In my previous post, I showed how anyone could install a Kubernetes cluster locally using Canonical's microk8s.
This post picks up where the last ended. Before I start looking at deploying software to my local cluster, I need to do some additional configuration.
Note: I've aliased microk8s as m8s and microk8s kubectl as k8s.
Kubernetes Dashboard
The Kubernetes Dashboard is a web interface that makes discovery and simple observability straightforward. microk8s provides a dashboard package that you can install with:
m8s enable dashboard
To view the dashboard, use the dashboard proxy command:
m8s dashboard-proxy
To open the dashboard, ctrl+click the URL in the console. Bypass your browser's warning that the certificate is invalid* (the proxy serves a self-signed certificate), copy the token printed at the end of the output, and paste it when the browser prompts you to authenticate.
Role-Based Access Control (RBAC)
What is it?
Though Kubernetes is usable without it, RBAC lets you practice good security hygiene and work in an environment closer to production clusters.
If you're not familiar, RBAC consists of the following:
- subjects: users, groups and service accounts (service accounts are the kind you create yourself, and the kind the dashboard uses)
- roles and cluster roles: named sets of rules, each allowing a list of verbs (get, list, watch, create, ...) on resources in an API group; a Role is scoped to one namespace, a ClusterRole applies cluster-wide
- role bindings and cluster role bindings: grant a role or cluster role to one or more subjects
Since you can bind multiple roles to a service account, this is a very flexible way to add or remove sets of permissions for an account. Keep in mind that RBAC is purely additive: there are no deny rules, so anything granted by one binding cannot be taken away by another.
Enabling RBAC
Enabling RBAC is simple:
m8s enable rbac
Fixing The Dashboard Account's Permissions
Enabling the dashboard creates a service account named kubernetes-dashboard in the kube-system namespace. To see the list of service accounts that includes this new account, issue:
k8s get sa -n kube-system
To see the other RBAC resources created to make the dashboard work, issue the following. ClusterRoles and ClusterRoleBindings are cluster-scoped, so a -n kube-system flag is accepted but has no effect:
Lists cluster roles
k8s get clusterroles | grep dashboard
Lists cluster role bindings
k8s get clusterrolebindings | grep dashboard
Unfortunately, the permissions granted to the kubernetes-dashboard account through the cluster role of the same name cover only what the dashboard needs to run itself, and are so restrictive that we won't get much visibility into what's already in the cluster.
Rather than dive into the specifics of each manifest, I've put a new ClusterRole, ClusterRoleBinding, and token Secret into a gist you can use to:
- create a new cluster role named kubernetes-dashboard-readonly
- create a cluster role binding named kubernetes-dashboard-readonly that binds it to the kubernetes-dashboard service account
- create an authentication token for the kubernetes-dashboard account
Save the contents of the gist to ./read-only-dashboard.yml and then run:
k8s create -f ./read-only-dashboard.yml
To retrieve the token for logging in as kubernetes-dashboard, use:
k8s describe secrets -n kube-system kubernetes-dashboard-token
Copy the value following token: and use it to log into the dashboard. Anyone holding that value now has read access to the whole cluster, so treat it like a password. The first sign of success is that the namespaces drop-down in the top bar lists more than default.
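The three objects the gist creates, written here as an added example rather than copied from the gist. The object names match the post (kubernetes-dashboard-readonly, kubernetes-dashboard-token, the kubernetes-dashboard service account in kube-system); the rule set is my own choice and the gist's may differ. It also illustrates the RBAC pieces listed above: a ClusterRole holding the rules, a ClusterRoleBinding joining it to a service-account subject, and the Secret that carries the account's token.

```yaml
# Added example, not the post's gist. Cluster-wide read-only role for the
# dashboard's service account, plus a long-lived token Secret for the login prompt.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubernetes-dashboard-readonly
rules:
  # "" is the core API group. Secrets are deliberately left out: a token that
  # can list Secrets cluster-wide can read every other credential in the cluster.
  - apiGroups: [""]
    resources:
      - namespaces
      - nodes
      - pods
      - pods/log
      - services
      - endpoints
      - configmaps
      - persistentvolumes
      - persistentvolumeclaims
      - events
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "networkpolicies"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard-readonly
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system
---
# Long-lived token for the dashboard login prompt. On Kubernetes 1.24 and later
# this Secret is no longer created automatically for a service account;
# declaring it with the service-account.name annotation makes the token
# controller fill in the token field.
apiVersion: v1
kind: Secret
metadata:
  name: kubernetes-dashboard-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: kubernetes-dashboard
type: kubernetes.io/service-account-token
```

After creating the file, check what the account can actually do with `k8s auth can-i --list --as=system:serviceaccount:kube-system:kubernetes-dashboard`; the output should show get/list/watch on the resources above and nothing on secrets. Two caveats: binding extra permissions to the dashboard's own service account means the token that m8s dashboard-proxy prints now carries cluster-wide read, so an alternative is to leave that account alone, create a separate service account for yourself, bind the read-only role to it, and log into the dashboard with its token. And on kubectl 1.24 and later, `k8s create token kubernetes-dashboard -n kube-system` mints a short-lived token without storing one in a Secret at all.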
Help With Custom Roles
Finding a list of the available API groups and their related resources with their allowed verbs has been a headache. There is a built-in command that prints a space-aligned table (not tab-delimited) whose APIVERSION column carries the group as a prefix and whose VERBS column is exactly what you put in a role's rules:
k8s api-resources -o wide
To make this easier to consume (for myself), I put the output in a Google Sheet and sorted it by the API Group and Resource Name columns. You can view it here.
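Because the columns are padded with spaces rather than tabs, and SHORTNAMES and CATEGORIES are blank for many resources, a naive awk '{print $1, $3, $6}' shifts fields on those rows. The script below (an added example, not part of the original post) cuts each column at the offset of its header word instead, and emits a tab-separated group, resource, namespaced, verbs table sorted the same way as the spreadsheet. sample_api_resources is constructed output that mimics the real command's column layout for five resources; with a live cluster, pipe the real command in: k8s api-resources -o wide | apires_table.

```shell
#!/bin/sh
# Added example: turn `kubectl api-resources -o wide` into a sorted,
# tab-separated table of API group, resource, namespaced, verbs.
# The command pads columns with spaces (no tabs) and leaves SHORTNAMES /
# CATEGORIES empty for many rows, so splitting on whitespace shifts fields.
# Each column is cut at the offset of its header word instead.

apires_table() {
  awk '
    NR == 1 {
      # Column start offsets come from the header line itself.
      n = split("NAME SHORTNAMES APIVERSION NAMESPACED KIND VERBS CATEGORIES", cols, " ")
      for (i = 1; i <= n; i++) start[i] = index($0, cols[i])
      next
    }
    {
      for (i = 1; i <= n; i++) {
        len = (i < n) ? start[i + 1] - start[i] : length($0)
        v = substr($0, start[i], len)
        gsub(/^ +| +$/, "", v)          # trim the padding
        f[cols[i]] = v
      }
      # APIVERSION is "group/version", or just "version" for the core group.
      grp = f["APIVERSION"]
      if (grp ~ /\//) sub(/\/.*$/, "", grp); else grp = "core"
      printf "%s\t%s\t%s\t%s\n", grp, f["NAME"], f["NAMESPACED"], f["VERBS"]
    }
  ' | sort -t "$(printf '\t')" -k1,1 -k2,2
}

# Constructed sample with the same column layout as the real command
# (five resources; the real list runs to several dozen lines).
sample_api_resources() {
  fmt='%-14s%-13s%-31s%-13s%-12s%-61s%s\n'
  printf "$fmt" NAME SHORTNAMES APIVERSION NAMESPACED KIND VERBS CATEGORIES
  printf "$fmt" bindings   ""  v1                           true Binding   create ""
  printf "$fmt" configmaps cm  v1                           true ConfigMap create,delete,deletecollection,get,list,patch,update,watch ""
  printf "$fmt" pods       po  v1                           true Pod       create,delete,deletecollection,get,list,patch,update,watch all
  printf "$fmt" daemonsets ds  apps/v1                      true DaemonSet create,delete,deletecollection,get,list,patch,update,watch all
  printf "$fmt" roles      ""  rbac.authorization.k8s.io/v1 true Role      create,delete,deletecollection,get,list,patch,update,watch ""
}

# With a live cluster:  k8s api-resources -o wide | apires_table
sample_api_resources | apires_table
```

The NAMESPACED column is kept because it tells you whether a resource can be granted in a namespaced Role at all or needs a ClusterRole (nodes and persistentvolumes, for example, are cluster-scoped).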
Up Next
In my next post, I plan to add the Kubernetes Ingress NGINX Controller and demonstrate how this creates a reverse proxy and load balancer for services we may want to expose outside the cluster.
*Known Issues With Self-Signed Certificate
Following these directions on a machine whose browser does not let you proceed past the warning for a self-signed HTTPS certificate will prevent you from viewing the dashboard.
In the next post, I'll look at ways to get a valid certificate for an ingress controller.
Resources
Gist: Read-only Dashboard Role
Kubernetes API Groups and Resources