Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dashboard login not authorized while --enable-insecure-login and protocolHttp options are set to true #5612

Closed
kn0wl3dge opened this issue Oct 8, 2020 · 3 comments
Closed

Dashboard login not authorized while --enable-insecure-login and protocolHttp options are set to true #5612

kn0wl3dge opened this issue Oct 8, 2020 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@kn0wl3dge
Copy link

Environment

I am building a kubernetes cluster composed of one master and two workers nodes using OpenSuse Kubic distro.

Installation method: Helm Chart (kubernetes-dashboard-2.8.1)
Kubernetes version: v1.19.2
Dashboard version: v2.0.4
Operating system: Opensuse Kubic
Node.js version ('node --version' output): Not Installed
Go version ('go version' output): Not Installed
Steps to reproduce

Create a values.yaml file containing the following lines :

protocolHttp: true
extraArgs:
  - --enable-insecure-login=true
ingress:
  enabled: true
  path: /
  host: dashboard.kn0wledge.lan

Deploy the dashboard using helm :

helm install k8s-dashboard kubernetes-dashboard/kubernetes-dashboard \
	--namespace kubernetes-dashboard \
	-f values.yaml
Observed result

Kubectl results :

master-01:~ # kubectl get pods -n kubernetes-dashboard
NAME                                                  READY   STATUS    RESTARTS   AGE
k8s-dashboard-kubernetes-dashboard-7d75c67879-kr89x   1/1     Running   0          17h
master-01:~ # kubectl describe pods -n kubernetes-dashboard
Name:         k8s-dashboard-kubernetes-dashboard-7d75c67879-kr89x
Namespace:    kubernetes-dashboard
Priority:     0
Node:         worker-02/192.168.0.62
Start Time:   Wed, 07 Oct 2020 23:27:08 +0000
Labels:       app.kubernetes.io/component=kubernetes-dashboard
              app.kubernetes.io/instance=k8s-dashboard
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=kubernetes-dashboard
              app.kubernetes.io/version=2.0.4
              helm.sh/chart=kubernetes-dashboard-2.8.1
              pod-template-hash=7d75c67879
Annotations:  seccomp.security.alpha.kubernetes.io/pod: runtime/default
Status:       Running
IP:           10.40.0.4
IPs:
  IP:           10.40.0.4
Controlled By:  ReplicaSet/k8s-dashboard-kubernetes-dashboard-7d75c67879
Containers:
  kubernetes-dashboard:
    Container ID:  cri-o://1bf0b7f78e9df5a80006368dd2935763da2732f31e3220161f2589d0b477db83
    Image:         kubernetesui/dashboard:v2.0.4
    Image ID:      docker.io/kubernetesui/dashboard@sha256:23f11302695679d55ae7342a5ce89ff5cf636ccebf59b866325b092197938dbe
    Port:          9090/TCP
    Host Port:     0/TCP
    Args:
      --namespace=kubernetes-dashboard
      --enable-insecure-login=true
    State:          Running
      Started:      Thu, 08 Oct 2020 03:33:00 +0000
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     2
      memory:  200Mi
    Requests:
      cpu:        100m
      memory:     200Mi
    Liveness:     http-get http://:9090/ delay=30s timeout=30s period=10s #success=1 #failure=3
    Environment:  <none>
    Mounts:
      /certs from kubernetes-dashboard-certs (rw)
      /tmp from tmp-volume (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from k8s-dashboard-kubernetes-dashboard-token-rbm7v (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  kubernetes-dashboard-certs:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  k8s-dashboard-kubernetes-dashboard-certs
    Optional:    false
  tmp-volume:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  k8s-dashboard-kubernetes-dashboard-token-rbm7v:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  k8s-dashboard-kubernetes-dashboard-token-rbm7v
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:          <none>

Message obtained while accessing dashboard.kn0wledge.lan

Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost. Read more here .
Expected result

I should be able to login to the dashboard as the "--enable-insecure-login" and "protocolHttp" options are set to true.

Comments

I'm not able to login through the k8s dashboard in HTTP with the "--enable-insecure-login" and "protocolHttp" options enabled.
I also tried juste setting "--enable-insecure-login" instead of "--enable-insecure-login=true" in extravalues.
Enabling the skip login option did not work neither.

Thanks for your time.
@kn0wl3dge kn0wl3dge added the kind/bug Categorizes issue or PR as related to a bug. label Oct 8, 2020
@floreks
Copy link
Member

floreks commented Oct 8, 2020

@kn0wl3dge
Dashboard arguments
image

It does not say that you will be allowed to log in over HTTP. It only says that when Dashboard is not served over HTTPS the login screen will still be enabled. Sign-in will always be restricted to HTTP(S) + localhost or HTTPS and external domains as described in the error message that you see on the login screen.

This argument is for people that want to use reverse OAuth proxy as a user-facing part so that Dashboard can run on HTTP, but the proxy will still expose it over HTTPS in the end. Everything works correctly here.

/close

@k8s-ci-robot
Copy link
Contributor

@floreks: Closing this issue.

In response to this:

@kn0wl3dge
Dashboard arguments
image

It does not say that you will be allowed to log in over HTTP. It only says that when Dashboard is not served over HTTPS the login screen will still be enabled. Sign-in will always be restricted to HTTP(S) + localhost or HTTPS and external domains as described in the error message that you see on the login screen.

This argument is for people that want to use reverse OAuth proxy as a user-facing part so that Dashboard can run on HTTP, but the proxy will still expose it over HTTPS in the end. Everything works correctly here.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@shibumi
Copy link

shibumi commented Jan 6, 2021

@floreks wouldn't it make sense to rename the arg then? I ran into the same issue and in my opinion the argument has the wrong name. enable insecure login sounds for me like I am able to login over plain HTTP.

What the argument is actually doing: enable login view, even if the dashboard is served over HTTP.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@floreks @shibumi @kn0wl3dge @k8s-ci-robot