Add error dialog when user tries to login with kubectl proxy to some other address (not localhost)
Hi, Dashboard is used inside my Kubernetes cluster. Everything is working in my cluster and I'm accessing my dashboard with the kubectl proxy command. I want to create a new serviceaccount to access my dashboard without granting full access to the kubernetes-dashboard user, which is not secure at all.
Steps to reproduce
I created a new service account and granted it full access to the cluster. When I go to the dashboard login menu, I enter the token of my serviceaccount and click on "Sign In". But nothing happens, and I don't get any error. So I suppose the token is valid and the UI recognises the token, but the authentication is not going any further.
Observed result
I can't log in with my token. Nothing happens.
I'm stuck for the moment. I will update if I find something.
Check https://github.com/kubernetes/dashboard/issues/2540#issuecomment-343066258.
@floreks Are we able to display some kind of dialog here?
@maciaszczykm How to? ^^ I'm not a confirmed user of Kubernetes.
@maciaszczykm Ha, I found it. Here it is. I tried to log in twice with my token here. It's a bit messy, sorry ^^ (PS: it's a token from the serviceaccount I created)
```
2017/11/14 05:13:44 [2017-11-14T05:13:44Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/login request from 172.16.56.4:41578: {}
2017/11/14 05:13:44 [2017-11-14T05:13:44Z] Outcoming response to 172.16.56.4:41578 with 200 status code
2017/11/14 05:13:44 [2017-11-14T05:13:44Z] Incoming HTTP/2.0 POST /api/v1/login request from 172.16.56.4:41578: { "kubeConfig": "", "password": "", "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRoZW8tYWRtbi10b2tlbi0yZ3o0bSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ0aGVvLWFkbW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIzNDk1MjdiYi1jOGZhLTExZTctYWYyNC0wMDUwNTY5OTUxOWEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDp0aGVvLWFkbW4ifQ.PCRSH5YXwd0AXAoFLpnQfCNJTvtZqGvuwEa_lRI9pdz8fOse0SzkG4yaUzP51V1MM40zdwMtyMvMag-CgZsu0l0wqxmqBn3_pOzDOx1ksg6FKR3lplimaIqhdoYx7encz6Rog60LqdxJFSuSz2bGKfnL4KzSKDG2J9Wq3M850PNRG9pY4t8t0Iwa6uKTGXBDOK_chGN9zrRx6uEu9ou6NchHV8lRWxDaUs4vbgbPlLgo9zyR8EDYOVl0Knk9hw-OCY0-MgYk8-lY7UJsxEeHS6i6bXgnOa7xZo2VKpl5Y_PkUO3O71B3NZz5lo4_troy4kk-0vaHekCC9XcmusWVIQ", "username": "" }
2017/11/14 05:13:44 [2017-11-14T05:13:44Z] Outcoming response to 172.16.56.4:41578 with 200 status code
2017/11/14 05:13:44 [2017-11-14T05:13:44Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 172.16.56.4:41578: {}
2017/11/14 05:13:44 [2017-11-14T05:13:44Z] Outcoming response to 172.16.56.4:41578 with 200 status code
2017/11/14 05:13:45 [2017-11-14T05:13:45Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/login request from 172.16.56.4:41578: {}
2017/11/14 05:13:45 [2017-11-14T05:13:45Z] Outcoming response to 172.16.56.4:41578 with 200 status code
2017/11/14 05:13:45 [2017-11-14T05:13:45Z] Incoming HTTP/2.0 POST /api/v1/login request from 172.16.56.4:41578: { "kubeConfig": "", "password": "", "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRoZW8tYWRtbi10b2tlbi0yZ3o0bSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ0aGVvLWFkbW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIzNDk1MjdiYi1jOGZhLTExZTctYWYyNC0wMDUwNTY5OTUxOWEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDp0aGVvLWFkbW4ifQ.PCRSH5YXwd0AXAoFLpnQfCNJTvtZqGvuwEa_lRI9pdz8fOse0SzkG4yaUzP51V1MM40zdwMtyMvMag-CgZsu0l0wqxmqBn3_pOzDOx1ksg6FKR3lplimaIqhdoYx7encz6Rog60LqdxJFSuSz2bGKfnL4KzSKDG2J9Wq3M850PNRG9pY4t8t0Iwa6uKTGXBDOK_chGN9zrRx6uEu9ou6NchHV8lRWxDaUs4vbgbPlLgo9zyR8EDYOVl0Knk9hw-OCY0-MgYk8-lY7UJsxEeHS6i6bXgnOa7xZo2VKpl5Y_PkUO3O71B3NZz5lo4_troy4kk-0vaHekCC9XcmusWVIQ", "username": "" }
2017/11/14 05:13:45 [2017-11-14T05:13:45Z] Outcoming response to 172.16.56.4:41578 with 200 status code
2017/11/14 05:13:45 [2017-11-14T05:13:45Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 172.16.56.4:41578: {}
2017/11/14 05:13:45 [2017-11-14T05:13:45Z] Outcoming response to 172.16.56.4:41578 with 200 status code
```
I also granted the ClusterRole cluster-admin to my serviceaccount to access the cluster (if it's the right way to do it):

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: theo-admin
  labels:
    k8s-app: theo-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: theo-admin
  namespace: default
```
@maciaszczykm OK, I just read #2540 (comment). The fact is I can't access my dashboard with HTTPS. I get SSL_ERROR_RX_RECORD_TOO_LONG every time and I don't know how to access my dashboard without a kubectl proxy. My dashboard is a pod inside my master server. I can't expose it to the outside because it's not a service.
I'm just stuck here
> @floreks Are we able to display some kind of dialog here?
Probably. This code prevents you from logging in.
@Theoooooo Exposing Dashboard publicly using kubectl proxy --address is usually not a good idea. That is why we are blocking this. You can run kubectl proxy and access Dashboard at localhost:8001/... domain.
@floreks How can I access this code? I have no idea :/
@Theoooooo You have to expose (using kubectl proxy) and access Dashboard locally (localhost or 127.0.0.1 domain). We will add an info dialog that will explain why this is blocked when a user tries to access it in a non-secure way.
@floreks But can I access this code and modify this value myself? I don't really want to be on the local computer to connect with serviceaccount tokens. Maybe I need to find another way with a bearer token.
https://github.com/kubernetes/dashboard/wiki/Getting-started
You can build and deploy your own version of Dashboard. We do not support accessing Dashboard in a non-secure way (via login page).
@floreks or could we add one config option for this?
I'd rather not do this as it is not secure. Traffic from another device to the device that exposes the API using kubectl proxy -address xxx will be unencrypted and easy to hijack. It's a security risk.
We can add a dialog to inform the user why this is not possible.
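An added example, not Dashboard's own code, of the kind of origin check described in this thread (token login only over HTTPS or a loopback host) together with the dialog text proposed here instead of a silent "Sign In" click; the loopback host list, the 127.0.0.0/8 handling and the message wording are assumptions of this example.

```javascript
// Example only: decides whether the token/kubeconfig login form should be
// enabled for the page the browser loaded. Plain HTTP reached through
// `kubectl proxy --address <other-ip>` carries the bearer token unencrypted
// across the network, so the form is disabled and a dialog explains why.

// Assumed loopback host names; URL.hostname keeps the brackets for IPv6.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

function isLoopbackHost(hostname) {
  if (LOOPBACK_HOSTS.has(hostname.toLowerCase())) return true;
  // The whole 127.0.0.0/8 block is loopback, not only 127.0.0.1.
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  return m !== null && m.slice(1).every(o => Number(o) <= 255);
}

// True when the token never leaves the machine unencrypted: either TLS is in
// use or the browser talks to a local kubectl proxy on a loopback address.
function isSecureOrigin(pageUrl) {
  const u = new URL(pageUrl);
  return u.protocol === 'https:' || isLoopbackHost(u.hostname);
}

// Returns what the login page should do: enable the form, or show the
// informational dialog this thread proposes.
function loginDecision(pageUrl) {
  if (isSecureOrigin(pageUrl)) {
    return { loginEnabled: true, message: null };
  }
  const u = new URL(pageUrl);
  return {
    loginEnabled: false,
    message: `Login is disabled because Dashboard was opened over plain HTTP ` +
      `at ${u.host}. Tokens sent this way are unencrypted. Open Dashboard ` +
      `over HTTPS, or run "kubectl proxy" and use http://localhost:8001/ instead.`,
  };
}
```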