On my macOS I can use the commands below to launch the Kubernetes dashboard:
# launch k8s dashboard
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended.yaml
# Enable the local access proxy, listening on port 8001 by default
$ kubectl proxy
I have a question about this: why is there a $ kubectl proxy command?
When the dashboard is launched, does it not listen on a port by default? Why should there be a proxy?
This command allows the dashboard to call the Kubernetes API Server. It handles locating the API server and authenticating: see https://kubernetes.io/docs/using-kubectl-proxy
Without it, the dashboard will not be able to connect to the API Server since its endpoint is unknown (from the dashboard's perspective).
If you want to use the API Server endpoint directly, you will have to add an authentication token to each request and you will also have to configure CORS on the Kubernetes API Server. See the option --cors-allowed-origins: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
Related
I am trying to deploy neo4j in k8. When I try to use port forward, I am able to access the cypher-shell along with the neo4j browser on localhost, but if I expose my service in k8 and try to access it via bolt (neo4j browser), I get an error:
ServiceUnavailable: WebSocket connection failure. Due to security constraints in your web browser...
Any idea how I can access the bolt port via the neo4j browser without forwarding the port to localhost?
I want to connect to my OpenShift Origin instance, but via Eclipse. I installed CodeReady Studio in Eclipse and logged in to the Red Hat OpenShift extension for Eclipse. However, when I want to set up server adapters and start port forwarding, it shows the following error:
OpenShiftBinaryCapability process exited: error: specifying a root certificates file with the insecure flag is not allowed
*The location for OC is C:\CLI*
Try changing your ~/.kube/config so that it specifies a cluster with insecure-skip-tls-verify: true.
Use the following command to set --insecure-skip-tls-verify=true in the C:\Users\username.kube folder:
kubectl config set-cluster clustername --server=https://Openshift IP:8443 --insecure-skip-tls-verify=true
"insecure-skip-tls-verify" allows interaction with an HTTPS server bypassing the server certificate checks; however, note that it is not secure. If you try to oc login to a HTTPS server that does not provide a valid certificate, and this or the --certificate-authority flags were not provided
This worked for me.
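As an added example (not part of the original answer and not code from kubectl or OpenShift): a small check for the setting discussed above, run over the JSON form of a kubeconfig as printed by `kubectl config view --raw -o json`. It flags clusters where insecure-skip-tls-verify is enabled, and separately the case where it is combined with a CA entry, which is the combination named in the error message above. The sample config, cluster names, addresses and finding labels are constructed for illustration.

```python
import json

# Constructed sample: JSON form of a kubeconfig. Names, addresses and the
# CA path are made up; "PLACEHOLDER" stands in for real base64 CA data.
SAMPLE_KUBECONFIG = """
{
  "clusters": [
    {"name": "dev-openshift",
     "cluster": {"server": "https://192.0.2.10:8443",
                 "insecure-skip-tls-verify": true}},
    {"name": "conflicting",
     "cluster": {"server": "https://192.0.2.11:8443",
                 "insecure-skip-tls-verify": true,
                 "certificate-authority": "/etc/pki/example-ca.crt"}},
    {"name": "verified",
     "cluster": {"server": "https://192.0.2.12:8443",
                 "certificate-authority-data": "PLACEHOLDER"}}
  ]
}
"""

def audit_clusters(kubeconfig_json):
    """Return {cluster name: [findings]} for TLS verification problems."""
    findings = {}
    for entry in json.loads(kubeconfig_json).get("clusters") or []:
        cluster = entry.get("cluster") or {}
        issues = []
        insecure = cluster.get("insecure-skip-tls-verify") is True
        has_ca = bool(cluster.get("certificate-authority")
                      or cluster.get("certificate-authority-data"))
        if insecure and has_ca:
            # The client refuses this pair: "specifying a root certificates
            # file with the insecure flag is not allowed".
            issues.append("ca-and-insecure-conflict")
        elif insecure:
            # The server certificate is never checked for this cluster.
            issues.append("tls-verification-disabled")
        if not str(cluster.get("server", "")).startswith("https://"):
            issues.append("server-not-https")
        if issues:
            findings[entry.get("name", "<unnamed>")] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_clusters(SAMPLE_KUBECONFIG).items():
        print(f"{name}: {', '.join(issues)}")
```

For a cluster flagged as tls-verification-disabled, the fix that keeps verification on is to remove the flag and point certificate-authority at the CA that signed the API server certificate.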
Project:
Deploy a staging API (Symfony) on a Kubernetes cluster on GCloud
With its services (MariaDB, RabbitMQ ...)
Issue:
All Pods and Services start correctly
Access to the API from outside is problematic:
I deploy the API via a LoadBalancer service and the API is accessible but always removes the header "Authorization" which makes the API unusable.
I deploy the API via a Nginx-Ingress, the set of links to the correct air (the Ingress is well linked to the service and the pods of the API), I receive an external IP, but when I access this IP, the site is inaccessible (requests are lost and do not arrive at the servers).
If you are using Apache with CGI/FastCGI, then you might get an error message about missing authorization headers. This is because Apache does not, by default, pass authorization headers to PHP.
The Fix
You need to edit your Apache site configuration to add a line to your vhost config <VirtualHost> directive.
<VirtualHost>
# ...
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
# ...
</VirtualHost>
Following: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#option-2-use-the-token-option
I want to be able to connect to project / cluster context to our GKE clusters.
Normally, one would use gcloud, and login with a browser, or with a password json file.
Is it possible to authenticate with just a service account token that you can feed into kubectl (without using gcloud)?
I cannot get the above documentation working, doesn't seem to connect me to gcloud as I get:
The connection to the server localhost:8080 was refused - did you specify the right host or port?
Never able to connect outside of a local context.
I'm wondering if this is even possible, to connect to GKE clusters using nothing but a service account token?
Reading the documentation from http://kubernetes.io/docs/admin/kube-proxy/ it doesn't look like I can connect to the apiserver via https.
The same goes for scheduler and controller-manager, but those two maybe are supposed to run on the same machine as the apiserver and can connect via localhost.
But what about the proxy? This is supposed to connect remotely to the apiserver. Is it possible to configure authentication and/or authorization from the proxy to the apiserver?
This is embarrassing. Looks like all daemons support a "--kubeconfig" flag that gives access to public and private key for authorization.