addons: Remove Kubernetes Dashboard manifests and docs

* Stop maintaining Kubernetes Dashboard manifests. Dashboard takes
an unusual approach to security and is often a security weak point.
* Recommendation: Use `kubectl` and avoid using the dashboard. If
you must use the dashboard, explore hardening and consider using an
authenticating proxy rather than the dashboard's auth features
Dalton Hubble 2018-02-11 10:19:09 -08:00
parent 2c10d24113
commit 03d23bfde7
6 changed files with 1 additions and 76 deletions

@ -24,6 +24,7 @@ Notable changes between versions.
* Update nginx-ingress from 0.9.0 to 0.10.2 * Update nginx-ingress from 0.9.0 to 0.10.2
* Update CLUO from v0.5.0 to v0.6.0 * Update CLUO from v0.5.0 to v0.6.0
* Switch manifests to use `apps/v1` Deployments and Daemonsets * Switch manifests to use `apps/v1` Deployments and Daemonsets
* Remove Kubernetes Dashboard manifests ([#121](https://github.com/poseidon/typhoon/pull/121))
#### Digital Ocean #### Digital Ocean
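
Review bot: The added changelog line says only that the manifests were removed, and changelog readers will not see the commit message. Suggest carrying the reason and the recommended path into the entry, for example "Remove Kubernetes Dashboard manifests and docs; use `kubectl`, or put an authenticating proxy in front of a self-managed dashboard". The current wording also omits that the `dashboard.md` docs page is removed in the same commit.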

@ -1,32 +0,0 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: kubernetes-dashboard
namespace: kube-system
spec:
replicas: 1
template:
metadata:
labels:
name: kubernetes-dashboard
phase: prod
spec:
containers:
- name: kubernetes-dashboard
image: gcr.io/google_containers/kubernetes-dashboard-amd64:v1.6.1
ports:
- name: http
containerPort: 9090
resources:
limits:
cpu: 100m
memory: 300Mi
requests:
cpu: 100m
memory: 100Mi
livenessProbe:
httpGet:
path: /
port: 9090
initialDelaySeconds: 30
timeoutSeconds: 30

@ -1,15 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: kubernetes-dashboard
namespace: kube-system
spec:
type: ClusterIP
selector:
name: kubernetes-dashboard
phase: prod
ports:
- name: http
protocol: TCP
port: 80
targetPort: 9090
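
Review bot: Deleting this Service (and the Deployment of the same name in the previous file) from the repo does not remove either object from clusters where `kubectl apply -f addons/dashboard -R` was already run, so `kubernetes-dashboard` in `kube-system` stays reachable in-cluster on ClusterIP port 80, forwarding to plain HTTP on 9090. Suggest an upgrade note telling operators to delete both by name, e.g. `kubectl delete deployment,service kubernetes-dashboard -n kube-system`.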

@ -1,27 +0,0 @@
# Kubernetes Dashboard
!!! warning
The Kubernetes Dashboard takes [unusual approaches](https://github.com/kubernetes/dashboard/wiki/Access-control#authorization-header) to security and is often a point of security escalations. We recommend you do don't deploy it and get familiar with `kubectl`, if possible.
The Kubernetes [Dashboard](https://github.com/kubernetes/dashboard) provides a web UI to manage a Kubernetes cluster for those who prefer an alternative to `kubectl`.
## Create
Create the dashboard deployment and service.
```
kubectl apply -f addons/dashboard -R
```
## Access
Use `kubectl` to authenticate to the apiserver and create a local port forward to the remote port on the dashboard pod.
```sh
kubectl get pods -n kube-system
kubectl port-forward POD [LOCAL_PORT:]REMOTE_PORT
kubectl port-forward kubernetes-dashboard-id 9090 -n kube-system
```
!!! tip
If you'd like to expose the Dashboard via Ingress and add authentication, use a suitable OAuth2 proxy sidecar and pick your favorite OAuth2 provider.
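
Review bot: Removing this page drops the security warning and the access guidance it carried (port-forward through `kubectl`, the OAuth2 proxy tip), while the commit message still tells users who must run the dashboard to harden it and use an authenticating proxy. Consider keeping a short paragraph with that recommendation in a page that survives this commit, such as the addons overview, so the advice does not live only in commit history.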

@ -7,5 +7,4 @@ Every Typhoon cluster is verified to work well with several post-install addons.
* [Heapster](heapster.md) * [Heapster](heapster.md)
* [Prometheus](prometheus.md) * [Prometheus](prometheus.md)
* [Grafana](grafana.md) * [Grafana](grafana.md)
* Kubernetes [Dashboard](dashboard.md)

@ -51,7 +51,6 @@ pages:
- 'Nginx Ingress': 'addons/ingress.md' - 'Nginx Ingress': 'addons/ingress.md'
- 'Prometheus': 'addons/prometheus.md' - 'Prometheus': 'addons/prometheus.md'
- 'Grafana': 'addons/grafana.md' - 'Grafana': 'addons/grafana.md'
- 'Dashboard': 'addons/dashboard.md'
- 'Topics': - 'Topics':
- 'Maintenance': 'topics/maintenance.md' - 'Maintenance': 'topics/maintenance.md'
- 'Hardware': 'topics/hardware.md' - 'Hardware': 'topics/hardware.md'