Protect monitoring with authentication

 ·  via commit 1c91ff1 (chore: change shortcodes format (HTML tag like)) by Gerkin  ·  ☕ 2 min read

Now that we have our authentication service up and running, we can protect the dashboards installed in step 06 - Monitoring: See what is going on, using our Keycloak OpenID Connect provider. Here is a diagram of how authorization will be managed:

Authorization graph

Traefik dashboard

TODO

Kibana

TODO

Kube dashboard

Again, we are going to set up a new instance of louketo-proxy, this time in the kubernetes-dashboard namespace, sitting between the ingress route and the dashboard Service.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gatekeeper
  namespace: kubernetes-dashboard
  labels:
    app: kubernetes-dashboard
    component: gatekeeper
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kubernetes-dashboard
      component: gatekeeper
  template:
    metadata:
      labels:
        app: kubernetes-dashboard
        component: gatekeeper
    spec:
      containers:
        - name: keycloak-gatekeeper
          image: "quay.io/gogatekeeper/gatekeeper:1.2.0"
          imagePullPolicy: IfNotPresent
          args:
            - --listen=0.0.0.0:3000
            # OpenID Connect discovery endpoint of the realm created in the previous step
            - --discovery-url=https://kube-keycloak.{{cluster.baseHostName}}/auth/realms/{{apiServer.realm}}
            - --client-id={{apiServer.clientId}}
            - --client-secret={{apiServer.clientSecret}}
            # The dashboard Service the proxy forwards authenticated requests to
            - --upstream-url=http://kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local:80
            # Public URL of the dashboard route below: Keycloak sends the browser back here after login
            - --redirection-url=https://kube-dashboard.{{cluster.baseHostName}}/
            # Skips TLS verification of the Keycloak endpoint
            - --skip-openid-provider-tls-verify=true
            # Deny every request without a valid session; with uri=/* below, every path requires login
            - --enable-default-deny=true
            - --enable-logging=true
            - --enable-refresh-tokens=true
            - --enable-session-cookies=true
            # Key used to encrypt the session state stored in the cookie
            - --encryption-key={{random32charsString}}
            - --secure-cookie=true
            - --resources=uri=/*
          ports:
            - name: http
              containerPort: 3000
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /oauth/health
              port: 3000
            initialDelaySeconds: 3
            timeoutSeconds: 2
          readinessProbe:
            httpGet:
              path: /oauth/health
              port: 3000
            initialDelaySeconds: 3
            timeoutSeconds: 2
---
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper
  namespace: kubernetes-dashboard
  labels:
    app: kubernetes-dashboard
    component: gatekeeper
spec:
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app: kubernetes-dashboard
    component: gatekeeper

Finally, modify your ingress route so that it sends traffic to the gatekeeper Service instead of the dashboard Service directly:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroute-dashboard
  namespace: kubernetes-dashboard
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`kube-dashboard.{{cluster.baseHostName}}`)
    kind: Rule
    services:
    - name: gatekeeper
      namespace: kubernetes-dashboard
      kind: Service
      port: 80
  tls:
    certResolver: myresolver

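As an added example (not code from the guide), here is a small Python checker that renders the guide's {{...}} variables into the gatekeeper args and the IngressRoute Host() rule above, then verifies the settings that make the protection effective: default deny enabled, secure cookies, a 32-character encryption key as the guide expects, https discovery and redirection URLs, and a redirection host that matches the IngressRoute host (a hostname left over from another environment would be caught here). The variable values are constructed placeholders, and the render/check helpers and the ERROR/WARN labels are mine, not gatekeeper's. It also flags two points to keep in mind with the manifest as written: --skip-openid-provider-tls-verify=true disables verification of the Keycloak certificate, and the client secret and encryption key sit as literals in the pod spec, where a Kubernetes Secret would be the usual home.

```python
"""Static checks for the gatekeeper (louketo-proxy) Deployment that fronts the dashboard.

Added example: renders the guide's {{var}} placeholders into the container args and
IngressRoute matcher, then checks the settings that decide whether the dashboard is
actually protected. Standard library only.
"""
import re
from urllib.parse import urlparse

# Constructed placeholder values for the guide's variables (not real hosts or secrets).
VARS = {
    "cluster.baseHostName": "example.test",
    "apiServer.realm": "kube",
    "apiServer.clientId": "kube-dashboard",
    "apiServer.clientSecret": "placeholder-client-secret",
    "random32charsString": "0123456789abcdef0123456789abcdef",
}

# The args list of the gatekeeper container, as written in the guide.
ARGS_TEMPLATE = """\
- --listen=0.0.0.0:3000
- --discovery-url=https://kube-keycloak.{{cluster.baseHostName}}/auth/realms/{{apiServer.realm}}
- --client-id={{apiServer.clientId}}
- --client-secret={{apiServer.clientSecret}}
- --upstream-url=http://kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local:80
- --redirection-url=https://kube-dashboard.{{cluster.baseHostName}}/
- --skip-openid-provider-tls-verify=true
- --enable-default-deny=true
- --enable-logging=true
- --enable-refresh-tokens=true
- --enable-session-cookies=true
- --encryption-key={{random32charsString}}
- --secure-cookie=true
- --resources=uri=/*
"""
# The Host() matcher of the IngressRoute that routes to the gatekeeper Service.
INGRESS_MATCH_TEMPLATE = "Host(`kube-dashboard.{{cluster.baseHostName}}`)"

VAR_RE = re.compile(r"\{\{\s*([^{}]+?)\s*\}\}")


def render(template: str, variables: dict) -> str:
    """Replace every {{name}}; an unset variable is an error, never an empty string."""
    def sub(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"variable {name} is not set")
        return variables[name]
    return VAR_RE.sub(sub, template)


def parse_args(args_yaml: str) -> dict:
    """Turn '- --flag=value' list items into {flag: value}; a bare flag maps to ''."""
    flags = {}
    for line in args_yaml.splitlines():
        line = line.strip()
        if not line.startswith("- --"):
            continue
        flag, sep, value = line[4:].partition("=")  # first '=' only: resources=uri=/* keeps its value
        flags[flag] = value if sep else ""
    return flags


def ingress_host(match_expr: str) -> str:
    """Extract the hostname from a Traefik Host(`...`) rule."""
    m = re.search(r"Host\(`([^`]+)`\)", match_expr)
    if not m:
        raise ValueError("no Host() matcher found")
    return m.group(1)


def check(flags: dict, host: str) -> list:
    """Return ERROR/WARN findings for a rendered gatekeeper args dict and the public host."""
    findings = []
    if flags.get("enable-default-deny") != "true":
        findings.append("ERROR enable-default-deny is not true: unlisted paths reach the upstream unauthenticated")
    if flags.get("secure-cookie") != "true":
        findings.append("ERROR secure-cookie is not true: the session cookie may be sent over plain HTTP")
    key = flags.get("encryption-key", "")
    if len(key) != 32:
        findings.append(f"ERROR encryption-key is {len(key)} characters; the guide expects a 32-character random string")
    for name in ("discovery-url", "redirection-url"):
        if urlparse(flags.get(name, "")).scheme != "https":
            findings.append(f"ERROR {name} is not https")
    redirect_host = urlparse(flags.get("redirection-url", "")).hostname
    if redirect_host != host:
        findings.append(f"ERROR redirection-url host {redirect_host!r} differs from IngressRoute host {host!r}: "
                        "the post-login redirect would leave the protected route")
    if flags.get("skip-openid-provider-tls-verify") == "true":
        findings.append("WARN skip-openid-provider-tls-verify=true: the Keycloak certificate is not verified")
    for secret_flag in ("client-secret", "encryption-key"):
        if secret_flag in flags:
            findings.append(f"WARN {secret_flag} is an inline literal in the pod spec; keep it in a Kubernetes Secret")
    return findings


def check_manifest(args_template: str, match_template: str, variables: dict) -> list:
    """Render both templates with the same variables and run the checks."""
    flags = parse_args(render(args_template, variables))
    return check(flags, ingress_host(render(match_template, variables)))


if __name__ == "__main__":
    for finding in check_manifest(ARGS_TEMPLATE, INGRESS_MATCH_TEMPLATE, VARS):
        print(finding)
```

Run it before `kubectl apply`: with the guide's values it reports no errors and three warnings (the TLS-verify skip and the two inline secrets); swapping the redirection URL for a host that is not the one in the IngressRoute turns the host check into an error.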
Hey, we've done important things here! Maybe it's time to commit…

git add .
git commit -m "Protect monitoring with authentication

Following guide @ https://gerkindev.github.io/devblog/walkthroughs/kubernetes/09-safe-monitoring/"
Written by GerkinDev, fullstack developer on a journey to DevOps.
