- Show
kubectl proxy
Things are now locked down by default. Try to upload kubeconfig. Talk certs vs. tokens. Skip login... nothing works.
- Let's get UI working!
Option 1: Give the UI's service account (SA) admin rights. Don't do this!
Option 2: Get some sort of token. Without an external authn mechanism, use an SA token.
kubectl create sa my-dashboard-sa
kubectl create clusterrolebinding my-dashboard-sa --clusterrole=cluster-admin --serviceaccount=default:my-dashboard-sa
kubectl get secrets
kubectl describe secret my-dashboard-sa-token-dkz2j
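An added example, not part of the original notes: a check over `kubectl get clusterrolebindings -o json` output that lists which service accounts hold cluster-admin, since a token for such an account gives whoever pastes it into the UI full control of the cluster. The binding data is constructed sample input and the function name is hypothetical.

```python
import json

# Constructed sample: trimmed output of `kubectl get clusterrolebindings -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "my-dashboard-sa"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "my-dashboard-sa", "namespace": "default"}]},
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"metadata": {"name": "ci-view"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "build"}]},
  {"metadata": {"name": "legacy-all-sa"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:serviceaccounts:kube-system"}]},
  {"metadata": {"name": "orphaned"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}
]}
""")

SA_GROUP = "system:serviceaccounts"  # built-in group; ":<namespace>" narrows it

def admin_service_accounts(bindings, role="cluster-admin"):
    """Return sorted (binding, subject) pairs where a service account holds `role`."""
    findings = []
    for b in bindings.get("items", []):
        if b.get("roleRef", {}).get("name") != role:
            continue
        # `subjects` can be absent or null on a binding with no subjects.
        for s in b.get("subjects") or []:
            kind, name = s.get("kind"), s.get("name", "")
            if kind == "ServiceAccount":
                subject = "system:serviceaccount:%s:%s" % (s.get("namespace", ""), name)
            elif kind == "Group" and (name == SA_GROUP or name.startswith(SA_GROUP + ":")):
                subject = name  # every service account (in that namespace)
            else:
                continue  # users and other groups are out of scope here
            findings.append((b["metadata"]["name"], subject))
    return sorted(findings)

if __name__ == "__main__":
    for binding, subject in admin_service_accounts(SAMPLE):
        print("%s: %s has cluster-admin" % (binding, subject))
```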
- Expose this to users?
Expose directly? Not a good idea. Defense in depth. What if the console had a bug?
Expose with NodePort? Works great as long as users have access to the node. Often not the case without VPN and/or with cloud. Talk BeyondCorp.
Expose behind validating proxy? Yes! Let's do that next.
kubectl create secret generic k8s-dashboard-oauth-secrets \
-o yaml --dry-run \
-n kube-system \
--from-literal=client-id=c65d2f658c05aacf2f35 \
--from-literal=client-secret=8b9ae8d9eee6ce756d4894aca85df19b90d0aa22 \
--from-literal=cookie=$(python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(16)).decode())')
- Future? It would be great if we could have the UI be an OAuth client and use that with custom authn provider.