OpenShift: disabling the web console

2 min read | by Jordi Prats

When running an OpenShift cluster, we'll find that it exposes a web-based console that allows you not only to deploy applications but also to manage the cluster. However, since it is an additional way to access the cluster, we might have some concerns about it, especially from a security perspective. Specifically, the console can be an attack vector for gaining unauthorized access to the cluster. Let's see how to disable it.

We can find the console deployed, by default, in the openshift-console namespace:

$ kubectl get pods -n openshift-console
NAME                        READY   STATUS    RESTARTS   AGE
console-7c7f7979c7-vbgq8    1/1     Running   0          1d
console-7c7f7979c7-jprxx    1/1     Running   0          1d
downloads-54f4dcfcd-9dpb5   1/1     Running   0          2d
downloads-54f4dcfcb-b5nnm   1/1     Running   0          2d
$ kubectl get route -n openshift-console
NAME        HOST/PORT                                                              PATH   SERVICES    PORT    TERMINATION          WILDCARD
console     console-openshift-console.apps.test-rosa.abcd.p1.openshiftapps.com            console     https   reencrypt/Redirect   None
downloads   downloads-openshift-console.apps.test-rosa.abcd.p1.openshiftapps.com          downloads   http    edge/Redirect        None

In OpenShift, there's an operator for everything, and the web console is no exception. We can configure it through the console object named cluster. If we retrieve it, by default there's not much configured:

$ kubectl get console cluster -n openshift-console -o yaml
apiVersion: config.openshift.io/v1
kind: Console
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    release.openshift.io/create-only: "true"
  creationTimestamp: "2022-01-15T22:31:19Z"
  generation: 1
  name: cluster
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: 29c60660-ded7-4fdd-b41e-a236a57bea4d
  resourceVersion: "56372107"
  uid: 7f679be4-72ff-4f3d-a4f2-e35fd038e936
spec: {}
status:
  consoleURL: https://console-openshift-console.apps.test-rosa.abcd.p1.openshiftapps.com

To disable it, we'll need to set the spec.managementState attribute to Removed. We can do so with kubectl edit:

kubectl edit console cluster -n openshift-console 

With the attribute added, the object looks like this:

$ kubectl get console cluster -n openshift-console -o yaml
apiVersion: config.openshift.io/v1
kind: Console
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    release.openshift.io/create-only: "true"
  creationTimestamp: "2022-01-15T22:31:19Z"
  generation: 1
  name: cluster
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: 29c60660-ded7-4fdd-b41e-a236a57bea4d
  resourceVersion: "56372107"
  uid: 7f679be4-72ff-4f3d-a4f2-e35fd038e936
spec:
  managementState: Removed
status:
  consoleURL: https://console-openshift-console.apps.test-rosa.abcd.p1.openshiftapps.com
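
A non-interactive way to apply the same change and then check that it took effect, added here as an example that is not part of the original post. It addresses the object by its fully qualified resource name consoles.operator.openshift.io (the name used in the OpenShift documentation, since the short name console is served by more than one API group) and assumes the operator deletes the console route once it has reconciled the change; the function names and the apply/audit arguments are hypothetical.

```shell
#!/bin/sh
# Added example: apply and verify "managementState: Removed" for the web console.

# Print spec.managementState from Console YAML on stdin ("unset" if absent).
management_state() {
  awk '
    /^[^ ]/ { in_spec = ($1 == "spec:") }   # remember which top-level key we are under
    in_spec && $1 == "managementState:" { print $2; found = 1 }
    END { if (!found) print "unset" }'
}

# Succeed if a route named "console" appears in `kubectl get route` output on stdin.
console_route_present() {
  awk '$1 == "console" { hit = 1 } END { exit !hit }'
}

# $1 = Console YAML, $2 = route listing. Returns 0 only when the console is
# declared Removed and its route is gone (assumption: the operator deletes the
# route once it has reconciled the change).
audit_console() {
  state=$(printf '%s\n' "$1" | management_state)
  if [ "$state" != "Removed" ]; then
    echo "FAIL: managementState is $state"; return 1
  fi
  if printf '%s\n' "$2" | console_route_present; then
    echo "FAIL: console route still exposed"; return 1
  fi
  echo "OK: console removed"
}

# Assumption: the fully qualified resource name, since the short name "console"
# is served by more than one API group.
RES=consoles.operator.openshift.io

case "${1:-}" in
  apply)  # non-interactive equivalent of the kubectl edit step
    kubectl patch "$RES" cluster --type merge \
      -p '{"spec":{"managementState":"Removed"}}' ;;
  audit)  # run after the operator has had time to reconcile
    audit_console "$(kubectl get "$RES" cluster -o yaml)" \
      "$(kubectl get route -n openshift-console --no-headers 2>/dev/null)" ;;
esac
```

Run it with apply once, then with audit from a scheduled job or pipeline so that a console that has been re-enabled shows up as a failed check.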

Posted on 26/01/2023