
Kubernetes Dashboard Proxy

DEPRECATED: This chart has been deprecated.


A Helm chart with keycloak-proxy to protect the Kubernetes Dashboard with OpenID Connect (OIDC) authentication.

(Figure: diagram.png)

TL;DR

You can install the charts as follows (Helm 2 command syntax, which is what the chart was written for):

# Kubernetes Dashboard
helm install stable/kubernetes-dashboard --namespace kube-system --name kubernetes-dashboard

# Kubernetes Dashboard Proxy
helm repo add int128.github.io https://int128.github.io/helm-charts
helm repo update
helm install int128.github.io/kubernetes-dashboard-proxy --namespace kube-system --name kubernetes-dashboard-proxy -f kubernetes-dashboard-proxy.yaml

See also this article.

Getting Started with Keycloak

1. Setup Keycloak

Create an OIDC client as follows:

  • Client ID: kubernetes
  • Redirect URL: https://kubernetes-dashboard.example.com/oauth/callback
  • Issuer URL: https://keycloak.example.com/auth/realms/YOUR_REALM

You need to add the following mapper so that the ID token carries an aud claim containing the client ID (see #8954); the Kubernetes API server rejects tokens whose aud does not include the configured client ID:

  • Name: aud
  • Mapper Type: Audience
  • Included Client Audience: kubernetes

To expose the client's roles as a groups claim in the ID token, add the following mapper:

  • Name: groups
  • Mapper Type: User Client Role
  • Client ID: kubernetes
  • Client Role prefix: kubernetes:
  • Token Claim Name: groups
  • Add to ID token: on

For example, if you have the admin role of the client, you will get a JWT with the claim {"groups": ["kubernetes:admin"]}.

2. Setup Kubernetes API Server

Configure the Kubernetes API Server to accept an OIDC ID token from the same issuer and client.

If you are using kops, run kops edit cluster and append the following to the spec (these fields correspond to the kube-apiserver flags --oidc-issuer-url, --oidc-client-id and --oidc-groups-claim):

spec:
  kubeAPIServer:
    oidcIssuerURL: https://keycloak.example.com/auth/realms/YOUR_REALM
    oidcClientID: kubernetes
    oidcGroupsClaim: groups

3. Install the charts

This repository has a helmfile.yaml that installs the charts listed in the TL;DR section.

Install Helmfile and run it:

export KUBE_DASHBOARD_DOMAIN=kubernetes-dashboard.example.com
export KUBE_OIDC_DISCOVERY_URL=https://keycloak.example.com/auth/realms/YOUR_REALM
export KUBE_OIDC_CLIENT_ID=kubernetes
export KUBE_OIDC_CLIENT_SECRET=YOUR_SECRET

helmfile sync

4. Assign a role

Open https://kubernetes-dashboard.example.com.

At this point the dashboard may show an Unauthorized error because your identity has no RBAC role yet. Bind the cluster-admin role to the group carried in the groups claim (kubernetes:admin, produced by the role mapper above):

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: keycloak-admin-group
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # NOTE: This is a super administrator and can do everything.
  # Consider a dedicated role in your actual operation.
  name: cluster-admin
subjects:
- kind: Group
  name: kubernetes:admin

Now all objects should appear in the dashboard.

Getting Started with Google Account

1. Setup Google API

Open the Google APIs Console and create an OAuth client as follows:

  • Application Type: Web application
  • Redirect URL: https://kubernetes-dashboard.example.com/oauth/callback

2. Setup Kubernetes API Server

Configure the Kubernetes API Server to accept an OIDC ID token issued by Google for your client.

If you are using kops, run kops edit cluster and append the following settings (they correspond to the kube-apiserver flags --oidc-issuer-url and --oidc-client-id):

spec:
  kubeAPIServer:
    oidcIssuerURL: https://accounts.google.com
    oidcClientID: xxx-xxx.apps.googleusercontent.com

3. Install the charts

This repository has a helmfile.yaml that installs the charts listed in the TL;DR section.

Install Helmfile and run it:

export KUBE_OIDC_DISCOVERY_URL=https://accounts.google.com
export KUBE_OIDC_CLIENT_ID=xxx-xxx.apps.googleusercontent.com
export KUBE_OIDC_CLIENT_SECRET=YOUR_SECRET

helmfile sync

4. Assign a role

Open https://kubernetes-dashboard.example.com.

At this point the dashboard may show an Unauthorized error because your identity has no RBAC role yet. Bind the cluster-admin role to yourself. With the API server's default username claim (sub) and no --oidc-username-prefix set, the user name is the issuer URL, a # sign, and the sub claim of your Google account:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: google-admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # NOTE: This is a super administrator and can do everything.
  # Consider a dedicated role in your actual operation.
  name: cluster-admin
subjects:
- kind: User
  # <issuer URL>#<sub claim>; replace 1234567890 with your account's sub
  name: https://accounts.google.com#1234567890

Now all objects should appear in the dashboard.
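Both "Assign a role" steps above depend on the name the API server derives from the ID token: a Group named after the groups claim (kubernetes:admin) in the Keycloak setup, and a User named issuer#sub in the Google setup. The script below is an added illustration, not part of the chart or its README: it decodes an ID token without verifying the signature (kube-apiserver does that against the issuer's JWKS; this tool only inspects claims) and applies the kube-apiserver OIDC authenticator's claim rules for iss, aud, exp, the username claim and prefix, and the groups claim, so you can see which RBAC subject a token would map to before writing a ClusterRoleBinding. The issuer URLs, client IDs and the sample tokens are constructed from the README's placeholders and are assumptions.

```python
import base64
import json
import time

# Placeholders copied from the README; assumptions, not live endpoints.
KEYCLOAK_ISSUER = "https://keycloak.example.com/auth/realms/YOUR_REALM"
KEYCLOAK_CLIENT_ID = "kubernetes"
GOOGLE_ISSUER = "https://accounts.google.com"
GOOGLE_CLIENT_ID = "xxx-xxx.apps.googleusercontent.com"
FAR_FUTURE = 4102444800  # 2100-01-01T00:00:00Z, keeps the sample tokens unexpired


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode())


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_id_token(token):
    """Split a compact JWT into (header, claims). No signature check is done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def kube_subject(claims, issuer_url, client_id, username_claim="sub",
                 username_prefix=None, groups_claim=None, groups_prefix="",
                 now=None):
    """Apply kube-apiserver's OIDC claim rules; return {"errors", "user", "groups"}.
    An empty error list means the token would authenticate (signature aside)."""
    errors = []
    now = time.time() if now is None else now

    if claims.get("iss") != issuer_url:
        errors.append(f"iss {claims.get('iss')!r} != --oidc-issuer-url {issuer_url!r}")

    # aud may be a string or a list; --oidc-client-id must be one of the values.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        errors.append(f"aud {auds!r} does not contain --oidc-client-id {client_id!r}")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        errors.append("exp claim missing or in the past")

    user = None
    raw_user = claims.get(username_claim)
    if not isinstance(raw_user, str) or not raw_user:
        errors.append(f"username claim {username_claim!r} missing or empty")
    else:
        if username_claim == "email" and claims.get("email_verified") is False:
            errors.append("email_verified is false")
        # --oidc-username-prefix unset means "<issuer>#" unless the claim is
        # email; the literal "-" disables prefixing entirely.
        if username_prefix is None:
            prefix = "" if username_claim == "email" else issuer_url + "#"
        else:
            prefix = "" if username_prefix == "-" else username_prefix
        user = prefix + raw_user

    groups = []
    if groups_claim:
        raw_groups = claims.get(groups_claim, [])
        if isinstance(raw_groups, str):
            raw_groups = [raw_groups]
        if all(isinstance(g, str) for g in raw_groups):
            groups = [groups_prefix + g for g in raw_groups]
        else:
            errors.append(f"groups claim {groups_claim!r} must be a string or list of strings")

    return {"errors": errors, "user": user, "groups": groups}


def inspect_token(token, issuer_url, client_id, **rules):
    """Decode a token and report the RBAC subject kube-apiserver would derive."""
    _, claims = decode_id_token(token)
    return kube_subject(claims, issuer_url, client_id, **rules)


def unsigned_token(claims):
    """Build an alg=none token from constructed claims (sample data only)."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


# Constructed sample tokens shaped like the README's two setups.
KEYCLOAK_TOKEN = unsigned_token({
    "iss": KEYCLOAK_ISSUER, "aud": KEYCLOAK_CLIENT_ID, "sub": "alice-sub",
    "exp": FAR_FUTURE, "groups": ["kubernetes:admin"],  # as the role mapper would emit
})
KEYCLOAK_TOKEN_NO_AUD = unsigned_token({  # aud omitted on purpose to show the failure path
    "iss": KEYCLOAK_ISSUER, "sub": "alice-sub", "exp": FAR_FUTURE, "groups": ["kubernetes:admin"],
})
GOOGLE_TOKEN = unsigned_token({
    "iss": GOOGLE_ISSUER, "aud": GOOGLE_CLIENT_ID, "sub": "1234567890",
    "exp": FAR_FUTURE, "email": "alice@example.com", "email_verified": True,
})

if __name__ == "__main__":
    print(inspect_token(KEYCLOAK_TOKEN, KEYCLOAK_ISSUER, KEYCLOAK_CLIENT_ID, groups_claim="groups"))
    print(inspect_token(KEYCLOAK_TOKEN_NO_AUD, KEYCLOAK_ISSUER, KEYCLOAK_CLIENT_ID, groups_claim="groups"))
    print(inspect_token(GOOGLE_TOKEN, GOOGLE_ISSUER, GOOGLE_CLIENT_ID))
```

Run it as-is to see the three cases: the Keycloak token maps to user YOUR_REALM-issuer#alice-sub with group kubernetes:admin (the Group subject in the first ClusterRoleBinding); the token without an aud claim is rejected, which is the failure the Audience mapper step prevents; the Google token maps to https://accounts.google.com#1234567890 (the User subject in the second binding). To inspect a real token, paste the id_token value from your browser session into inspect_token; never paste it anywhere that logs it, since it is a bearer credential. Note that the README puts the kubernetes: prefix inside the claim via the Keycloak mapper; --oidc-groups-prefix (groups_prefix here) is the API-server-side alternative, and the two must not both be applied or the group names will not match the binding.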

Configuration

You can set the following values for the Kubernetes Dashboard Proxy (parameter: description, default).

proxy.oidc.discoveryURL: OIDC discovery URL of the issuer. Mandatory.
proxy.oidc.clientID: OIDC client ID. Mandatory.
proxy.oidc.clientSecret: OIDC client secret. Mandatory.
proxy.oidc.redirectURL: Redirect URL; in most cases this is the external URL of the dashboard. Mandatory.
proxy.oidc.scopes: List of scopes requested when authenticating the user. Optional, no default.
proxy.cookieEncryptionKey: Key used to encrypt the session stored in the browser cookie. Must be a 16 or 32 byte string. Default: a random 32 byte string.
proxy.upstreamURL: Kubernetes Dashboard service URL. Default: https://kubernetes-dashboard.kube-system.svc.cluster.local.
proxy.enableAuthorizationHeader: Add the Authorization header to the upstream proxy request. Default: true.
proxy.enableAuthorizationCookies: Add the authorization cookies to the upstream proxy request. Default: false.
ingress.enabled: Create an Ingress resource. Default: false.
ingress.hosts: Ingress hostnames. Default: [].
resources.limits: Pod resource limits. Default: {}.
resources.requests: Pod resource requests. Default: {}.

See also kubernetes-dashboard-proxy.yaml.

nginx ingress controller

If you are using nginx-ingress, make sure proxy_buffer_size is larger than 4k. The proxy's responses carry the session cookies with the tokens and exceed nginx's default 4k header buffer, which makes nginx return a 502 instead of the dashboard. You can set it in the ConfigMap of nginx-ingress:

    proxy-buffer-size: "64k"

Special thanks

This depends on gambol99/keycloak-proxy. Thank you for the great work.

Contributions

This is open source software licensed under the Apache License 2.0. Feel free to open issues or pull requests.

Contributors

davidkarlsen, gumdelli, int128, legal90

Issues

"error": "authentication session not found"

Hi! I did the installation from the README, and also from there a couple of times, and it never works. The only thing I've changed is adding kubernetes.io/ingress.class: nginx and kubernetes.io/tls-acme: "true" to the annotations of dashboard-kubernetes-proxy for resolving the domain.
The Keycloak login appears, but when I log in I get error 502 Bad Gateway from my browser.

If I look into the pod logs of the proxy I get:

info	starting the service	{"prog": "keycloak-proxy", "author": "Rohith", "version": "v2.2.2 (git+sha: ff204ed, built: 03-07-2018)"}
info	attempting to retrieve configuration discovery url	{"url": "https://keycloak.xxx.com/auth/realms/master", "timeout": "30s"}
info	successfully retrieved openid configuration from the discovery
info	enabled reverse proxy mode, upstream url	{"url": "https://kubernetes-dashboard.kube-system.svc.cluster.local"}
info	using session cookies only for access and refresh tokens
info	protecting resource	{"resource": "uri: /*, methods: DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT,TRACE, required: authentication only"}
info	keycloak proxy service starting	{"interface": "0.0.0.0:3000"}
error	no session found in request, redirecting for authorization	{"error": "authentication session not found"}
info	issuing access token for user	{"email": "xxx@xxx", "expires": "2018-08-09T18:00:10Z", "duration": "59.296666348s"}
error	no session found in request, redirecting for authorization	{"error": "authentication session not found"}

Any idea of what's wrong ?

traefik ingress authentication with keycloak gatekeeper on EKS, error: no session found in request

Hi All,

I am setting up Traefik ingress with keycloak-gatekeeper authentication for the Kibana app on EKS. I have deployed keycloak-gatekeeper as below:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    component: keycloak-gatekeeper
  name: keycloak-gatekeeper
  namespace: pulse
spec:
  selector:
    matchLabels:
      component: keycloak-gatekeeper
  replicas: 1
  template:
    metadata:
      labels:
        component: keycloak-gatekeeper
    spec:
      containers:
        - image: keycloak/keycloak-gatekeeper
          imagePullPolicy: Always
          name: keycloak-gatekeeper
          ports:
            - containerPort: 3000
          args:
            - --discovery-url=http://keycloak:8080/auth/realms/realm1 #keycloak is clusterip service over keycloak deployment
            - --secure-cookie=false
            - --enable-default-deny=true
            - --client-id=Vista
            - --client-secret=2f1aa7dd-2aa9-4fd0-956c-5c45b2bf2091
            - --listen=0.0.0.0:3000 # listen on port 3000 on all interfaces
            - --redirection-url=http://127.0.0.1:3000
            - --upstream-url=http://127.0.0.1:5601
            - --enable-logging=true
            - --enable-json-logging=true
            - --verbose=true
---
apiVersion: v1
kind: Service
metadata:
  name: keycloak-gatekeeper
  namespace: pulse
  labels:
    component: keycloak-gatekeeper
spec:
  ports:
  - port: 3000
    name: http
  selector:
    component: keycloak-gatekeeper

I have traefik ingress as below:

#ingress routes for https
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: pulseingressroutetls
  namespace: pulse
spec:
  entryPoints:
    - websecure
  routes:
  - match: PathPrefix(`/kibana`)
    kind: Rule
    services:
    - name: keycloak-gatekeeper
      port: 3000
    middlewares:
      - name: stripprefix
  tls:
    secretName: pulsetlssecret
---
#strip prefix
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: stripprefix
  namespace: pulse
spec:
  stripPrefix:
    prefixes:
      - /kibana

My Traefik ingress is exposed as an ELB service.
Now, whenever I browse to https://elb_host/kibana, it just redirects to https://elb_host/oauth/authorize?state=<..> and throws 404.
I expect it to first redirect to the Keycloak auth URL (https://elb_host/auth/realms/realm1?..) for authentication.
I also see in the gatekeeper logs that it successfully fetches the OIDC configuration. But after I hit the above URL the following error occurs in the gatekeeper logs:

{"level":"error","ts":1584946244.340905,"caller":"keycloak-gatekeeper/middleware.go:108","msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1584946244.340992,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client  

Full gatekeeper logs:

{"level":"info","ts":1584946156.4244683,"caller":"keycloak-gatekeeper/server.go:84","msg":"starting the service","prog":"keycloak-gatekeeper","author":"Keycloak","version":"7.0.0 (git+sha: f66e137, built: 03-09-2019)"}
{"level":"info","ts":1584946156.424621,"caller":"keycloak-gatekeeper/server.go:686","msg":"attempting to retrieve configuration discovery url","url":"http://keycloak:8080/auth/realms/Cadence","timeout":"30s"}
{"level":"info","ts":1584946156.4340553,"caller":"keycloak-gatekeeper/server.go:702","msg":"successfully retrieved openid configuration from the discovery"}
{"level":"info","ts":1584946156.4362457,"caller":"keycloak-gatekeeper/server.go:157","msg":"enabled reverse proxy mode, upstream url","url":"http://127.0.0.1:5601"}
{"level":"info","ts":1584946156.4363396,"caller":"keycloak-gatekeeper/server.go:228","msg":"using session cookies only for access and refresh tokens"}
{"level":"info","ts":1584946156.436363,"caller":"keycloak-gatekeeper/server.go:255","msg":"adding a default denial into the protected resources"}
{"level":"info","ts":1584946156.4363763,"caller":"keycloak-gatekeeper/server.go:260","msg":"protecting resource","resource":"uri: /*, methods: DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT,TRACE, required: authentication only"}
{"level":"info","ts":1584946156.4368074,"caller":"keycloak-gatekeeper/server.go:384","msg":"keycloak proxy service starting","interface":"0.0.0.0:3000"}
{"level":"error","ts":1584946244.340905,"caller":"keycloak-gatekeeper/middleware.go:108","msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1584946244.340992,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.000136814,"status":307,"bytes":95,"client_ip":"10.8.29.183:54714","method":"GET","path":"/"}
{"level":"error","ts":1584947395.6576178,"caller":"keycloak-gatekeeper/middleware.go:108","msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1584947395.657689,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.000107069,"status":307,"bytes":95,"client_ip":"10.8.29.183:33002","method":"GET","path":"/"}

Please help what am I doing wrong here?

Unable to connect keycloak x509: certificate signed by unknown authority

The OIDC issuer URL is throwing the error x509: certificate signed by unknown authority,
and the container shuts down into CrashLoopBackOff state.

1.5878367354726114e+09	info	attempting to retrieve configuration discovery url	{"url": "https://sso.example.com/auth/realms/production", "timeout": "30s"}
1.587836735495971e+09	warn	failed to get provider configuration from discovery	{"error": "Get https://sso.example.com/auth/realms/production/.well-known/openid-configuration: x509: certificate signed by unknown authority"}

Maybe an --oidc-ca-file=/etc/kubernetes/ssl/sso.pem option is needed.

Default dashboard URL has changed.

Hi, we have been using this proxy for a while, but recently the default namespace for the dashboard changed from kube-system to kubernetes-dashboard, so we had to override the proxy's default upstream address to find the dashboard.

We were seeing the following error:
dial tcp: lookup kubernetes-dashboard.kube-system.svc.cluster.local on 10.3.0.10:53: no such host

Just add an "upstreamURL" line to override the default upstream URL as shown below.

proxy:
  oidc:
    redirectURL: https://your_redirect_url/
    discoveryURL: https://your_discovery_url
    clientID: your_client_id
    clientSecret: top_secret_secret!!
  upstreamURL: https://kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
