Skip to content

Commit

Permalink
[stable/kubernetes-dashboard] Harden Kubernetes Dashboard security se…
Browse files Browse the repository at this point in the history 
…tup to protect whole cluster (helm#3935)

* Updated helm chart for Kubernetes Dashboard to harden cluster security

* Fixed typo

* Modified to be in line with RBAC guidlines

* Add link to guide

* Fixed typo
  • Loading branch information
@Eddman @k8s-ci-robot
Eddman authored and k8s-ci-robot committed Mar 2, 2018
1 parent 2da0250 commit 61a6aed
Show file tree
Hide file tree
Showing 12 changed files with 211 additions and 50 deletions.
4 changes: 2 additions & 2 deletions stable/kubernetes-dashboard/Chart.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: kubernetes-dashboard
version: 0.5.3
appVersion: 1.8.1
version: 0.6.0
appVersion: 1.8.3
description: General-purpose web UI for Kubernetes clusters
keywords:
- kubernetes
Expand Down
44 changes: 26 additions & 18 deletions stable/kubernetes-dashboard/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,26 +33,34 @@ $ helm delete my-release

The command removes all the Kubernetes components associated with the chart and deletes the release.

## Access control
It is critical for the Kubernetes custer to correctly setup access control of Kubernetes Dashboard. See this [guide](https://github.com/kubernetes/dashboard/wiki/Access-control) for best practises.

It is highly recommended to use RBAC with minimal privileges needed for Dashboard to run.

## Configuration

The following tables lists the configurable parameters of the kubernetes-dashboard chart and their default values.

| Parameter | Description | Default |
|------------------------|------------------------------------|--------------------------------------------------------------------------|
| `image.repository` | Repository for container image | `gcr.io/google_containers/kubernetes-dashboard-amd64` |
| `image.tag` | Image tag | `v1.8.1` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `extraArgs` | Additional container arguments | `[]` |
| `nodeSelector` | node labels for pod assignment | `{}` |
| `service.externalPort` | Dashboard internal port | 80 |
| `service.internalPort` | Dashboard external port | 80 |
| `ingress.annotations` | Specify ingress class | `kubernetes.io/ingress.class: nginx` |
| `ingress.enabled` | Enable ingress controller resource | `false` |
| `ingress.hosts` | Dashboard Hostnames | `nil` |
| `ingress.tls` | Ingress TLS configuration | `[]` |
| `resources` | Pod resource requests & limits | `limits: {cpu: 100m, memory: 50Mi}, requests: {cpu: 100m, memory: 50Mi}` |
| `rbac.create` | Create & use RBAC resources | `false` |
| `rbac.serviceAccountName` | ServiceAccount kubernetes-dashboard will use (ignored if rbac.create=true) | `default` |
The following table lists the configurable parameters of the kubernetes-dashboard chart and their default values.

| Parameter | Description | Default |
|---------------------------|-----------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------|
| `image.repository` | Repository for container image | `k8s.gcr.io/kubernetes-dashboard-amd64` |
| `image.tag` | Image tag | `v1.8.3` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `extraArgs` | Additional container arguments | `[]` |
| `nodeSelector` | node labels for pod assignment | `{}` |
| `tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | `[]` |
| `service.externalPort` | Dashboard internal port | 443 |
| `service.internalPort` | Dashboard external port | 443 |
| `ingress.annotations` | Specify ingress class | `kubernetes.io/ingress.class: nginx` |
| `ingress.enabled` | Enable ingress controller resource | `false` |
| `ingress.hosts` | Dashboard Hostnames | `nil` |
| `ingress.tls` | Ingress TLS configuration | `[]` |
| `resources` | Pod resource requests & limits | `limits: {cpu: 100m, memory: 50Mi}, requests: {cpu: 100m, memory: 50Mi}` |
| `rbac.create` | Create & use RBAC resources | `true` |
| `rbac.clusterAdminRole` | "cluster-admin" ClusterRole will be used for dashboard ServiceAccount ([NOT RECOMMENDED](#access-control)) | `false` |
| `serviceAccount.create` | Whether a new service account name that the agent will use should be created. | `true` |
| `serviceAccount.name` | Service account to be used. If not set and serviceAccount.create is `true` a name is generated using the fullname template. | |

Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

Expand Down
8 changes: 4 additions & 4 deletions stable/kubernetes-dashboard/templates/NOTES.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,15 +5,15 @@
{{- if .Values.ingress.enabled }}
From outside the cluster, the server URL(s) are:
{{- range .Values.ingress.hosts }}
http://{{ . }}
https://{{ . }}
{{- end }}

{{- else if contains "NodePort" .Values.service.type }}

Get the Kubernetes Dashboard URL by running:
export NODE_PORT=$(kubectl get -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "kubernetes-dashboard.fullname" . }})
export NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT/
echo https://$NODE_IP:$NODE_PORT/

{{- else if contains "LoadBalancer" .Values.service.type }}

Expand All @@ -22,11 +22,11 @@ Get the Kubernetes Dashboard URL by running:

Get the Kubernetes Dashboard URL by running:
export SERVICE_IP=$(kubectl get svc {{ template "kubernetes-dashboard.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP/
echo https://$SERVICE_IP/
{{- else if contains "ClusterIP" .Values.service.type }}

Get the Kubernetes Dashboard URL by running:
export POD_NAME=$(kubectl get pods -n {{ .Release.Namespace }} -l "app={{ template "kubernetes-dashboard.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo http://127.0.0.1:9090/
echo https://127.0.0.1:9090/
kubectl -n {{ .Release.Namespace }} port-forward $POD_NAME 9090:9090
{{- end }}
18 changes: 18 additions & 0 deletions stable/kubernetes-dashboard/templates/_helpers.tpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,3 +23,21 @@ If release name contains chart name it will be used as a full name.
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kubernetes-dashboard.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create the name of the service account to use
*/}}
{{- define "kubernetes-dashboard.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "kubernetes-dashboard.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
34 changes: 24 additions & 10 deletions stable/kubernetes-dashboard/templates/deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ metadata:
name: {{ template "kubernetes-dashboard.fullname" . }}
labels:
app: {{ template "kubernetes-dashboard.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
chart: {{ template "kubernetes-dashboard.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
kubernetes.io/cluster-service: "true"
Expand All @@ -25,32 +25,46 @@ spec:
release: {{ .Release.Name }}
kubernetes.io/cluster-service: "true"
spec:
serviceAccountName: {{ if .Values.rbac.create }}{{ template "kubernetes-dashboard.fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }}
serviceAccountName: {{ template "kubernetes-dashboard.serviceAccountName" . }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.extraArgs }}
args:
- --auto-generate-certificates
{{- if .Values.extraArgs }}
{{ toYaml .Values.extraArgs | indent 10 }}
{{- end }}
ports:
- name: http
containerPort: 9090
- name: https
containerPort: 8443
protocol: TCP
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
failureThreshold: 3
httpGet:
scheme: HTTPS
path: /
port: 9090
scheme: HTTP
port: 8443
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 30
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: {{ template "kubernetes-dashboard.fullname" . }}
- name: tmp-volume
emptyDir: {}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
2 changes: 1 addition & 1 deletion stable/kubernetes-dashboard/templates/ingress.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ metadata:
name: {{ template "kubernetes-dashboard.fullname" . }}
labels:
app: {{ template "kubernetes-dashboard.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
chart: {{ template "kubernetes-dashboard.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.ingress.annotations }}
Expand Down
72 changes: 72 additions & 0 deletions stable/kubernetes-dashboard/templates/role.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
{{- if and .Values.rbac.create (not .Values.rbac.clusterAdminRole) }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
labels:
app: {{ template "kubernetes-dashboard.name" . }}
chart: {{ template "kubernetes-dashboard.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "kubernetes-dashboard.fullname" . }}
namespace: {{ .Release.Namespace }}
rules:
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups:
- ""
resources:
- secrets
verbs:
- create

# Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create

# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- kubernetes-dashboard-key-holder
- {{ template "kubernetes-dashboard.fullname" . }}
verbs:
- get
- update
- delete

# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- kubernetes-dashboard-settings
verbs:
- get
- update

# Allow Dashboard to get metrics from heapster.
- apiGroups:
- ""
resources:
- services
resourceNames:
- heapster
verbs:
- proxy
- apiGroups:
- ""
resources:
- services/proxy
resourceNames:
- heapster
- "http:heapster:"
- "https:heapster:"
verbs:
- get
{{- end -}}
28 changes: 26 additions & 2 deletions stable/kubernetes-dashboard/templates/rolebinding.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,10 +1,13 @@
{{- if .Values.rbac.create }}

{{- if .Values.rbac.clusterAdminRole }}
# Cluster role binding for clusterAdminRole == true
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
labels:
app: {{ template "kubernetes-dashboard.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
chart: {{ template "kubernetes-dashboard.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "kubernetes-dashboard.fullname" . }}
Expand All @@ -14,6 +17,27 @@ roleRef:
name: cluster-admin
subjects:
- kind: ServiceAccount
name: {{ template "kubernetes-dashboard.fullname" . }}
name: {{ template "kubernetes-dashboard.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- else -}}
# Role binding for clusterAdminRole == false
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
labels:
app: {{ template "kubernetes-dashboard.name" . }}
chart: {{ template "kubernetes-dashboard.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "kubernetes-dashboard.fullname" . }}
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "kubernetes-dashboard.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kubernetes-dashboard.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end -}}
{{- end -}}
11 changes: 11 additions & 0 deletions stable/kubernetes-dashboard/templates/secret.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
apiVersion: v1
kind: Secret
metadata:
labels:
app: {{ template "kubernetes-dashboard.name" . }}
chart: {{ template "kubernetes-dashboard.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "kubernetes-dashboard.fullname" . }}
namespace: {{ .Release.Namespace }}
type: Opaque
7 changes: 4 additions & 3 deletions stable/kubernetes-dashboard/templates/serviceaccount.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,11 +1,12 @@
{{- if .Values.rbac.create }}
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: {{ template "kubernetes-dashboard.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
chart: {{ template "kubernetes-dashboard.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "kubernetes-dashboard.fullname" . }}
name: {{ template "kubernetes-dashboard.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end -}}
4 changes: 2 additions & 2 deletions stable/kubernetes-dashboard/templates/svc.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ metadata:
name: {{ template "kubernetes-dashboard.fullname" . }}
labels:
app: {{ template "kubernetes-dashboard.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
chart: {{ template "kubernetes-dashboard.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
kubernetes.io/cluster-service: "true"
Expand All @@ -19,7 +19,7 @@ spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.externalPort }}
targetPort: http
targetPort: https
{{- if hasKey .Values.service "nodePort" }}
nodePort: {{ .Values.service.nodePort }}
{{- end }}
Expand Down
Loading

0 comments on commit 61a6aed

Please sign in to comment.