Enable Access for Kubernetes Dashboard via external VIP or Floating IP

2
votes

I have a Kubernetes Cluster setup with below topology

I have deployed Kubernetes Dashboard on the cluster and able to access dashboard with kubectl proxy.

But when I try to access the Dashboard via Floating IP/VIP using the URL:

https://<FloatingIP>:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login

I end up with the below response on the browser

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}

I do understand that the issue is because of RBAC on Kubernetes and did some reading around this topic, but I am still unclear with what needs to be done to resolve this issue on a master clustered implementation. I was able to expose Dashboard successfully on a single master - multiple node setup with NodePort access, but that would fail with Clustered master setup.

I am also open to better suggestions on implementing Dashboard in this topology.

Please let me know if you need any additional information

1
kuberneteskubernetes-dashboardkubernetes-cluster
Do you want to enable anonymous access to the dashboard, so that anyone who can reach the FloatingIP can see the dashboard?Amit Kumar Gupta
@AmitKumarGupta - If there is option to access without enabling anonymous user, I would like to consider that. For now since floating IP is limited to internal subnet, I would proceed by taking the anonymous option provide below by Hang and restrict the verbs that are allowed.Sujith Shajee
From one of the creators of Kubernetes: blog.heptio.com/…. It talks about how to secure the dashboard. It also expresses the following sentiment that I strongly agree with: "Security isn’t just for production! In the world of infrastructure the intent of your cluster doesn’t matter."Amit Kumar Gupta

1 Answers

13
votes

You will need to create a clusterrole to grant permission to kubernetes-dashboard and bind it to system:anonymous user as followed.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-anonymous
rules:
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["https:kubernetes-dashboard:"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-anonymous
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard-anonymous
subjects:
- kind: User
  name: system:anonymous

Edit: To apply these changes, save it into a .yaml (e.g.: clusterrole.yaml) file and run

kubectl apply -f clusterrole.yaml