Skip to main content

Securing Kubernetes Dashboard

The following guide covers how to secure Kubernetes Dashboard using Pomerium. Kubernetes Dashboard is a powerful, web-based UI for managing Kubernetes clusters. Pomerium can act as an independent identity-aware access proxy improving and adding single-sign-on to Kubernetes Dashboard's default access control. This is in contrast to most deployments, which use static tokens for access.

fresh kubernetes dashboard install

This tutorial covers:

Before You Begin

This guide builds off of existing articles and guides. It assumes you have deployed Pomerium to your cluster using our Helm charts, configured a certificate solution like cert-manager, and set up secure access to the Kubernetes API. Follow the instructions in these pages before you continue:

Background

Though securing Kubernetes Dashboard as an example may seem contrived, the damages caused by an unsecured dashboard is a real threat vector. In late 2018, Tesla determined that the hackers who were running crypto-mining malware on their cloud accounts came in through an unsecured Kubernetes Dashboard instance.

tesla hacked from kubernetes dashboard

Install Kubernetes Dashboard

Kubernetes Dashboard is a general purpose, web-based UI for Kubernetes clusters. It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself.

Use Helm to install a new instance of Kubernetes Dashboard :

helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
helm install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard\
  --set ingress.enabled="false"

That's it. We've now configured the Kubernetes Dashboard in our cluster. We've also explicitly told Helm that we are going to deploy our own custom access to the service through Pomerium instead of a standard ingress.

Add a Route

Following the configuration defined in Install Pomerium using Helm, add a route for the Kubernetes Dashboard.

  1. Modify pomerium-values.yaml with the following route:

    pomerium-values.yaml
        - from: https://dashboard.localhost.pomerium.io
          to: https://kubernetes-dashboard.default.svc.cluster.local
          allow_spdy: true
          tls_skip_verify: true
          kubernetes_service_account_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
          policy:
            - allow:
                or:
                  - domain:
                      is: pomerium.com

    The service account token used for kubernetes_service_account_token_file is defined by our helm chart. Modify the policy to match your configuration.

  2. Access to the dashboard for a user is authorized by the cluster role binding defined in role-based access control (RBAC) permissions. Following the User Permissions section of Securing Kubernetes, you should already have permissions for your user, or you can create a new RBAC definition following this example:

    rbac-someuser.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: cluster-admin-crb
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: someuser@example.com

    Apply the permissions with kubectl apply -f rbac-someuser.yaml.

  3. Apply the new route to Pomerium with Helm:

    helm upgrade --install pomerium pomerium/pomerium --values pomerium-values.yaml

Conclusion

Because we've defined RBAC for our users, they can authenticate with Pomerium and Kubernetes will recognize that user in the Dashboard:

🎉🍾🎊 Congratulations! 🎉🍾🎊 You now have a single-sign-on enabled Kubernetes Dashboard protected by Pomerium.