Deploying keycloak using digitalocean kubernetes - kubernetes

I have deployed my Keycloak application to Kubernetes, and using the external IP from the Kubernetes Service I am able to access the application. But when I click Administration Console, it shows "HTTPS required". How do I access the master realm?

Related

Deploying Kubernetes Dashboard in Cloud

I'm following this documentation for deploying the Kubernetes Dashboard: https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
Question # 1:
The instructions only cover running the dashboard locally. Is there any tutorial for deploying it in the cloud (Azure, AWS)? If not, do we have to manually expose a load balancer / ingress in front of the dashboard service?
Question # 2:
The instructions mention running kubectl proxy in order to enable access to the dashboard. If deploying to the cloud, do we need to run that as a process in the background?
Regarding question 1:
You can deploy this dashboard to a cloud of course; for AWS you could set up EKS or an EC2 instance and deploy your application or this dashboard directly.
You will need to set up a Service, NodePort or LoadBalancer. Use your VM IP as the IP and the NodePort as the port exposed to the outside world, or, if you decide to create a load balancer, use the endpoint of the service (kubectl get endpoints -n <service_namespace>) and the load balancer port.
For question 2, I'm not sure about the proxy; maybe my answer for question 1 is enough. But the documentation knows better.

How to integrate AWS api gateway with EKS cluster to access the microservices deployed on cluster IP using ELB

I have created an EKS cluster, created 2 nodes in that cluster, and deployed a few microservices on ClusterIP.
As ClusterIP is only internally accessible, I wanted to configure it with AWS API Gateway using an ELB.
When you create an Ingress in Kubernetes, it automatically creates a load balancer for the Ingress.
If you are using Route 53 as your DNS manager, then after you have created an Ingress you can add an A record to point to the newly created Application Load Balancer.
Please refer to the AWS document here to create ingress controllers:
https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
One solution to the problem is to change the service to a private NLB using the load balancer controller and then link this NLB to API Gateway via a VPC link.
Further process and documentation for the process can be found here

How to integrate Active Directory/AWS IAM to EKS Kubernetes Dashboard access

We have a Kubernetes dashboard created in the kube-system namespace in AWS EKS. We are allowing access to the Kubernetes dashboard by allowing the IP on the inbound rule of the Kubernetes Dashboard ALB security group. Is there a way we can integrate Active Directory or AWS IAM so that users authenticate to the Kubernetes dashboard instead of IP-based access?
Yes, we are integrating AD for the K8s dashboard. You have to configure Dex as an OIDC provider and use the LDAP connector.
Below are links which can guide you:
Dex.
https://github.com/dexidp/dex
What is dex?
https://thenewstack.io/kubernetes-single-sign-one-less-identity/
Guide to configure
https://theithollow.com/2020/01/21/active-directory-authentication-for-kubernetes-clusters/

Is it possible to access the Kubernetes dashboard directly in the browser in Azure Kubernetes Service (AKS) (without additional commands)

When I run kubectl cluster-info in AKS I get this:
kubernetes-dashboard is running at https://clusterUrl/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy
This URL is reachable in the browser, but only returns 401.
I am wondering if it is possible to log in to Azure in some way so that this URL is accessible? It would be quite convenient to access it directly.
Using kubectl proxy, you can access the dashboard:
[root#ae740dbd82bf /]# kubectl proxy
Starting to serve on 127.0.0.1:8001
Open your browser and navigate to
http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
If you want to access it externally then you have two choices:
Define the service port as NodePort. Then you would be able to access the dashboard on any CLUSTER_HOST:NODEPORT
Deploy an ingress controller and define a rule between the dashboard DNS name and the dashboard Kubernetes Service

Accessing Kubernetes API via Kubernetes Dashboard Host

So the idea is that the Kubernetes dashboard accesses the Kubernetes API to give us beautiful visualizations of the different 'kinds' running in the Kubernetes cluster, and the method by which we access the Kubernetes dashboard is the proxy mechanism of the Kubernetes API, which can then be exposed on a public host for public access.
My question would be: is there any possibility that we can access the Kubernetes API proxy mechanism for some other service inside a Kubernetes cluster via that publicly exposed address of the Kubernetes Dashboard?
Sure you can. After you set up your proxy with kubectl proxy, you can access services with this format:
http://localhost:8001/api/v1/namespaces/kube-system/services/<service-name>:<port-name>/proxy/
For example, for http-svc and port name http:
http://localhost:8001/api/v1/namespaces/default/services/http-svc:http/proxy/
Note: it's not necessarily for public access, but rather a proxy for you to connect from your public machine (say your laptop) to a private Kubernetes cluster.
You can do it by changing your Service to NodePort:
$ kubectl -n kube-system edit service kubernetes-dashboard
You should see the YAML representation of the Service. Change type: ClusterIP to type: NodePort and save the file.
Note: This way of accessing the Dashboard is only possible if you choose to install your user certificates in the browser. The certificates used by the kubeconfig file to contact the API server can be used.
Please check the following articles and URLs for better understanding:
Stackoverflow thread
Accessing Dashboard 1.7.X and above
Deploying a publicly accessible Kubernetes Dashboard
How to access kubernetes dashboard from outside cluster
Hope it will help you!
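The NodePort edit in this answer, the NodePort / LoadBalancer options in the earlier "Deploying Kubernetes Dashboard in Cloud" answer, and the Ingress rule mentioned for AKS all publish the Dashboard outside the cluster. The Python below is an added example, not code from this thread or from the Kubernetes project: it walks a set of manifests (constructed inline, in the dict form a YAML loader returns) and reports NodePort Services, LoadBalancer Services without a loadBalancerSourceRanges allow list, the Dashboard Service itself when it is exposed, and Ingress paths that route to the Dashboard with or without a tls: entry. The service name kubernetes-dashboard and the sample hostname, ports and CIDR are assumptions.

```python
"""Report how manifests expose the Kubernetes Dashboard (added example, not from the thread)."""

DASHBOARD = "kubernetes-dashboard"          # Service name used throughout the thread
EXPOSED_TYPES = {"NodePort", "LoadBalancer"}

# Constructed sample manifests, in the dict form a YAML loader would return.
MANIFESTS = [
    {   # the Dashboard Service after "type: ClusterIP" was edited to NodePort
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": DASHBOARD, "namespace": "kube-system"},
        "spec": {"type": "NodePort", "selector": {"k8s-app": DASHBOARD},
                 "ports": [{"port": 443, "targetPort": 8443, "nodePort": 30443}]},
    },
    {   # an Ingress rule from a hostname to the Dashboard Service, no tls: section
        "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
        "metadata": {"name": "dashboard", "namespace": "kube-system"},
        "spec": {"rules": [{"host": "dashboard.example.test", "http": {"paths": [
            {"path": "/", "pathType": "Prefix",
             "backend": {"service": {"name": DASHBOARD, "port": {"number": 443}}}}]}}]},
    },
    {   # an application Service published through a cloud load balancer, no source limit
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": "keycloak", "namespace": "default"},
        "spec": {"type": "LoadBalancer", "ports": [{"port": 8080}]},
    },
    {   # the same Service with a source allow list; produces no finding
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": "keycloak-restricted", "namespace": "default"},
        "spec": {"type": "LoadBalancer", "ports": [{"port": 8080}],
                 "loadBalancerSourceRanges": ["203.0.113.0/24"]},
    },
    {   # plain ClusterIP Service; produces no finding
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": "http-svc", "namespace": "default"},
        "spec": {"type": "ClusterIP", "ports": [{"port": 80}]},
    },
]


def _ref(manifest):
    meta = manifest.get("metadata", {})
    return f"{manifest.get('kind')} {meta.get('namespace', 'default')}/{meta.get('name')}"


def check_service(manifest, dashboard=DASHBOARD):
    """Findings for one Service manifest; ClusterIP Services never produce any."""
    spec = manifest.get("spec", {})
    svc_type = spec.get("type", "ClusterIP")  # ClusterIP is the API default when omitted
    findings = []
    if svc_type not in EXPOSED_TYPES:
        return findings
    if svc_type == "NodePort":
        findings.append(f"{_ref(manifest)}: NodePort listens on every node; only node firewalls can limit sources")
    elif not spec.get("loadBalancerSourceRanges"):
        findings.append(f"{_ref(manifest)}: LoadBalancer without loadBalancerSourceRanges (no source allow list)")
    if manifest.get("metadata", {}).get("name") == dashboard:
        findings.append(f"{_ref(manifest)}: the Dashboard itself is published outside the cluster")
    return findings


def check_ingress(manifest, dashboard=DASHBOARD):
    """Findings for one Ingress manifest: every path whose backend is the Dashboard Service."""
    spec = manifest.get("spec", {})
    tls_hosts = {h for entry in spec.get("tls", []) for h in entry.get("hosts", [])}
    findings = []
    for rule in spec.get("rules", []):
        host = rule.get("host", "*")
        for p in rule.get("http", {}).get("paths", []):
            backend = p.get("backend", {}).get("service", {}).get("name")
            if backend == dashboard:
                tls = "with TLS" if host in tls_hosts else "without a tls: entry for this host"
                findings.append(f"{_ref(manifest)}: {host}{p.get('path', '/')} routes to the Dashboard {tls}")
    return findings


def exposure_findings(manifests):
    """Run both checks over a list of manifests and return the combined findings."""
    findings = []
    for m in manifests:
        if m.get("kind") == "Service":
            findings.extend(check_service(m))
        elif m.get("kind") == "Ingress":
            findings.extend(check_ingress(m))
    return findings


if __name__ == "__main__":
    for finding in exposure_findings(MANIFESTS):
        print(finding)
```

The check deliberately treats NodePort differently from LoadBalancer: a NodePort has no in-manifest way to restrict who may connect, so the only mitigation is a node-level firewall or security group, whereas a LoadBalancer Service can carry loadBalancerSourceRanges on clouds that honour it.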
Exposing the Kubernetes Dashboard is not secure at all, but your answer is about the K8s API server, which needs to be accessible by external services.
The right answer differs according to your platform and infrastructure, but as general points:
[Network Security] Limit public IP reachability to the K8s API server(s) / load balancer, if one exists, as a whitelist mechanism
[Network Security] Private-to-private reachability is better, like a VPN or AWS PrivateLink
[API Security] Limit privileges by ClusterRole/Role to enforce RBAC; better to keep it to read-only verbs { get, list }
[API Security] Enable audit logging for K8s components to keep track of events and actions
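The proxy path format from the first answer in this thread and the audit-logging and read-only-verb points in the comment above combine into a small detection check. The Python below is an added example, not code from this thread or from the Kubernetes project: it reads API-server audit events in JSON-lines form (constructed inline, trimmed to the fields used), picks out requests that travel through /api/v1/namespaces/<ns>/services/<id>/proxy, splits <id> into the [scheme:]name[:port] form the thread's URLs use, and flags events whose verb is outside { get, list } or whose source IP is outside an allow list. The splitting rule is my reading of the path format shown in the answers, and the usernames, IPs and allow-list CIDR are constructed.

```python
"""Flag API-server proxy requests in audit events (added example, not from the thread)."""
import json
import re
from ipaddress import ip_address, ip_network

# Proxy path used in the thread: /api/v1/namespaces/<ns>/services/<id>/proxy/...
PROXY_RE = re.compile(r"^/api/v1/namespaces/([^/]+)/services/([^/]+)/proxy(/.*)?$")
READ_ONLY_VERBS = {"get", "list"}  # the verbs the comment recommends allowing

# Constructed audit events (audit.k8s.io/v1 shape, trimmed to the fields used here).
SAMPLE_EVENTS = [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
     "user": {"username": "alice"}, "sourceIPs": ["203.0.113.10"],
     "requestURI": "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/"},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
     "user": {"username": "bob"}, "sourceIPs": ["198.51.100.7"],
     "requestURI": "/api/v1/namespaces/default/services/http-svc:http/proxy/admin?x=1"},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "list",
     "user": {"username": "alice"}, "sourceIPs": ["203.0.113.10"],
     "requestURI": "/api/v1/namespaces/default/pods"},  # not a proxy request
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def split_service_id(service_id):
    """Split '[scheme:]name[:port]' as it appears in the proxy path (my reading of the format)."""
    parts = service_id.split(":")
    if len(parts) == 1:
        return "", parts[0], ""
    if len(parts) == 2:
        return "", parts[0], parts[1]
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    raise ValueError(f"malformed service id: {service_id!r}")


def parse_proxy_event(event):
    """Return the proxied target for a proxy request, or None for any other request."""
    uri = event.get("requestURI", "").split("?", 1)[0]  # drop the query string
    match = PROXY_RE.match(uri)
    if match is None:
        return None
    namespace, service_id, path = match.groups()
    scheme, name, port = split_service_id(service_id)
    return {
        "user": event.get("user", {}).get("username", "<unknown>"),
        "source": (event.get("sourceIPs") or ["<unknown>"])[0],
        "verb": event.get("verb", ""),
        "namespace": namespace, "scheme": scheme, "service": name, "port": port,
        "path": path or "/",
    }


def _source_allowed(source, networks):
    try:
        addr = ip_address(source)
    except ValueError:
        return False  # unparseable source: treat as not allowed
    return any(addr in net for net in networks)


def proxy_findings(lines, allowed_sources=()):
    """One record per proxy request, with the reasons (if any) it deserves a look."""
    networks = [ip_network(cidr) for cidr in allowed_sources]
    findings = []
    for line in lines:
        if not line.strip():
            continue
        target = parse_proxy_event(json.loads(line))
        if target is None:
            continue
        reasons = []
        if target["verb"] not in READ_ONLY_VERBS:
            reasons.append(f"verb {target['verb']} is not read-only")
        if networks and not _source_allowed(target["source"], networks):
            reasons.append(f"source {target['source']} is outside the allow list")
        findings.append({**target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in proxy_findings(SAMPLE_LOG.splitlines(), allowed_sources=["203.0.113.0/24"]):
        flag = "ALERT" if f["reasons"] else "ok   "
        print(f"{flag} {f['user']}@{f['source']} {f['verb']} "
              f"{f['namespace']}/{f['scheme'] or '-'}:{f['service']}:{f['port'] or '-'}{f['path']}",
              "; ".join(f["reasons"]))
```

Every proxy request is recorded, not only the flagged ones, so the output doubles as an inventory of which in-cluster services are being reached through the API server; the two flags map directly onto the network allow-list and read-only RBAC points made in the comment.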