Add RBAC to binding Dahsboard UI

7 years ago · b974b144a8
2 changed files with 52 additions and 0 deletions
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@ -42,6 +42,8 @@ netchecker_server_memory_requests: 64M
 dashboard_enabled: true
 dashboard_image_repo: gcr.io/google_containers/kubernetes-dashboard-amd64
 dashboard_image_tag: v1.8.0
+dashboard_init_image_repo: gcr.io/google_containers/kubernetes-dashboard-init-amd64
+dashboard_init_image_tag: v1.0.1

 # Limits for dashboard
 dashboard_cpu_limit: 100m
@ -53,6 +55,13 @@ dashboard_memory_requests: 64M
 etcd_cert_dir: "/etc/ssl/etcd/ssl"
 canal_cert_dir: "/etc/canal/certs"

+# Set dashboard_use_custom_certs to true if overriding dashboard_certs_secret_name with a secret that
+# contains dashboard_tls_key_file and dashboard_tls_cert_file instead of using the initContainer provisioned certs
+dashboard_use_custom_certs: false
+dashboard_certs_secret_name: kubernetes-dashboard-certs
+dashboard_tls_key_file: dashboard.key
+dashboard_tls_cert_file: dashboard.crt
+
 rbac_resources:
  - sa
  - clusterrole
--- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
@ -91,6 +91,34 @@ subjects:
  name: kubernetes-dashboard
  namespace: {{ system_namespace }}

+---
+# ------------------- Gross Hack For anonymous auth through api proxy ------------------- #
+# Allows users to reach login page and other proxied dashboard URLs
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kubernetes-dashboard-anonymous
+rules:
+- apiGroups: [""]
+  resources: ["services/proxy"]
+  resourceNames: ["https:kubernetes-dashboard:"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/{{ system_namespace }}/services/https:kubernetes-dashboard:/proxy/*"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubernetes-dashboard-anonymous
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubernetes-dashboard-anonymous
+subjects:
+- kind: User
+  name: system:anonymous
+
 ---
 # ------------------- Dashboard Deployment ------------------- #

@ -112,6 +140,14 @@ spec:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
+{% if not dashboard_use_custom_certs %}
+      initContainers:
+      - name: kubernetes-dashboard-init
+        image: {{ dashboard_init_image_repo }}:{{ dashboard_init_image_tag }}
+        volumeMounts:
+        - name: kubernetes-dashboard-certs
+          mountPath: /certs
+{% endif %}
      containers:
      - name: kubernetes-dashboard
        image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }}
@ -127,7 +163,14 @@ spec:
        - containerPort: 8443
          protocol: TCP
        args:
+{% if not dashboard_use_custom_certs %}
+          - --tls-key-file=/certs/{{ dashboard_tls_key_file }}
+          - --tls-cert-file=/certs/{{ dashboard_tls_cert_file }}
+          - --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %}
+{% else %}
          - --auto-generate-certificates
+{% endif %}
+{% endif %}
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.