k8s-dashboard-impersonation-proxy

command module

v0.4.0 Latest Latest Go to latest Published: Apr 15, 2024 License: MIT Imports: 11 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/aslafy-z/k8s-dashboard-impersonation-proxy

Links

Open Source Insights

README ¶

k8s-dashboard-impersonation-proxy

This is a tool that injects authorization and remaps impersonation headers to the Kubernetes Dashboard format.

Kubernetes dashboard impersonation scheme

References:

Usage with nginx and oauth2-proxy

oauth2-proxy reference: https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/

oauth2-proxy with the --set-xauthrequest flag will set the following headers:

X-Auth-Request-Preferred-Username holding the username
X-Auth-Request-Groups holding the groups (comma separated)

This tool will remap these headers to the Kubernetes Dashboard impersonation headers:

Impersonate-User holding the username
Impersonate-Group holding the groups (one header per group)

Additionally, it will inject the Authorization header with the Bearer token sourced from a Kubernetes service account.

⚠️ Caution: This proxy works well with kubernetes-dashboard set to 1 replicas. ⚠️

Local development

$ go build
$ ./k8s-dashboard-impersonation-proxy
2023/04/12 16:31:24 Starting Server

$ curl http://localhost:8080
# should send request to target url

Setup

Automatically built Docker image can be found at ghcr.io/aslafy-z/k8s-dashboard-impersonation-proxy:latest. Latest being the latest release, you can replace it with any Git tag.

Demo

$ kind create cluster
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
$ kubectl apply -f https://raw.githubusercontent.com/aslafy-z/k8s-dashboard-impersonation-proxy/main/deploy/sample.yaml
$ kubectl wait deployment -n kubernetes-dashboard kubernetes-dashboard --for condition=Available=True
$ kubectl wait deployment -n kubernetes-dashboard k8s-dashboard-impersonation-proxy --for condition=Available=True
$ kubectl port-forward -n kubernetes-dashboard service/k8s-dashboard-impersonation-proxy 8080:80
$ curl http://localhost:8080/api/v1/service/default -H 'Impersonate-User: restricted-user'
# User 'restricted-user' CAN list services in default namespace
$ curl http://localhost:8080/api/v1/service/kube-system -H 'Impersonate-User: restricted-user'
# User 'restricted-user' CAN NOT list services in kube-system namespace
$ curl -vv http://localhost:8080/api/v1/service/kube-system -H 'Impersonate-User: admin' -H 'Impersonate-Group: system:masters'
# Group 'system:masters' CAN list services in default namespace

TBD - Sample Kubernetes setup with oauth2-proxy.

Contributing

Simply create an issue or a pull request.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL