Securing Fabric8 console

Rui Silva

Aug 3, 2016, 10:11:39 AM
to fabric8
Hello,

I am new to Fabric8. I have Fabric8 working with Kubernetes on AWS. So far so good, problem is, I can't find any documentation on how to secure Fabric8 Console. It is open for the public without any authentication whatsoever. Nothing in the documentation covers how we can secure the console. What am I missing here? Seems like a simple thing that should be configured somehow. I would expect a master user and ability to create other users with different permissions.

Rui

Rui Silva

Aug 4, 2016, 11:04:53 AM
to fabric8
Also I noticed something really strange. I create an application successfully, when I close that window, and go back to the Team dashboard I can't find my application anymore, it is like the applications are not stored.

Rui Silva

Aug 4, 2016, 11:49:28 AM
to fabric8
With a Vanilla kubernetes cluster installed on AWS and with the latest version of fabric8, I am afraid to say that there are a lot of things that simply don't work as expected. This is such a shame for such a promising and exciting project like Fabric8. It seems to me that currently Fabric8 is used in an openshift environment mainly, as the Kubernetes+AWS setup I don't read much information about it, nor does the current version work out of the box. The following are the problems I found so far:

1) The publish to docker container does not work. I needed to add the --insecure-registry flag to every docker container.
2) Creating an application on a team, if I leave that page I cannot find that application project anymore. It is like the project is not saved
3) Can't find a way to secure / create users on Fabric8 console
4) Can't connect to the pods terminal on the Fabric8 console (When clicking the terminal icon it fails to open the terminal as says I don't have permissions)
5) Can't access pods logs on Fabric8 console (the log viewer freezes and nothing shows)

So far those are the problems I have experienced. I think it would save days of frustration to share these limitations on the Documentation page. If someone helps me, I am available to complete the documentation for Kubernetes + AWS. Did not take the time to dive into the code yet, but so far I am finding it is hard to opt for Fabric8 with Kubernetes on AWS as things just do not work

Christian Posta

Aug 5, 2016, 10:08:06 AM
to Rui Silva, fabric8
Hey! 

So afaik, Fabric8 will use whatever the underlying Kubernetes' authentication mechanisms. So for a vanilla Kubernetes install, I believe there's not any security. On GKE I think it uses the google oauth mechanisms and for OpenShift uses OpenShift's security. 

I suppose you could write plugins to secure the console itself, but really the part that you want to secure is the Kubernetes API. 

HTH!

--
You received this message because you are subscribed to the Google Groups "fabric8" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fabric8+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Christian Posta
twitter: @christianposta
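
Following the point in the reply above that the Kubernetes API is the part to secure, here is an added example (not from the thread or the Fabric8 project) that audits a kube-apiserver argument list for the settings that leave the API open. The flag names and defaults are those of 2016-era Kubernetes, `audit_apiserver_args` is a hypothetical helper, and flags are assumed to be written as `--flag=value`.

```shell
#!/bin/sh
# Added example: flag names and defaults are those of 2016-era kube-apiserver;
# audit_apiserver_args is a hypothetical helper, sample arguments are constructed.
# Assumes every flag is written as --flag=value.

# Prints one "FINDING: ..." line for each way the API can be reached without
# credentials or without an authorization decision.
audit_apiserver_args() {
    insecure_port=8080        # default: plain-HTTP listener that skips authn/authz
    insecure_bind=127.0.0.1   # default bind address of that listener
    authz_mode=AlwaysAllow    # default authorizer: every request is permitted
    authn=no                  # "yes" once an authenticator flag is seen

    for arg in "$@"; do
        case "$arg" in
            --insecure-port=*)         insecure_port=${arg#*=} ;;
            --insecure-bind-address=*) insecure_bind=${arg#*=} ;;
            --authorization-mode=*)    authz_mode=${arg#*=} ;;
            # Common authenticators (not an exhaustive list)
            --client-ca-file=*|--token-auth-file=*|--basic-auth-file=*|--oidc-issuer-url=*)
                authn=yes ;;
        esac
    done

    if [ "$insecure_port" != 0 ]; then
        case "$insecure_bind" in
            127.0.0.1|localhost) ;;   # loopback only: not reachable remotely
            *) echo "FINDING: insecure port $insecure_port listens on $insecure_bind" ;;
        esac
    fi
    if [ "$authn" = no ]; then
        echo "FINDING: no authenticator flag on the secure port"
    fi
    case ",$authz_mode," in
        *,AlwaysAllow,*) echo "FINDING: authorization mode includes AlwaysAllow" ;;
    esac
    return 0
}

# Constructed sample: an API server exposed the way the thread describes.
audit_apiserver_args --insecure-port=8080 --insecure-bind-address=0.0.0.0
```

An empty result means none of the three conditions was found; it does not show that the console's own route or ingress is protected.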

Christian Posta

Aug 5, 2016, 10:10:08 AM
to Rui Silva, fabric8
that is strange.. i believe fabric8 creates "Deployment" resources/objects to track these apps... can you check with the 'kubectl' command line if there are indeed deployments?

"kubectl get deployments --namespace=default"


Maybe can you open an issue here: http://github.com/fabric8io/fabric8




Christian Posta

Aug 5, 2016, 10:12:30 AM
to Rui Silva, fabric8
On Thu, Aug 4, 2016 at 8:49 AM, Rui Silva <rui.ped...@gmail.com> wrote:
> With a Vanilla kubernetes cluster installed on AWS and with the latest version of fabric8, I am afraid to say that there are a lot of things that simply don't work as expected. This is such a shame for such a promising and exciting project like Fabric8.

Damn! Sorry to hear your frustration. We'd like to help get these fixed ASAP. Can you open issues (http://github.com/fabric8io/fabric8) for these?

Or maybe this is your issue report? https://github.com/fabric8io/fabric8/issues/6213

Many apologies, many of the core engineers are on PTO these last few weeks. Nevertheless, let's get these tracked in the issue tracker and we'll sort them for you ASAP!

 

Venkat K

Aug 29, 2016, 4:10:34 PM
to fabric8, rui.ped...@gmail.com
Hello:

A very promising solution particularly for polyglots like us and thank you for all the great work. I have been playing with this on AWS. I have also run into many of the same issues and I wish I had looked into this topic ten days earlier.

I would like to add to the list the following:

1. Even if I change the source secret, only gogsadmin is used. I had artificially created a gogsadmin account in bitbucket to import an existing repo.
2. To find the gogsadmin password was a huge effort and I almost gave up. Even the fabric8 gogs dockerfile contained misleading information. Finally I found that in chat transcript.
3. Pipeline selection doesn't show up for certain type of projects like ruby on rails. I did find the pipeline in the library and had to perform certain kind of dance to get it all setup.
4. UI does freeze up frequently and apps list blank but reloading the page makes it appear.
5. There is no persistence of data on disk in AWS so when I restarted the docker for insecure registry it wiped out everything.
6. Wish the services are only exposed by default through kubernetes API (basic auth protected)


If two things someone can help that would help in taking this deploy to production.

1. Allow any source secret and not just gogsadmin. (At least some help to troubleshoot / workaround this)
2. Setup instructions for persisting the services data through some AWS volume

Thanks again.

Warm Regards,
Venkat.



James Rawlings

Aug 30, 2016, 8:09:07 AM
to Venkat K, fab...@googlegroups.com, rui.ped...@gmail.com
Hi Venkat,

Thanks for all the feedback - keep it coming. We know there's a few things we still need to look at asap like securing the console and supporting persistence in our core apps like Gogs. We are actively working on these and hope to have them released and available soon.

I've also added a few more comments below


James.




On 29 Aug 2016, at 21:10, Venkat K <venkat.su...@gmail.com> wrote:

> Hello:
>
> A very promising solution particularly for polyglots like us and thank you for all the great work. I have been playing with this on AWS. I have also run into many of the same issues and I wish I had looked into this topic ten days earlier.
>
> I would like to add to the list the following:
>
> 1. Even if I change the source secret, only gogsadmin is used. I had artificially created a gogsadmin account in bitbucket to import an existing repo.

yeah I just noticed this myself - there's an open issue we're working here that you might want to track https://github.com/fabric8io/fabric8/issues/6293#issuecomment-243379847

> 2. To find the gogsadmin password was a huge effort and I almost gave up. Even the fabric8 gogs dockerfile contained misleading information. Finally I found that in chat transcript.
>
> 3. Pipeline selection doesn't show up for certain type of projects like ruby on rails. I did find the pipeline in the library and had to perform certain kind of dance to get it all setup.

yeah this was spotted this weekend actually, should have a fix soon https://github.com/fabric8io/fabric8/issues/6294#issuecomment-243281968

> 4. UI does freeze up frequently and apps list blank but reloading the page makes it appear.

I've also noticed this, next time you hit this would you mind checking the browser javascript console logs and pop them in the issue I just raised https://github.com/fabric8io/fabric8/issues/6304

> 5. There is no persistence of data on disk in AWS so when I restarted the docker for insecure registry it wiped out everything.

yeah - definitely our #1 requested feature, it's actively being worked on and can be tracked here https://github.com/fabric8io/fabric8/issues/4413

> 6. Wish the services are only exposed by default through kubernetes API (basic auth protected)

as opposed to using ingress? yeah I guess we could force that although anyone would still be able to manually expose the services. I hope instead we can add basic auth OOTB instead pretty soon. existing issue to be tracked https://github.com/fabric8io/fabric8-console/issues/206

> If two things someone can help that would help in taking this deploy to production.
>
> 1. Allow any source secret and not just gogsadmin. (At least some help to troubleshoot / workaround this)

definitely, actively working on this and hope to be fixed soon

> 2. Setup instructions for persisting the services data through some AWS volume

agreed - there's some manual steps added by Antonin in the issue I mentioned above as a temp workaround until we sort it properly - https://github.com/fabric8io/fabric8/issues/4413#issuecomment-243370143