kyma-project / busola

Web based Kubernetes Dashboard with a focus on privacy that requires no active components or special privileges in your cluster.
Apache License 2.0
26 stars 49 forks source link
dashboards hacktoberfest kubernetes

REUSE status

Busola

Overview

Busola is a web-based UI for managing resources within a Kubernetes cluster. It's based on the ReactJS library.

Subcomponents

Busola project contains additional sub-projects:

Prerequisites

Busola supports:

Installation

To install dependencies for the root and backend projects, and to prepare symlinks for local libraries within this repository, run the following command:

npm install

Read Install Kyma Dashboard manually to learn how to install the Dashboard with Istio Ingress and how to install it on a Kyma cluster.

Usage

Run the npm start command.

Configuration

Learn about the default configuration in Busola and how to change it.

Default Configuration

Busola is delivered with the following default settings:

Parameter Comment Default Value
features Switches a set of Busola features on and off. Use selectors to configure conditions for the features. To switch them off, set isEnabled=false. isEnabled=true
version Configuration version. Don’t edit this. Can be empty. the most recent release

Configuration sources

Busola configuration is the product of gathering and merging the configurations from several individual sources. The following list presents the sources in the order of precedence:

Backend:

Frontend:

Change the Configuration

If you have the required authorizations and access to the kubeconfig, you can change the settings for the Busola cluster configuration and the target cluster configuration.

With the feature toggles, you can switch each Busola feature on or off and configure them to fit your needs. Features comprise the following elements:

See the available Busola feature flags for more information.

Environment-Specific Settings

You can provide an override to the default configuration with your own environment-specific settings. Follow this pattern to structure your custom environment directory and place it in public/environments.

custom-env/
├── config
│   └── config.yaml
└── extensions
    ├── extensions.yaml
    └── wizards.yaml

[!WARNING] The extensions.yaml, statics.yaml, wizards.yaml, and config.yaml files are necessary for Busola to work properly.

To activate your environment configuration, create or edit the active.env file in the public directory. Follow this example of the active.env file:

ENVIRONMENT=your-environment-name

When ENVIRONMENT is set to my-env, Busola looks for your custom configuration in public/environemnt/my-env. If ENVIRONMENT is not set, Busola fetches the default configuration with the same structure as the custom configuration located in the public directory.

In the case of the Docker image, the active.env file is created at the startup of the image from the environment specified in the ENVIRONMENT variable.

Development

Start all views

Use the following command to run Busola locally:

npm start

After a while, open the http://localhost:8080 address in your browser, and provide your kubeconfig in the Connect cluster wizard.

Once you started Busola locally, you can begin the development. All modules have the hot-reload feature enabled, therefore, you can edit the code in real-time and see the changes in your browser.

The apps you started run at the following addresses:

Security countermeasures

When developing new features in Busola, adhere to the following rules. This will help you to mitigate any security-related threats.

  1. Prevent cross-site request forgery (XSRF).

    • Do not store the authentication token as a cookie. Make sure the token is sent to Busola backend as a bearer token.
    • Make sure that the state-changing operations (POST, PUT, DELETE, and UPDATE requests) are only triggered upon explicit user interactions, such as form submissions.
    • Keep in mind that UI rendering in response to the user navigating between views is only allowed to trigger read-only operations (GET requests) without any data mutations.
  2. Protect against cross-site scripting (XSS).

    • It is recommended to use JS frameworks that have built-in XSS prevention mechanisms, such as ReactJS, Vue.js, or Angular.
    • As a rule of thumb, you cannot perceive user input to be 100% safe. Get familiar with prevention mechanisms included in the framework of your choice. Make sure the user input is sanitized before it is embedded in the DOM tree.
    • Get familiar with the most common XSS bypasses and potential dangers. Keep them in mind when writing or reviewing the code.
    • Enable the Content-security-policy header for all new micro frontends to ensure in-depth XSS prevention. Do not allow for unsafe-eval policy.

Run tests

For the information on how to run tests and configure them, go to the tests directory.

Busola in Docker

Adding a cluster using kubeconfig ID

  1. If you run Busola in Docker, you can mount your kubeconfig as a bind mount for Busola container. Execute the following command:

    docker run --rm -it -p 3001:3001 -v <path to your kubeconfig>:/app/core-ui/kubeconfig/<your kubeconfig file name> --pid=host --name busola europe-docker.pkg.dev/kyma-project/prod/busola:latest
  2. When you open Busola in your browser, go to http://localhost:3001?kubeconfigID={YOUR_KUBECONFIG_FILE_NAME}. Busola will try to download that file and add it for your Busola instance.

Set active environment

  1. To use one of the built-in environments in the busola-kyma image (dev, stage, prod), pass env ENVIRONMENT to the Docker container.
    docker run --rm -it -p 3001:3001 -v --env ENVIRONMENT={your-env}--pid=host --name busola europe-docker.pkg.dev/kyma-project/prod/busola-kyma-web:latest
  2. To use a custom environment configuration, mount it in Docker and pass the ENVIRONMENT env to the Docker container.
    docker run --rm -it -p 3001:3001 -v <path to your custom config>:/app/core-ui/environments/ --env ENVIRONMENT={your-env} --pid=host --name busola europe-docker.pkg.dev/kyma-project/prod/busola:latest

Troubleshooting

TIP: To solve most of the problems with Busola development, clear the browser cache or do a hard refresh of the website.

Connectivity Issues with Busola Against a k3d Cluster

Symptom

You are experiencing connectivity problems with Busola in Docker against a k3d cluster.

Cause

When the k3d cluster's API Server is exposed on the 0.0.0.0 address on your machine, Busola in Docker interprets 0.0.0.0 as its internal Docker address, routing the requests to the wrong endpoint.

Remedy

SSL Certificate Issue While Connecting to the API Server

Symptom

When you run Busola in Docker on macOS, it can't connect to the k3d cluster. The container log contains the following errors:

Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: host.docker.internal. is not in the cert's altnames: DNS:k3d-k3s-default-server-0, DNS:k3d-k3s-default-serverlb, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, IP Address:0.0.0.0, IP Address:10.43.0.1, IP Address:127.0.0.1, IP Address:172.28.0.3, IP Address:0:0:0:0:0:0:0:1

Cause

Busola run in a Docker container with the environment variable DOCKER_DESKTOP_CLUSTER=true replaces the IP 0.0.0.0 in the API Server URL with host.docker.internal. Kubernetes is not aware of that host name, so its API Server doesn't have it in the SSL certificate, which results in the above error.

Furthermore, this behavior has changed in the recent k3d versions, which is a result of this fix for this security issue.

Clusters created by k3d use a listener that extracts SNI host names from requests sent to the API server. If a new host name is requested, then the SSL certificate is regenerated, and the new host name is added to the list of Subject Alternative Names. Unfortunately, the security fix limits this mechanism only to the expected host names, like those related to Kubernetes nodes. This makes it useless for the host.docker.internal case.

Remedy

Provide the host.docker.internal host name upfront during k3d cluster creation:

k3d cluster create kyma --k3s-arg '--tls-san=host.docker.internal@server:*'

A cluster created in such a way has the host.docker.internal set as Subject Alternative Name in the SSL Certificate of the API Server since the very beginning.

Contributing

See the Contributing Rules.

Code of Conduct

See the Code of Conduct document.

Licensing

See the license file.