Task weight: 3%

Use context: kubectl config use-context workload-prod

The Kubernetes Dashboard is installed in Namespace kubernetes-dashboard and is configured to:

  1. Allow users to “skip login”
  2. Allow insecure access (HTTP without authentication)
  3. Allow basic authentication
  4. Allow access from outside the cluster

You are asked to make it more secure by:

  1. Deny users to “skip login”
  2. Deny insecure access, enforce HTTPS (self signed certificates are ok for now)
  3. Add the --auto-generate-certificates argument
  4. Enforce authentication using a token (with possibility to use RBAC)
  5. Allow only cluster internal access
译文

任务权重:3%。

使用环境: kubectl config use-context workload-prod

Kubernetes Dashboard 安装在命名空间 kubernetes-dashboard 中,并被配置为。

  1. 允许用户 “跳过登录”。
  2. 允许不安全的访问(无认证的HTTP)。
  3. 允许基本认证
  4. 允许从集群外访问

要求你通过以下方式使其更加安全。

  1. 拒绝用户 “跳过登录”。
  2. 拒绝不安全的访问,强制执行HTTPS(自签名的证书目前还可以)。
  3. 添加–自动生成证书的参数
  4. 使用令牌强制认证(可以使用RBAC)。
  5. 只允许集群内部访问
解答

检查 命名空间 kubernetes-dashboard

k -n kubernetes-dashboard get pod,svc
k get node -o wide

dashboard-sec-0
dashboard-sec-1

修复: 备份 deploy 配置 后 进行编辑

k -n kubernetes-dashboard get deploy kubernetes-dashboard -oyaml > 8_deploy_kubernetes-dashboard.yaml

k -n kubernetes-dashboard edit deploy kubernetes-dashboard
template:
  spec:
    containers:
    - args:
      - --namespace=kubernetes-dashboard  
      - --authentication-mode=token        # 删除或设置为token
      - --auto-generate-certificates       # 添加
      #- --enable-skip-login=true          # 删除或设置为false
      #- --enable-insecure-login           # 删除
      image: kubernetesui/dashboard:v2.0.3
      imagePullPolicy: Always
      name: kubernetes-dashboard

备份 svc配置 后编辑

k -n kubernetes-dashboard get svc kubernetes-dashboard -o yaml > 8_svc_kubernetes-dashboard.yaml

k -n kubernetes-dashboard edit svc kubernetes-dashboard
 spec:
  clusterIP: 10.107.176.19
  externalTrafficPolicy: Cluster   # delete
  internalTrafficPolicy: Cluster
  ports:
  - name: http
    nodePort: 32513                # delete
    port: 9090
    protocol: TCP
    targetPort: 9090
  - name: https
    nodePort: 32441                # delete
    port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: ClusterIP                  # change or delete
status:
  loadBalancer: {}

验证: 新建一个容器进行模拟访问, curl -k 是忽略证书

dashboard-sec-2 

k run tmp --image=nginx:1.19.2 --restart=Never --rm -it -- bash

curl https://kubernetes-dashboard.kubernetes-dashboard
curl -k https://kubernetes-dashboard.kubernetes-dashboard

dashboard-sec-3