github kubernetes/dashboard kubernetes-dashboard-7.0.0

8 months ago

Breaking change

This release introduces a couple of important changes to how Kubernetes Dashboard generally works. It requires a clean installation.

API container

It is now fully stateless, meaning it does not rely on Kubernetes resources to run. It will always require an authorization token to be present to authorize the request. It is no longer possible for the API container to use its own SA privileges to skip authorization. All arguments that were frontend specific have either been removed or moved to the Web container.

  • The JWE encrypted token has been removed completely and we now rely fully on standard JWT tokens. This change has significantly simplified the auth flow.
  • The Web container now manages Settings ConfigMap
  • The plugin system has been removed as it was outdated and not working anymore. Currently, there is no plan to reintroduce it as it would require too much effort to maintain.
  • Added csrf-key argument: a Base64-encoded random 256-byte key. Can be loaded from the CSRF_KEY environment variable.

Auth container

Authentication logic is now handled by the new dashboard auth container. Currently, it only exposes the /login endpoint. We will also add support for OIDC with OAuth flow and a /me endpoint in the future.

  • Added csrf-key argument: a Base64-encoded random 256-byte key. Can be loaded from the CSRF_KEY environment variable.
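
One way to produce and sanity-check a value for the csrf-key argument / CSRF_KEY variable of the API and Auth containers when it is supplied by hand rather than by the chart (added example, not code from the Dashboard project). It assumes the standard Base64 alphabet and a `base64` tool that accepts `-d`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: generate and validate a CSRF_KEY value.
# Per the release notes the key is 256 random bytes, Base64 encoded.
CSRF_KEY_BYTES=256

# Print a fresh key on a single line. base64 wraps its output by default;
# a wrapped value would be cut at the first newline in an env var or flag.
gen_csrf_key() {
    head -c "$CSRF_KEY_BYTES" /dev/urandom | base64 | tr -d '\n'
}

# Return 0 and print "ok" only if the argument is single-line Base64
# (standard alphabet, an assumption) that decodes to exactly 256 bytes.
check_csrf_key() {
    key=$1
    case $key in
        '' | *[!A-Za-z0-9+/=]*)
            echo "invalid: empty, wrapped, or not standard Base64"
            return 1
            ;;
    esac
    # Count decoded bytes; a malformed value yields a short count.
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    if [ "$n" -ne "$CSRF_KEY_BYTES" ]; then
        echo "invalid: decodes to $n bytes, expected $CSRF_KEY_BYTES"
        return 1
    fi
    echo "ok"
}

# Usage (not executed here):
#   CSRF_KEY=$(gen_csrf_key) && check_csrf_key "$CSRF_KEY" && export CSRF_KEY
```

The same check is useful before a rollout to catch a key that was truncated or line-wrapped while being copied into a secret or environment file.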

Web container

  • Settings save now uses user permissions instead of Dashboard.
  • Removed restore settings ConfigMap logic
  • Increased default resource autorefresh time interval to 10 seconds
  • Added a small script to index.html to dynamically generate tag.

Go backend

  • The backend now handles frontend settings and uses ConfigMap to store them.
  • Settings backend has been updated to handle merge with default options properly in case ConfigMap does not contain all available options.
  • Replaced restful-go with gin as main web framework

Angular frontend

Since the API now requires the user to always provide Authorization: Bearer <token>, there is no way to skip login and act as the Dashboard.

  • Removed support for authentication options other than token on the login screen
  • Removed support for skip login option
  • Slightly updated login view
  • Fixed an issue with zero state not being correctly displayed on some pages

Kong gateway

Since the number of our containers is growing as we split parts of the logic, we have decided to use a gateway that will connect all of them and ensure the Dashboard is working properly. There were a couple of reasons to choose Kong:

  • Open Source with proper license
  • Support for DBless configuration
  • Easily configurable
  • Popular
  • Single container gateway when running in DBless mode

It will now be a required dependency that we use to expose the Dashboard. Users can then reconfigure it or use another proxy in front of it. It will simply act as a single point when accessing the Kubernetes Dashboard.

Metrics scraper

  • Changed the sqlite Go dependency to a driver implementation that does not require CGO_ENABLED=1 during the build. It is a pure Go implementation.

Helm chart

This is a complete overhaul of the helm chart. It includes:

  • Added DBless, single-container kong deployment as a default gateway for the Kubernetes Dashboard. This is a required dependency.
  • Settings ConfigMap name/namespace is now configurable via values.yaml → web.settings.configMap entry.
  • Scaling configuration has been split to allow configuring replicas for each container separately.
  • Metrics scraper service name is no longer hardcoded in the API container. Its name is now generated similarly to other deployments/services.
  • CSRF key is now generated by Helm and imported as an env var into the containers. This allowed us to drop the generation logic and the direct dependency on this secret from the code.
  • Image pull secrets are now properly respected by all deployments.
  • RBACs for every deployment have been separated to make sure that every container gets as few permissions as possible.
  • Ingress configuration has been updated to be more flexible:
    • Dashboard can now be served more easily on a subpath simply by enabling app.ingress.enabled=true and app.ingress.path=/dashboard. It would serve Dashboard on https://localhost/dashboard by default.
    • Default annotations can now be disabled via app.ingress.useDefaultAnnotations=false
    • ingressClassName can now be omitted from the spec, in which case it should fall back to the default ingress class (if configured). This is controlled by app.ingress.useDefaultIngressClass.
  • Helm chart now supports API-only mode, meaning that you can deploy only an API container. This can be achieved with the following configuration:
    • app.mode=api
    • kong.enabled=false
    • Optionally you can also disable metrics with api.containers.args={--metrics-provider=none}
  • cert-manager, nginx and metrics-server are now disabled by default. Only kong dependency is required.
  • clusterReadOnlyRole has been removed since it is no longer possible to use Dashboard permissions to access the cluster. User access is required at all times.

Installation

helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
helm upgrade --install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --create-namespace --namespace kubernetes-dashboard

Compatibility

Kubernetes version 1.27 1.28 1.29
Compatibility ? ?
  • Fully supported version range.
  • ? Due to breaking changes between Kubernetes API versions, some features might not work correctly in the Dashboard.

Images

docker.io/kubernetesui/dashboard-api:1.2.0
docker.io/kubernetesui/dashboard-auth:1.1.0
docker.io/kubernetesui/dashboard-metrics-scraper:1.1.1
docker.io/kubernetesui/dashboard-web:1.2.0

What's Changed

  • Mostly things described in Breaking change
  • Dependency updates

Full Changelog: v3.0.0-alpha0...kubernetes-dashboard-7.0.0
