3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-30 10:56:28 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/docs/guides/kubernetes-dashboard.md
Alex Fornuto 64d50613af
DOCS: keyword tag updates (#2922) 
* replace "zero-trust" with "zero trust"

* fix and update all keyword tags
2022-01-11 12:36:47 -06:00

112 lines
5.1 KiB
Markdown
Raw Blame History

---
title: Kubernetes Dashboard
lang: en-US
meta:
- name: keywords
content: pomerium, identity access proxy, kubernetes, helm, k8s, oauth, dashboard,
description: >-
This guide covers how to add authentication and authorization to kubernetes dashboard using single-sing-on, pomerium, helm, and letsencrypt certificates.
---
# Securing Kubernetes Dashboard
The following guide covers how to secure [Kubernetes Dashboard] using Pomerium. Kubernetes Dashboard is a powerful, web-based UI for managing Kubernetes clusters. Pomerium can act as an independent **identity-aware access proxy** improving and adding single-sign-on to Kubernetes Dashboard's default access control. This is in contrast to most deployments, which use static tokens for access.
![fresh kubernetes dashboard install](./img/k8s-fresh-dashboard.png)
This tutorial covers:
- Deploying [Kubernetes Dashboard] using [Helm]
- Establishing secure Kubernetes Dashboard access through Pomerium
## Before You Begin
This guide builds off of existing articles and guides. It assumes you have deployed Pomerium to your cluster using our Helm charts, configured a certificate solution like [cert-manager], and set up secure access to the Kubernetes API. Follow the instructions in these pages before you continue:
- [Install Pomerium using Helm]
- [Securing Kubernetes]
## Background
Though securing [Kubernetes Dashboard] as an example may seem contrived, the damages caused by an unsecured dashboard is a real threat vector. In late 2018, Tesla [determined](https://redlock.io/blog/cryptojacking-tesla) that the hackers who were running [crypto-mining malware](https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/) on their cloud accounts came in through an unsecured [Kubernetes Dashboard] instance.
![tesla hacked from kubernetes dashboard](./img/k8s-tesla-hacked.png)
## Install Kubernetes Dashboard
[Kubernetes Dashboard] is a general purpose, web-based UI for Kubernetes clusters. It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself.
Use [Helm] to install a new instance of [Kubernetes Dashboard] :
```bash
helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
helm install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard\
--set ingress.enabled="false"
```
That's it. We've now configured the Kubernetes Dashboard in our cluster. We've also explicitly told Helm that we are going to deploy our own custom access to the service through Pomerium instead of a standard ingress.
## Add a Route
Following the configuration defined in [Install Pomerium using Helm], add a route for the Kubernetes Dashboard.
1. Modify `pomerium-values.yaml` with the following route:
```yaml
- from: https://dashboard.localhost.pomerium.io
to: https://kubernetes-dashboard.default.svc.cluster.local
allow_spdy: true
tls_skip_verify: true
kubernetes_service_account_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
policy:
- allow:
or:
- domain:
is: pomerium.com
```
The service account token used for `kubernetes_service_account_token_file` is defined by our [helm chart]. Modify the policy to match your configuration.
1. Access to the dashboard for a user is authorized by the cluster role binding defined in role-based access control (**RBAC**) permissions. Following the [User Permissions] section of [Securing Kubernetes], you should already have permissions for your user, or you can create a new RBAC definition following this example (`rbac-someuser.yaml`):
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-admin-crb
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: someuser@example.com
```
Apply the permissions with `kubectl apply -f rbac-someuser.yaml`.
1. Apply the new route to Pomerium with Helm:
```bash
helm upgrade --install pomerium pomerium/pomerium --values pomerium-values.yaml
```
## Conclusion
Because we've defined RBAC for our users, they can authenticate with Pomerium and Kubernetes will recognize that user in the Dashboard:
<video controls muted="" playsinline="" width="100%" height="600" control=""><source src="./img/k8s-dashboard-user.mp4" type="video/mp4">
Your browser does not support the video tag.
</video>
🎉🍾🎊 **Congratulations!** 🎉🍾🎊 You now have a single-sign-on enabled [Kubernetes Dashboard] protected by Pomerium.
[cert-manager]: https://cert-manager.io/docs/
[helm chart]: https://github.com/pomerium/pomerium-helm
[Helm]: https://helm.sh
[Install Pomerium using Helm]: /docs/k8s/helm.md
[Kubernetes Dashboard]: https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
[Securing Kubernetes]: /guides/kubernetes.md
[User Permissions]: /guides/kubernetes.md#user-permissions
Reference in a new issue View git blame Copy permalink