How to configure Basic Authentication Configuration in Kubernetes Dashboard - kubernetes

How to configure Basic Authentication Configuration in Kubernetes Dashboard. I have done the steps below:
Added --authentication-mode=basic in the Kubernetes Dashboard deployment YAML.
Configured the API server (inside /etc/kubernetes/manifests/kube-apiserver.yaml) with authorization mode ABAC and --basic-auth-file pointing to a file whose contents look like "userpass,username,uid".
But I am still unable to get the result. Whatever I write (even random letters) in the username and password fields, I am able to log in to the dashboard, with no access to resources after that.

One way to achieve this is by fronting the dashboard service with a Traefik ingress controller. Set basic auth in the Traefik deployment file and create an ingress rule for the dashboard service.
You can also use the nginx ingress controller.
The link below would be helpful:
https://github.com/kubernetes-retired/contrib/tree/master/ingress/controllers/nginx/examples/auth

Related

I want to create a user in kubernetes with username and password. I tried googling but could find only creating user using cert key

I am a newbie to K8s and still testing things. I have got Prometheus running outside my cluster. I am using admin creds to hit the kube API server to get metrics into my Prometheus, which at the moment is working fine.
I want to create another user only to scrape metrics. While searching, I could not find any documentation on creating a user with a user ID and password.
Also, we are managing our repo in GitLab with a pipeline. Is it possible to create a user using YAML config instead of kubectl as given in the documentation?
Thanks
Eswar
According to Prometheus docs:
Prometheus does not directly support basic authentication (aka "basic auth") for connections to the Prometheus expression browser and HTTP API. If you'd like to enforce basic auth for those connections, we recommend using Prometheus in conjunction with a reverse proxy and applying authentication at the proxy layer.
In the link above there is a step-by-step guide on how to set up an nginx reverse proxy in front of Prometheus.
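Both the ingress answer further up and this reverse-proxy answer place basic auth at a proxy layer. The check below is an added example, not code from either post or from the Prometheus docs: it confirms that a proxy answers missing and wrong credentials with 401 and valid ones with 200. The stand-in server, the credentials and all function names are constructed for the demo.

```python
import base64
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

GOOD = ("admin", "constructed-password")  # constructed sample credentials
# Bypass any system proxy settings so the probe reaches the target directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class StandInProxy(BaseHTTPRequestHandler):
    """Constructed local stand-in for a proxy that enforces basic auth."""
    def do_GET(self):
        sent = self.headers.get("Authorization", "")
        ok = hmac.compare_digest(sent.encode(), basic(*GOOD).encode())
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="protected"')
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_stand_in():
    """Serve StandInProxy on a free loopback port; return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), StandInProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/"

def status(url, creds=None):
    """HTTP status of a GET sent with the given (user, password), if any."""
    req = urllib.request.Request(url)
    if creds:
        req.add_header("Authorization", basic(*creds))
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def proxy_enforces_auth(url, good_creds):
    """True only if missing and wrong credentials get 401 and good ones 200."""
    wrong = (good_creds[0], good_creds[1] + "-wrong")
    return (status(url) == 401 and status(url, wrong) == 401
            and status(url, good_creds) == 200)
```

Point `proxy_enforces_auth` at your own proxy URL with the credentials you configured; a `False` result means some request was not answered as expected and the proxy configuration needs another look.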

How can I pass a dynamic IP address in a Keycloak realm redirect URL?

I have created a Keycloak Docker image and deployed it in Kubernetes on my on-premise server, and set up localhost: as the redirect URLs. When I am accessing it from other systems, it should be the IP address of that system instead of localhost. Could you please help me to get a dynamic IP set up in my Keycloak from a Kubernetes script?
I think you can just set the redirectUris in your realm config to *. Otherwise each system to be accessible needs to be added to the realm, which you can do from the admin console or through the API.
In Activiti we distribute a keycloak helm chart with a custom realm for activiti installations. In that we set redirectUris to * and allow that to be overridden at install time. We're doing that in a helm chart but if you weren't using a helm template then you could do a sed to replace a string. But that is for a shareable distribution. If you've just got a single installation then I'd expect you to be adding applications/clients to the realm through the console or API.
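The install-time override mentioned above, as an added example (not the Activiti chart or Keycloak code): it replaces a `*` entry in a realm export with explicit per-host URIs and lists any client whose redirect targets are still not tied to a fixed host. The realm JSON, host names and function names are constructed; the `clients`, `clientId` and `redirectUris` fields follow Keycloak's realm JSON.

```python
import copy
import json
from urllib.parse import urlsplit

# Constructed realm export for the demo.
REALM_TEMPLATE = json.loads("""
{"realm": "demo",
 "clients": [
   {"clientId": "dashboard-ui", "redirectUris": ["*"]},
   {"clientId": "reports", "redirectUris": ["https://reports.example.test/*"]}
 ]}
""")


def is_explicit(uri):
    """True if uri has a fixed http(s) scheme and host (wildcard only in path)."""
    parts = urlsplit(uri)
    return (parts.scheme in ("http", "https") and bool(parts.hostname)
            and "*" not in parts.netloc)


def wildcard_clients(realm):
    """Client IDs with at least one redirect URI not tied to a fixed host."""
    return [c["clientId"] for c in realm.get("clients", [])
            if not all(is_explicit(u) for u in c.get("redirectUris", []))]


def pin_redirect_uris(realm, client_id, base_urls):
    """Return a copy of realm where client_id redirects only to base_urls."""
    pinned = []
    for base in base_urls:
        if "*" in base or not is_explicit(base):
            raise ValueError(f"not an explicit base URL: {base!r}")
        pinned.append(base.rstrip("/") + "/*")  # wildcard limited to the path
    result = copy.deepcopy(realm)
    matches = [c for c in result["clients"] if c["clientId"] == client_id]
    if not matches:
        raise KeyError(client_id)
    matches[0]["redirectUris"] = pinned
    return result
```

Run `wildcard_clients` over the rendered realm in the deployment pipeline so an installation that never overrode the default is caught before it ships.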

Using KeyCloak Gateway in a K8S Cluster

I have KeyCloak Gateway running successfully locally providing Google OIDC authentication for the Kubernetes dashboard. However using the same settings results in an error when the app is deployed as a pod in the cluster itself.
The error I see when the Gateway is running in a K8S pod is:
unable to exchange code for access token {"error": "invalid_request: Credentials in post body and basic Authorization header do not match"}
I'm calling the gateway with the following options:
--enable-logging=true
--enable-self-signed-tls=true
--listen=:443
--upstream-url=https://mydashboard
--discovery-url=https://accounts.google.com
--client-id=<client id goes here>
--client-secret=<secret goes here>
--resources=uri=/*
With these settings applied to a container in a pod I can browse to the Gateway, am redirected to Google to log in, and then am redirected back to the Gateway where the error above is generated.
What could account for the difference between running the application locally and running it in a pod that would generate the above error?
This turned out to be a copy/paste fail in the end, with the client secret being incorrect. The error message wasn't much help here, but at least it was a simple fix.

Kubernetes Dashboard: Service Accounts

Is it possible to view Service Accounts via the Kubernetes Dashboard?
I can see a token that was created for the Service Account under Secrets but struggling to actually find the Service Account listed anywhere.
There is no way to list all Service Accounts under a specific submenu in Kubernetes Dashboard, but you can view the owner Service Account of Secrets by clicking on them, under the Details/Annotations: section, as kubernetes.io/service-account.name: <service-account-name>
For additional information, you can visit below links:
Web UI (Dashboard).
And also for github project https://github.com/kubernetes/dashboard/
Hope it will be useful for you

How can I access the API static via basic auth to a Kubernetes cluster on GCE

I know it's possible to access the static views of the api, but I can't find out the basic auth details that I need to login via the browser. Where can I find these? I'm on GCE and created a cluster.
Run kubectl config view. It'll dump out the auth information used to access your cluster, including the basic auth username and password.