How to integrate Active Directory/AWS IAM to EKS Kubernetes Dashboard access - kubernetes

We have a Kubernetes dashboard created in the kube-system namespace in AWS EKS. We are allowing access to the Kubernetes dashboard by allowing the IP on the inbound rule of the Kubernetes Dashboard ALB security group. Is there a way we can integrate Active Directory or AWS IAM users to authenticate to the Kubernetes dashboard instead of IP-based access?

Yes, we are integrating AD for the K8s dashboard. You have to configure Dex as an OIDC provider and use LDAP as the connector.
Below are links which can guide you:
Dex.
https://github.com/dexidp/dex
What is dex?
https://thenewstack.io/kubernetes-single-sign-one-less-identity/
Guide to configure
https://theithollow.com/2020/01/21/active-directory-authentication-for-kubernetes-clusters/
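As an added, illustrative configuration (not from the answer above, the linked guides, or the Dex project's own documentation), this is the shape of a Dex config that fronts Active Directory over LDAPS and issues OIDC ID tokens carrying the user's AD groups. The hostnames, DNs, client ID, redirect URI, file paths and environment variable names are placeholders to be replaced with your own.

```yaml
# Dex configuration (added example; hostnames, DNs, paths and secrets are placeholders).
issuer: https://dex.example.com          # must match the issuer URL registered with the cluster
storage:
  type: kubernetes
  config:
    inCluster: true
web:
  https: 0.0.0.0:5556
  tlsCert: /etc/dex/tls/tls.crt
  tlsKey: /etc/dex/tls/tls.key
connectors:
- type: ldap
  id: ad
  name: Active Directory
  config:
    host: ad.example.com:636           # LDAPS; do not fall back to 389 with insecureNoSSL
    insecureNoSSL: false
    insecureSkipVerify: false
    rootCA: /etc/dex/ldap/ca.crt       # CA that signed the domain controller certificate
    bindDN: CN=dex-bind,OU=ServiceAccounts,DC=example,DC=com
    bindPW: $LDAP_BIND_PW              # Dex expands env vars; keep the password out of the file
    usernamePrompt: AD username
    userSearch:
      baseDN: OU=Users,DC=example,DC=com
      filter: "(objectClass=person)"
      username: sAMAccountName         # what the user types at the login form
      idAttr: DN
      emailAttr: userPrincipalName     # becomes the token's email claim
      nameAttr: cn
    groupSearch:
      baseDN: OU=Groups,DC=example,DC=com
      filter: "(objectClass=group)"
      userMatchers:
      - userAttr: DN
        groupAttr: member              # AD groups list their members' DNs
      nameAttr: cn                     # group cn values become the token's groups claim
staticClients:
- id: kubernetes
  name: Kubernetes
  secret: $DEX_CLIENT_SECRET
  redirectURIs:
  - https://login.example.com/callback # the kubeconfig helper or dashboard front-end
oauth2:
  skipApprovalScreen: true
```

On EKS you cannot set the kube-apiserver's `--oidc-*` flags yourself; the equivalent is to register the issuer with the managed control plane, for example `aws eks associate-identity-provider-config --cluster-name <cluster> --oidc identityProviderConfigName=dex,issuerUrl=https://dex.example.com,clientId=kubernetes,usernameClaim=email,groupsClaim=groups,groupsPrefix=oidc:`. The issuer URL has to be reachable over HTTPS by the control plane so it can fetch the discovery document and signing keys, and the `groupsPrefix` keeps AD group names from colliding with the built-in `system:` groups when you bind them with RBAC. Only groups that match `groupSearch` end up in the token, so a user whose groups live under a different OU will authenticate but be bound to nothing.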

Related

Deploying keycloak using digitalocean kubernetes

I have deployed my Keycloak application to Kubernetes, and using the external IP from the Kubernetes service I am able to access the application. But when I click Administration Console, it shows "HTTPS required". How do I access the master realm?

Integrate Amazon API Gateway with Amazon EKS

I'm integrating API Gateway with EKS using CDK,
following this architecture as below.
I'm using the ALB Controller, which provisions an NLB when I deploy a k8s service with type LoadBalancer.
The problem is, how can I know when the NLB has been provisioned, how do I get its "object reference", and how do I connect it to a VPC link for API Gateway resources to access?
Can you please help with a CDK sample?

How to integrate AWS api gateway with EKS cluster to access the microservices deployed on cluster IP using ELB

I have created an EKS cluster, created 2 nodes in that cluster, and deployed a few microservices on a cluster IP.
As the cluster IP is only internally accessible, I wanted to configure it with AWS API Gateway using an ELB.
When you create an ingress in Kubernetes, it automatically creates a load balancer for the ingress.
If you are using Route 53 as your DNS manager, then after you have created an ingress you can add an A record to point to the newly created Application Load Balancer.
Please refer to the AWS document here to create ingress controllers:
https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
One solution to the problem is to change the service to a private NLB using the load balancer controller and then link this NLB to API Gateway via a VPC link.
Further process and documentation for the process can be found here
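The two options from the answer above, written out as added example manifests (these are not from the answer or from the AWS Load Balancer Controller documentation; the `shop` namespace, `orders` service, hostname, ports and the ACM certificate ARN are placeholders). The first is an Ingress that the controller turns into an ALB; the second is a Service that it turns into an internal NLB, which is the kind of endpoint an API Gateway VPC link can target.

```yaml
# Added example manifests; names, namespace, ports and the certificate ARN are placeholders.
# 1) ALB in front of a ClusterIP service, built by the AWS Load Balancer Controller.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: orders
  namespace: shop
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing   # use "internal" if it must not get a public IP
    alb.ingress.kubernetes.io/target-type: ip            # route straight to pod IPs, no NodePort hop
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/REPLACE-ME
spec:
  ingressClassName: alb
  rules:
  - host: orders.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: orders
            port:
              number: 80
---
# 2) The same backend exposed through a private NLB for an API Gateway VPC link.
apiVersion: v1
kind: Service
metadata:
  name: orders-private
  namespace: shop
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: external       # controller, not the legacy in-tree provider
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-scheme: internal     # reachable only from inside the VPC
spec:
  type: LoadBalancer
  selector:
    app: orders
  ports:
  - port: 80
    targetPort: 8080
```

The controller creates the load balancer asynchronously, which is the timing problem raised in the CDK question: nothing in the manifest names the NLB, so the hostname only appears once provisioning finishes, and you read it back with `kubectl -n shop get svc orders-private -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'` before wiring the VPC link. Keeping the scheme `internal` matters for the security posture: the microservices then have no internet-facing path except through API Gateway, where you can apply authorizers and throttling.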

Accessing Kubernetes API via Kubernetes Dashboard Host

So the idea is that the Kubernetes dashboard accesses the Kubernetes API to give us beautiful visualizations of the different 'kinds' running in the Kubernetes cluster, and the method by which we access the Kubernetes dashboard is the proxy mechanism of the Kubernetes API, which can then be exposed on a public host for public access.
My question would be: is there any possibility that we can access the Kubernetes API proxy mechanism for some other service inside a Kubernetes cluster via that publicly exposed address of the Kubernetes Dashboard?
Sure you can. So after you set up your proxy with kubectl proxy, you can access the services with this format:
http://localhost:8001/api/v1/namespaces/kube-system/services/<service-name>:<port-name>/proxy/
For example for http-svc and port name http:
http://localhost:8001/api/v1/namespaces/default/services/http-svc:http/proxy/
Note: it's not necessarily for public access, but rather a proxy for you to connect from your public machine (say your laptop) to a private Kubernetes cluster.
You can do it by changing your service to NodePort:
$ kubectl -n kube-system edit service kubernetes-dashboard
You should see yaml representation of the service. Change type: ClusterIP to type: NodePort and save file.
Note: This way of accessing Dashboard is only possible if you choose to install your user certificates in the browser. Certificates used by kubeconfig file to contact API Server can be used.
Please check the following articles and URLs for better understanding:
Stackoverflow thread
Accessing Dashboard 1.7.X and above
Deploying a publicly accessible Kubernetes Dashboard
How to access kubernetes dashboard from outside cluster
Hope it will help you!
Exposing the Kubernetes Dashboard is not secure at all, but your question is about the K8s API Server, which needs to be accessible by external services.
The right answer differs according to your platform and infrastructure, but as general points:
[Network Security] Limit public IP reachability to the K8s API Server(s) / load balancer, if one exists, with a whitelist mechanism
[Network Security] Private-to-private reachability is better, like a VPN or AWS PrivateLink
[API Security] Limit privileges by ClusterRole/Role to enforce RBAC; better to keep it to read-only verbs { get, list }
[API Security] Enable audit logging for K8s components to keep track of events and actions
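The RBAC point above, as an added example (not code from the answer or from the Kubernetes Dashboard project): a cluster-wide read-only role and a binding that grants it to one group carried in the OIDC `groups` claim. The role name, the group name `oidc:k8s-dashboard-readers` and the `oidc:` prefix are assumptions; the prefix only exists if the API server or the EKS identity provider config was set up with `groupsPrefix=oidc:`.

```yaml
# Added example: read-only RBAC for a dashboard audience. Names and the group prefix are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-readonly
rules:
- apiGroups: [""]
  resources: [pods, pods/log, services, endpoints, configmaps, namespaces, nodes, events, persistentvolumeclaims]
  verbs: [get, list, watch]            # watch is what the dashboard's live views use
- apiGroups: [apps]
  resources: [deployments, replicasets, statefulsets, daemonsets]
  verbs: [get, list, watch]
- apiGroups: [batch]
  resources: [jobs, cronjobs]
  verbs: [get, list, watch]
- apiGroups: [networking.k8s.io]
  resources: [ingresses, networkpolicies]
  verbs: [get, list, watch]
# Deliberately absent: secrets (a single "get" discloses credentials), pods/exec,
# pods/portforward, and every create/update/patch/delete verb.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-readonly-ad-readers
subjects:
- kind: Group
  name: oidc:k8s-dashboard-readers     # AD group "k8s-dashboard-readers" after the oidc: prefix
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: dashboard-readonly
  apiGroup: rbac.authorization.k8s.io
```

Check the result from the cluster's point of view before anyone logs in: `kubectl auth can-i list pods --as=alice --as-group=oidc:k8s-dashboard-readers` should answer `yes`, while `kubectl auth can-i get secrets --as=alice --as-group=oidc:k8s-dashboard-readers` and `kubectl auth can-i create pods/exec --as=alice --as-group=oidc:k8s-dashboard-readers` should both answer `no`. Note that `configmaps` are readable here; if your teams keep credentials in ConfigMaps rather than Secrets, drop that resource too.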

What's the purpose of Kubernetes ServiceAccount

I've read the documentation, I've seen examples, but I don't know why I would add a serviceAccount to my pods.
The 'elasticsearch' example from Kubernetes (https://github.com/kubernetes/kubernetes/tree/master/examples/elasticsearch) has a service account 'elasticsearch'; what does it grant?
Thank you.
The service accounts inject authentication credentials into the pod to talk to the Kubernetes service (e.g. the apiserver).
This is important if you are building an application that needs to inspect the pods/services/controllers that are running in the cluster to have correct behavior. For example, the kube2sky container watches services and endpoints to provide DNS within the cluster by connecting to the Kubernetes service.
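An added example of the pattern the answer describes (not code from the answer, the elasticsearch example, or kube2sky): a dedicated ServiceAccount for a pod that watches Services and Endpoints, the RBAC rules that make its injected token useful for exactly that and nothing else, and, beside it, a pod that needs no API access and therefore gets no token. The namespace, names and container images are placeholders.

```yaml
# Added example: a least-privilege ServiceAccount for a service/endpoint watcher. Names and images are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: svc-watcher
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: svc-watcher
rules:
- apiGroups: [""]
  resources: [services, endpoints]
  verbs: [get, list, watch]          # enough to mirror cluster services into DNS; no writes, no secrets
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: svc-watcher
subjects:
- kind: ServiceAccount
  name: svc-watcher
  namespace: default
roleRef:
  kind: ClusterRole
  name: svc-watcher
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: svc-watcher
  namespace: default
spec:
  serviceAccountName: svc-watcher    # token, ca.crt and namespace land under /var/run/secrets/kubernetes.io/serviceaccount/
  automountServiceAccountToken: true
  containers:
  - name: watcher
    image: example/svc-watcher:1.0   # placeholder image
---
# Counterpart: a pod that never talks to the API server should not carry a token at all.
apiVersion: v1
kind: Pod
metadata:
  name: static-site
  namespace: default
spec:
  automountServiceAccountToken: false
  containers:
  - name: web
    image: nginx:1.25
```

Inside the watcher pod, a client sends the mounted token as `Authorization: Bearer` to `https://kubernetes.default.svc` and verifies the server against the mounted `ca.crt`; that is all "injecting authentication credentials" means in practice. Authentication alone grants nothing: with RBAC enabled, a ServiceAccount with no binding can identify itself and do nothing else, which is why the elasticsearch example's account is only meaningful together with whatever role is bound to it. The `automountServiceAccountToken: false` counterpart closes the common gap where every pod in a namespace silently receives the `default` account's token and any compromise of that pod becomes an API-server foothold.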