Once Dashboard is installed and accessible we can focus on configuring access control to the cluster resources for users.
Kubernetes supports few ways of authenticating and authorizing users. You can read about them here and here. Authorization is handled by Kubernetes API server. Dashboard only acts as a proxy and passes all auth information to it. In case of forbidden access corresponding warnings will be displayed in Dashboard.
getandupdatepermissions to the Config Map used as settings storage.- Default name:
kubernetes-dashboard-settings. Can be changed via--settings-config-map-nameargument. - Default namespace:
kubernetes-dashboard. Can be changed via--namespaceargument.
- Default name:
getpermission forservices/proxyin order to allow dashboard metrics scraper to gather metrics.- Default service name:
kubernetes-dashboard-metrics-scraper. Can be changed via--metrics-scraper-service-nameargument. - Default namespace
kubernetes-dashboard. Can be changed via--namespaceargument.
- Default service name:
get,listandwatchpermissions formetrics.k8s.ioAPI in order to allow dashboard metrics scraper to gather metrics from themetrics-server.
Kubernetes Dashboard supports two different ways of authenticating users:
- Authorization header passed in every request to Dashboard. Supported from release 1.6. Has the highest priority. If present, login view will be skipped.
- Bearer Token that can be used on Dashboard login view.
In case you are using the latest recommended installation then login functionality will be enabled by default. In any other case and if you prefer to configure certificates manually you need to pass --tls-cert-file and --tls-cert-key flags to Dashboard. HTTPS endpoint will be exposed on port 8443 of Dashboard container. You can change it by providing --port flag.
Using authorization header is the only way to make Dashboard act as an user, when accessing it over HTTP. Note that there are some risks since plain HTTP traffic is vulnerable to MITM attacks.
To make Dashboard use authorization header you simply need to pass Authorization: Bearer <token> in every request to Dashboard. This can be achieved i.e. by configuring reverse proxy in front of Dashboard. Proxy will be responsible for authentication with identity provider and will pass generated token in request header to Dashboard. Note that Kubernetes API server needs to be configured properly to accept these tokens.
To quickly test it check out Requestly Chrome browser plugin that allows to manually modify request headers.
IMPORTANT: Authorization header will not work if Dashboard is accessed through API server proxy. Both kubectl proxy and API Server way of accessing Dashboard described in Accessing Dashboard guide will not work. It is due to the fact that once request reaches API server all additional headers are dropped.
It is recommended to get familiar with Kubernetes authentication documentation first to find out how to get token, that can be used to login. In example every Service Account has a Secret with valid Bearer Token that can be used to login to Dashboard.
Recommended lecture to find out how to create Service Account and grant it privileges:
To create sample user and to get its token, see Creating sample user guide.
Copyright 2019 The Kubernetes Dashboard Authors