Task weight: 3%
Use context: kubectl config use-context workload-prod
The Kubernetes Dashboard is installed in Namespace kubernetes-dashboard and is configured to:
- Allow users to "skip login"
- Allow insecure access (HTTP without authentication)
- Allow basic authentication
- Allow access from outside the cluster
You are asked to make it more secure by:
- Deny users the option to "skip login"
- Deny insecure access, enforce HTTPS (self-signed certificates are ok for now)
- Add the --auto-generate-certificates argument
- Enforce authentication using a token (with possibility to use RBAC)
- Allow only cluster internal access
Solution
Inspect the kubernetes-dashboard Namespace first (k is an alias for kubectl):
k -n kubernetes-dashboard get pod,svc
k get node -o wide
Fix: back up the Deployment manifest, then edit it:
k -n kubernetes-dashboard get deploy kubernetes-dashboard -oyaml > 8_deploy_kubernetes-dashboard.yaml
k -n kubernetes-dashboard edit deploy kubernetes-dashboard
  template:
    spec:
      containers:
      - args:
        - --namespace=kubernetes-dashboard
        - --authentication-mode=token    # delete this line or set it to token (token is the default)
        - --auto-generate-certificates   # add
        #- --enable-skip-login=true      # delete, or set to false
        #- --enable-insecure-login       # delete
        image: kubernetesui/dashboard:v2.0.3
        imagePullPolicy: Always
        name: kubernetes-dashboard
Back up the Service manifest, then edit it so the Dashboard is no longer reachable from outside the cluster:
k -n kubernetes-dashboard get svc kubernetes-dashboard -o yaml > 8_svc_kubernetes-dashboard.yaml
k -n kubernetes-dashboard edit svc kubernetes-dashboard
spec:
  clusterIP: 10.107.176.19
  externalTrafficPolicy: Cluster   # delete
  internalTrafficPolicy: Cluster
  ports:
  - name: http
    nodePort: 32513                # delete
    port: 9090
    protocol: TCP
    targetPort: 9090
  - name: https
    nodePort: 32441                # delete
    port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: ClusterIP                  # change to ClusterIP, or delete the field (ClusterIP is the default)
status:
  loadBalancer: {}
Verify: start a temporary Pod and access the Service from inside the cluster. The first curl fails certificate verification because the certificate is self-signed; curl -k skips verification and should return the Dashboard page over HTTPS.
k run tmp --image=nginx:1.19.2 --restart=Never --rm -it -- bash
curl https://kubernetes-dashboard.kubernetes-dashboard
curl -k https://kubernetes-dashboard.kubernetes-dashboard
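As an added check that is not part of the original solution: a small Python audit of the Deployment and Service objects against the five requirements above. It expects the dictionaries produced by `kubectl get deploy/svc -o json`; the sample objects below are constructed to mirror the manifests shown in this task, not real cluster output.

```python
import json

def dashboard_findings(deploy: dict, svc: dict) -> list:
    """Return a list of hardening findings; an empty list means the Dashboard is compliant."""
    findings = []
    containers = deploy["spec"]["template"]["spec"]["containers"]
    dash = next(c for c in containers if c["name"] == "kubernetes-dashboard")
    args = {}
    for a in dash.get("args", []):
        key, _, val = a.partition("=")
        args[key] = val or "true"          # a bare boolean flag (no "=") means true
    if args.get("--enable-skip-login", "false") == "true":
        findings.append("skip login enabled: remove --enable-skip-login or set it to false")
    if args.get("--enable-insecure-login", "false") == "true":
        findings.append("insecure HTTP login enabled: remove --enable-insecure-login")
    if "--auto-generate-certificates" not in args:
        findings.append("missing --auto-generate-certificates: HTTPS is not enforced")
    modes = set(args.get("--authentication-mode", "token").split(","))  # token is the default
    if modes != {"token"}:
        findings.append(f"authentication-mode {sorted(modes)}: must be token only (no basic auth)")
    if svc["spec"].get("type", "ClusterIP") != "ClusterIP":
        findings.append(f"service type {svc['spec']['type']}: must be ClusterIP (internal access only)")
    if any("nodePort" in p for p in svc["spec"].get("ports", [])):
        findings.append("nodePort set on a service port: remove it")
    return findings

# Constructed sample objects (shape of `kubectl get ... -o json`), not real cluster data.
INSECURE_DEPLOY = {"spec": {"template": {"spec": {"containers": [{
    "name": "kubernetes-dashboard",
    "args": ["--namespace=kubernetes-dashboard", "--authentication-mode=basic,token",
             "--enable-skip-login=true", "--enable-insecure-login"]}]}}}}
INSECURE_SVC = {"spec": {"type": "NodePort", "ports": [
    {"name": "http", "port": 9090, "nodePort": 32513},
    {"name": "https", "port": 443, "nodePort": 32441}]}}
HARDENED_DEPLOY = {"spec": {"template": {"spec": {"containers": [{
    "name": "kubernetes-dashboard",
    "args": ["--namespace=kubernetes-dashboard", "--authentication-mode=token",
             "--auto-generate-certificates"]}]}}}}
HARDENED_SVC = {"spec": {"type": "ClusterIP", "ports": [
    {"name": "http", "port": 9090}, {"name": "https", "port": 443}]}}

if __name__ == "__main__":
    for label, d, s in (("insecure", INSECURE_DEPLOY, INSECURE_SVC),
                        ("hardened", HARDENED_DEPLOY, HARDENED_SVC)):
        print(label, json.dumps(dashboard_findings(d, s) or "OK", indent=2))
```

On a live cluster, feed it `kubectl -n kubernetes-dashboard get deploy kubernetes-dashboard -o json` and the matching Service JSON via json.load.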