The following guide covers how to secure Kubernetes Dashboard using Pomerium. Kubernetes Dashboard is a powerful, web-based UI for managing Kubernetes clusters. Pomerium can act as an independent identity-aware access proxy improving and adding single-sign-on to Kubernetes Dashboard's default access control. This is in contrast to most deployments, which use static tokens for access.
This tutorial covers:
- Deploying Kubernetes Dashboard using Helm
- Establishing secure Kubernetes Dashboard access through Pomerium
Before You Begin
This guide builds off of existing articles and guides. It assumes you have deployed Pomerium to your cluster using our Helm charts, configured a certificate solution like cert-manager, and set up secure access to the Kubernetes API. Follow the instructions in these pages before you continue:
Though securing Kubernetes Dashboard as an example may seem contrived, the damages caused by an unsecured dashboard is a real threat vector. In late 2018, Tesla determined that the hackers who were running crypto-mining malware on their cloud accounts came in through an unsecured Kubernetes Dashboard instance.
Install Kubernetes Dashboard
Kubernetes Dashboard is a general purpose, web-based UI for Kubernetes clusters. It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself.
helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
helm install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard\
That's it. We've now configured the Kubernetes Dashboard in our cluster. We've also explicitly told Helm that we are going to deploy our own custom access to the service through Pomerium instead of a standard ingress.
Add a Route
Following the configuration defined in Install Pomerium using Helm, add a route for the Kubernetes Dashboard.
pomerium-values.yamlwith the following route:pomerium-values.yaml
- from: https://dashboard.localhost.pomerium.io
The service account token used for
kubernetes_service_account_token_fileis defined by our helm chart. Modify the policy to match your configuration.
Access to the dashboard for a user is authorized by the cluster role binding defined in role-based access control (RBAC) permissions. Following the User Permissions section of Securing Kubernetes, you should already have permissions for your user, or you can create a new RBAC definition following this example:rbac-someuser.yaml
- apiGroup: rbac.authorization.k8s.io
Apply the permissions with
kubectl apply -f rbac-someuser.yaml.
Apply the new route to Pomerium with Helm:
helm upgrade --install pomerium pomerium/pomerium --values pomerium-values.yaml
Because we've defined RBAC for our users, they can authenticate with Pomerium and Kubernetes will recognize that user in the Dashboard:
🎉🍾🎊 Congratulations! 🎉🍾🎊 You now have a single-sign-on enabled Kubernetes Dashboard protected by Pomerium.