New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update Dashboard addon to version 1.8.0 and align /ui redirect with it #53046
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
labels: | ||
k8s-app: kubernetes-dashboard | ||
# Allows editing resource and makes sure it is created first. | ||
addonmanager.kubernetes.io/mode: EnsureExists | ||
name: kubernetes-dashboard-settings | ||
namespace: kube-system |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
kind: Role | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
labels: | ||
k8s-app: kubernetes-dashboard | ||
addonmanager.kubernetes.io/mode: Reconcile | ||
name: kubernetes-dashboard-minimal | ||
namespace: kube-system | ||
rules: | ||
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret. | ||
- apiGroups: [""] | ||
resources: ["secrets"] | ||
verbs: ["create"] | ||
# Allow Dashboard to get, update and delete Dashboard exclusive secrets. | ||
- apiGroups: [""] | ||
resources: ["secrets"] | ||
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"] | ||
verbs: ["get", "update", "delete"] | ||
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. | ||
- apiGroups: [""] | ||
resources: ["configmaps"] | ||
resourceNames: ["kubernetes-dashboard-settings"] | ||
verbs: ["get", "update"] | ||
# Allow Dashboard to get metrics from heapster. | ||
- apiGroups: [""] | ||
resources: ["services"] | ||
resourceNames: ["heapster"] | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. do you need There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. if you want to support connecting to a secured Heapster, then yes, you explicitly need There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. opened kubernetes/dashboard#2622 to switch to service subresource and add policy for protocol-specific heapster calls There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't think this blocks this PR, though There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Current version of Dashboard does not support connecting to secured Heapster. This can stay as it is. |
||
verbs: ["proxy"] | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: kubernetes-dashboard-minimal | ||
namespace: kube-system | ||
labels: | ||
k8s-app: kubernetes-dashboard | ||
addonmanager.kubernetes.io/mode: Reconcile | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: kubernetes-dashboard-minimal | ||
subjects: | ||
- kind: ServiceAccount | ||
name: kubernetes-dashboard | ||
namespace: kube-system |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
labels: | ||
k8s-app: kubernetes-dashboard | ||
# Allows editing resource and makes sure it is created first. | ||
addonmanager.kubernetes.io/mode: EnsureExists | ||
name: kubernetes-dashboard-certs | ||
namespace: kube-system | ||
type: Opaque |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -11,5 +11,5 @@ spec: | |
selector: | ||
k8s-app: kubernetes-dashboard | ||
ports: | ||
- port: 80 | ||
targetPort: 9090 | ||
- port: 443 | ||
targetPort: 8443 |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -22,7 +22,7 @@ import ( | |
"k8s.io/apiserver/pkg/server/mux" | ||
) | ||
|
||
const dashboardPath = "/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy" | ||
const dashboardPath = "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. there's no guarantee that the dashboard was deployed using the addon manifest... see discussion in #53766 and #56074 (comment) about why this should be removed, not perpetuated. Hardcoding a different value here does not make it more wrong, but also does not make it more correct. I still intend to include deprecation notes in 1.9 for the /ui redirect, sweep and remove references to it, and remove it in a future version. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @liggitt I can understand it. Can we update it just before to make it work or should it be kept broken?
I agree. We try to use HTTPS setup everywhere as recommended one. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. +1 to removing this, but I don't think it should block this PR. Can we release note that it will be going away in 1.10 and make this change for 1.9? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
That seems ok. Something like this?
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Done. |
||
|
||
// UIRedirect redirects /ui to the kube-ui proxy path. | ||
type UIRedirect struct{} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a reason not to create the
kubernetes-dashboard-key-holder
secret via manifest withEnsureExists
? wouldn't that remove the need for the dashboard to create the secret (it could just get/update the specifically named secrets)?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In this case it should work as addon manager will manage it. Normally, without this permission if secret would not exist Dashboard would not be able to start.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@floreks can the
kubernetes-dashboard-key-holder
be created empty via manifest, and this create permission removed? will the dashboard populate the empty secret?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately not. If empty secret is found then it will be deleted and during next resync period it is recreated from local copy.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that's unfortunate. this is ok for now, but I'd like to see that switch to an update and this permission get removed in a future update. can you open an issue for that and link it here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What in case dashboard won't be able to recreate it and someone deletes required secret? It will crash Dashboard for good until secret is restored. This would only work in case secret is managed by addon manager.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
from the dashboard's perspective, if it's missing, creating seems ok. if it's empty, I'd expect population via update.
from this manifest's perspective, I'd rather not give secret create permission in the kube-system namespace
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes sense. I have created issue for that kubernetes/dashboard#2629