Securing the dashboard in a Kubernetes cluster

Hello,
I would like to secure my dashboard. To do so, I created a middleware and a secret,
but for the instance it's not working.

my-dashboard-secret.yaml

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
spec:
  basicAuth:
    secret: dashboard-secret

---
apiVersion: v1
kind: Secret
metadata:
  name: dashboard-secret
  namespace: default
data:
  dashboard-users.htpasswd: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Then I mounted the secret as a volume in my Traefik instance.

my-traefik.yaml

kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: traefik
  labels:
    app: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller

      # use the volume
      volumes:
      - name: vol-dashboard-users-file
        secret:
          # secret should be created manually from the dashboard-users.htpasswd file
          secretName: dashboard-secret

      containers:
        - name: traefik
          image: traefik:v2.3
          args:
            # secure mode
            - --api.dashboard=true

            - --entrypoints.web.address=:80
            - --entrypoints.web.http.redirections.entryPoint.to=websecure
            - --entrypoints.web.http.redirections.entryPoint.scheme=https
            - --entrypoints.websecure.address=:443
            - --entrypoints.websecure.http.tls
            - --providers.kubernetescrd
            - --certificatesresolvers.myresolver.acme.tlschallenge
            - --certificatesresolvers.myresolver.acme.email=xxxxxxxxxxx@gmail.com
            - --certificatesresolvers.myresolver.acme.storage=acme.json
          ports:
            - name: web
              containerPort: 80
            - name: websecure
              containerPort: 443

          # volume mounted
          volumeMounts:
          - mountPath: "/secrets/"
            name: vol-dashboard-users-file

Thanks for your help

Hello @harunaya,

Thanks for your interest in Traefik!

First, your secret does not have the required users key as described in the following documentation (check out the content of the Kubernetes tab). Your secret should be something like:

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
spec:
  basicAuth:
    secret: dashboard-secret

---
apiVersion: v1
kind: Secret
metadata:
  name: dashboard-secret
  namespace: default
data:
  # Here the encoded user:password is traefik:traefik
  users: |
    dHJhZWZpazokYXByMSQuVEhDTjUuNCRhSDdtR1dPMGxDUXU0Qi80Tkw0MGQxCg==

Then you will have to create an IngressRoute to expose and secure the dashboard through Traefik. The router rule must be adapted to fit your needs as explained here.

Note: it's not needed to mount the dashboard-secret in the Traefik pod.

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.local`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      middlewares:
        - name: dashboard-auth
      services:
        - name: api@internal
          kind: TraefikService

Finally, you will be able to access your dashboard at: https://traefik.local/dashboard/

Hope this helps!

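A pre-apply check for the mistake pointed out in the answer above, added here as an example (it is not code from the thread or from Traefik). It takes the `data` map of a Secret and reports a missing `users` key, a value that is not base64, or an entry whose password is not an htpasswd hash; the function name and the prefix-based hash detection are assumptions of this example.

```python
import base64
import binascii
import re

# Assumption of this example: hashes are recognised by their htpasswd prefix
# (apr1 MD5, bcrypt, SHA1), the formats Traefik's basicAuth accepts.
HASH_PREFIX = re.compile(r"^(\$apr1\$|\$2[aby]\$|\{SHA\})")

# `data` of the Secret posted in the question (value is redacted on the page).
QUESTION_DATA = {"dashboard-users.htpasswd": "<redacted>"}
# `data` of the Secret posted in the answer (user traefik, password traefik).
ANSWER_DATA = {
    "users": "dHJhZWZpazokYXByMSQuVEhDTjUuNCRhSDdtR1dPMGxDUXU0Qi80Tkw0MGQxCg==\n"
}


def check_basic_auth_secret(data):
    """Return the problems found in a Secret's `data` map; [] means usable."""
    if "users" not in data:
        found = ", ".join(sorted(data)) or "none"
        return ["missing 'users' key (keys present: %s)" % found]
    try:
        # Drop the line breaks a YAML block scalar adds before decoding.
        raw = base64.b64decode("".join(data["users"].split()), validate=True)
        lines = [l for l in raw.decode("utf-8").splitlines() if l.strip()]
    except (binascii.Error, UnicodeDecodeError) as exc:
        return ["'users' is not base64-encoded text: %s" % exc]
    problems = [] if lines else ["'users' decodes to an empty user list"]
    for number, line in enumerate(lines, 1):
        user, sep, hashed = line.partition(":")
        if not sep or not user:
            problems.append("line %d is not in user:hash form" % number)
        elif not HASH_PREFIX.match(hashed):
            # Never echo the value itself: it may be a plaintext password.
            problems.append("line %d: password of %r is not hashed" % (number, user))
    return problems


if __name__ == "__main__":
    for name, data in (("question", QUESTION_DATA), ("answer", ANSWER_DATA)):
        print(name, check_basic_auth_secret(data) or "OK")
```
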

Thanks for your help @kevinpollet
It's working very well
