Troubleshooting: Auth header for Kubernetes-dashboard in ingress-nginx


Jan Malaník

Feb 11, 2025, 7:43:21 AM
to kubernetes-sig-ui

Hi,

I deployed the kubernetes-dashboard (https://github.com/kubernetes/dashboard) component and enabled access via ingress-nginx (https://github.com/kubernetes/ingress-nginx).

I can log in manually using a bearer token.

I'd like to use automatic authentication using a header added by ingress-nginx to the ingress, because the whole setup is using basic auth to protect all resources (SSO will come later).

I found only one paragraph in the documentation:

 "To make Dashboard use authorization header you simply need to pass Authorization: Bearer <token> in every request to Dashboard. This can be achieved i.e. by configuring reverse proxy in front of Dashboard. Proxy will be responsible for authentication with identity provider and will pass generated token in request header to Dashboard. Note that Kubernetes API server needs to be configured properly to accept these tokens."

In file: https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/README.md

 

I tried Requestly but it does not register any traffic. I suspect VPN configuration/security rules applied by company policies.

Can you advise how to troubleshoot the problem?

In the log for kubernetes-dashboard-auth I can see:

kubectl -n monitoring logs services/kubernetes-dashboard-auth 

E0211 11:58:26.612060       1 handler.go:33] "Could not get user" err="MSG_LOGIN_UNAUTHORIZED_ERROR"

Thank you, Jan

# kubernetes-dashboard is deployed in default using:

helm upgrade --install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --create-namespace --namespace monitoring

Below are relevant configs:

#ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sg-ingress-k8s-dashboard
  namespace: monitoring #ingress-nginx
  annotations:
#    nginx.ingress.kubernetes.io/auth-type: basic
#    nginx.ingress.kubernetes.io/auth-realm: 'To access this  website you are required to authenticate.'
#    nginx.ingress.kubernetes.io/auth-secret: 'sg-basic-auth'
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "Authorization: super-long-secret-token"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - kubernetes.domain.com
    secretName: sg-tls-secret
  rules:
  - host: kubernetes.domain.com
    http:
      paths:
      - path: /(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: kubernetes-dashboard-kong-proxy
            port:
              number: 443


Configuration-snippets are allowed in ingress controller configmap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-configmap
controller:
  allowSnippetAnnotations: true
  hostNetwork: true
  nodeSelector:
    kubernetes.io/hostname: team
  config:
    annotations-risk-level: Critical
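
Added example, not part of the original post and not the poster's or the project's configuration: the Ingress above with the header injected as a request header toward the Dashboard, in the "Authorization: Bearer <token>" form the quoted documentation describes. `<TOKEN>` is a placeholder, and re-enabling the commented-out basic-auth annotations is an assumption based on the setup described in the post.

```yaml
# Added example. <TOKEN> is a placeholder for the bearer token.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sg-ingress-k8s-dashboard
  namespace: monitoring
  annotations:
    # Basic auth at the edge (the three annotations commented out in the post).
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-realm: 'To access this website you are required to authenticate.'
    nginx.ingress.kubernetes.io/auth-secret: 'sg-basic-auth'
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # As posted:  more_set_headers "Authorization: super-long-secret-token"
    #   - more_set_headers (headers-more module) modifies the RESPONSE returned
    #     to the browser, so the Dashboard never receives the header.
    #   - the value carries no "Bearer " scheme.
    # proxy_set_header sets the REQUEST header sent to the upstream and
    # replaces the client's own "Authorization: Basic ..." header.
    # The token is stored in clear text in this Ingress object, so anyone
    # who can read Ingresses in the namespace can read it.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header Authorization "Bearer <TOKEN>";
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - kubernetes.domain.com
    secretName: sg-tls-secret
  rules:
  - host: kubernetes.domain.com
    http:
      paths:
      - path: /(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: kubernetes-dashboard-kong-proxy
            port:
              number: 443
```

With the token injected by the proxy, the basic-auth gate is the only per-user control and every visitor acts with that one token's permissions, so the account behind the token should be bound to the narrowest RBAC role that works. Whether the directive was rendered can be checked in the controller pod's /etc/nginx/nginx.conf.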

 

 
