017

@maciaszczykm
OK, I just read the #2540 (comment).
The fact is I can't access my dashboard with HTTPS. I get SSL_ERROR_RX_RECORD_TOO_LONG every time and I don't know how to access my dashboard without a kubectl proxy. My dashboard is a pod inside my master server. I can't expose it on the outside because it's not a service.

I'm just stuck here.

@floreks
Member

floreks commented Nov 15, 2017

> @floreks Are we able to display some kind of dialog here?

Probably. This code prevents you from logging in.

@Theoooooo Exposing Dashboard publicly using `kubectl proxy --address` is usually not a good idea. That is why we are blocking this. You can run `kubectl proxy` and access Dashboard at the localhost:8001/... domain.

@Theoooooo
Author

@floreks How can I access this code? I have no idea :/

@floreks
Member

floreks commented Nov 16, 2017

@Theoooooo You have to expose (using `kubectl proxy`) and access Dashboard locally (localhost or 127.0.0.1 domain). We will add an info dialog that will explain why this is blocked when a user tries to access it in a non-secure way.

@maciaszczykm maciaszczykm changed the title Can't login with serviceaccount token to the dashboard Add error dialog when user tries to login with kubectl proxy to some other address (not localhost) Nov 16, 2017
@Theoooooo
Author

@floreks
But can I access this code and modify this value myself? I don't really want to be on the local computer to connect with serviceaccount tokens. Maybe I need to find another way with a bearer token.

@floreks
Member

floreks commented Nov 20, 2017

https://github.com/kubernetes/dashboard/wiki/Getting-started

You can build and deploy your own version of Dashboard. We do not support accessing Dashboard in a non-secure way (via login page).

@floreks floreks closed this as completed Nov 20, 2017
@floreks floreks reopened this Nov 20, 2017
@xychu

xychu commented Nov 24, 2017

@floreks Or could we add one config option for this?

@floreks
Member

floreks commented Nov 28, 2017

I'd rather not do this as it is not secure. Traffic from another device to the device that exposes the API using `kubectl proxy -address xxx` will be unencrypted and easy to hijack. It's a security risk.

We can add a dialog to inform the user why this is not possible.
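The rule floreks describes (the login endpoint only serves a browser that reached Dashboard over HTTPS or through a plain `kubectl proxy` on localhost) and the explanatory error the thread proposes, as an added example that is not the dashboard's own code: a small Go middleware in front of a login handler. Everything here is an assumption made for illustration: the function names, the `fakeLogin` stand-in, the JSON error shape, the dialog message text and the sample hostnames (the 172.16.56.4 address is the one from the log above). The example goes slightly beyond the thread by also accepting `::1` and any 127.0.0.0/8 address, not just the literal `localhost` and `127.0.0.1`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Message the frontend would show in the error dialog. Constructed for this example.
const loginBlockedMessage = "Login is only allowed over HTTPS or via kubectl proxy on localhost: " +
	"a proxy bound to any other address carries your token in cleartext."

// isLocalHost reports whether the Host header (with or without a port) names
// the loopback interface: "localhost", any 127.0.0.0/8 address, or ::1.
func isLocalHost(hostHeader string) bool {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h // "127.0.0.1:8001" -> "127.0.0.1", "[::1]:8001" -> "::1"
	}
	host = strings.TrimSuffix(strings.TrimPrefix(host, "["), "]") // bare "[::1]" without port
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// loginAllowed is the rule itself: the request arrived over TLS, or the
// browser addressed the loopback host (what a plain `kubectl proxy` gives you).
func loginAllowed(r *http.Request) bool {
	return r.TLS != nil || isLocalHost(r.Host)
}

// loginGuard wraps the login handler. A refused request gets a 403 with a
// JSON body the frontend can render as the dialog, instead of the silent
// no-op the issue reporter observed.
func loginGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !loginAllowed(r) {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusForbidden)
			_ = json.NewEncoder(w).Encode(map[string]string{
				"error":   "insecure_login_blocked",
				"message": loginBlockedMessage,
			})
			return
		}
		next.ServeHTTP(w, r)
	})
}

// fakeLogin is a hypothetical stand-in for the real login handler.
func fakeLogin(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write([]byte(`{"ok":true}`))
}

// tryLogin drives the guarded handler in-process with a constructed POST and
// returns the status code. httptest.NewRequest sets req.TLS for https:// URLs,
// which is how the "exposed over HTTPS" case is simulated here.
func tryLogin(url string) int {
	req := httptest.NewRequest(http.MethodPost, url, strings.NewReader(`{"token":"<sa-token>"}`))
	rr := httptest.NewRecorder()
	loginGuard(http.HandlerFunc(fakeLogin)).ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	for _, url := range []string{
		"http://localhost:8001/api/v1/login",                 // kubectl proxy, browser on the same machine
		"http://127.0.0.1:8001/api/v1/login",                 // same, by address
		"http://172.16.56.4:8001/api/v1/login",               // kubectl proxy --address reached from another host
		"https://dashboard.example.internal/api/v1/login",    // Dashboard exposed over HTTPS
	} {
		fmt.Printf("%-50s -> %d\n", url, tryLogin(url))
	}
}
```

The guard trusts the `Host` header, which is the same signal a browser-side check would use; what makes it meaningful is that a browser can only put `localhost` there when it is talking to a proxy on the user's own machine, so the token never leaves that machine unencrypted. A 403 with a structured body is what turns the reporter's "nothing happened" into an actionable dialog.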

@maciaszczykm maciaszczykm added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. labels Feb 27, 2018
@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. and removed kind/enhancement labels Jun 5, 2018