DevOps Buzz
Dashboard
K8s dashboard tricks.

v1.x

Deploy Dashboard

Deploy it.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
Proxy.
kubectl proxy
Access.

Reference

GitHub - kubernetes/dashboard: General-purpose web UI for Kubernetes clusters

Dashboard permissions

Allow full public access

cat > /tmp/k8s-dashboard-public.yml <<EOF
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
EOF
Apply:
kubectl create -f /tmp/k8s-dashboard-public.yml
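This binds the Dashboard's own service account to cluster-admin, so anyone who can reach the Dashboard and skips the login screen acts as a cluster administrator. This is not recommended for production environments.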

Create user

Create a user called admin-user
cat > /tmp/k8s-user.yml <<EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
EOF
Apply:
kubectl apply -f /tmp/k8s-user.yml
Get token:
kubectl -n kube-system \
  describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
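A defender-side check for the two bindings created above, added here as an example and not part of the original page: it reads the JSON printed by kubectl get clusterrolebindings -o json and lists every service account bound to cluster-admin. The sample input is constructed, and the v2.x Dashboard service account name is an assumption.

```python
import json
import sys

# Constructed sample, shaped like `kubectl get clusterrolebindings -o json`.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "kubernetes-dashboard"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                   "namespace": "kube-system"}]},
    {"metadata": {"name": "admin-user"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "admin-user",
                   "namespace": "kube-system"}]},
    {"metadata": {"name": "ci-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "default"}]},
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "orphan"},  # binding without subjects
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]})

# Accounts the Dashboard pod runs as: kube-system for v1.x (from this page);
# the v2.x service account name is an assumption.
DASHBOARD_SAS = {("kube-system", "kubernetes-dashboard"),
                 ("kubernetes-dashboard", "kubernetes-dashboard")}

def audit_cluster_admin(bindings_json):
    """Return (binding, namespace, account, severity) for each ServiceAccount
    bound to the cluster-admin ClusterRole."""
    findings = []
    for item in json.loads(bindings_json).get("items", []):
        ref = item.get("roleRef", {})
        if (ref.get("kind"), ref.get("name")) != ("ClusterRole", "cluster-admin"):
            continue
        for subj in item.get("subjects") or []:  # subjects may be missing or null
            if subj.get("kind") != "ServiceAccount":
                continue
            key = (subj.get("namespace", ""), subj.get("name", ""))
            # The Dashboard's own account backs sessions that skip login.
            severity = "CRITICAL" if key in DASHBOARD_SAS else "HIGH"
            findings.append((item["metadata"]["name"], *key, severity))
    return findings

if __name__ == "__main__":
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    for name, ns, sa, sev in audit_cluster_admin(piped.strip() or SAMPLE):
        print(f"{sev:8} {ns}/{sa} via ClusterRoleBinding {name}")
```

To run it against a live cluster, pipe the kubectl output into the script; with no piped input it falls back to the constructed sample.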

References

Get dashboard URL

kubectl cluster-info
If you are using kubectl proxy, the dashboard URL should be:

Expose the Dashboard

Edit kubernetes-dashboard service:
kubectl -n kube-system edit service kubernetes-dashboard
You should see the YAML representation of the service. Change type: ClusterIP to type: NodePort and save the file.
Next we need to check the port on which the Dashboard was exposed.
$ kubectl -n kube-system get service kubernetes-dashboard
NAME                   CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   10.100.124.90   <nodes>       443:31707/TCP   21h
The Dashboard has been exposed on port 31707 (HTTPS). Now you can access it from your browser at: https://<master-ip>:31707. master-ip can be found by executing kubectl cluster-info.

References

v2.x

Deploy Dashboard

Deploy it.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta4/aio/deploy/recommended.yaml
Proxy.
kubectl proxy
Access.

Reference

Dashboard permissions

Create user

Create a user called dashboard-admin-user
cat > /tmp/k8s-user.yml <<EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: dashboard-admin-user
  namespace: kubernetes-dashboard
EOF
Apply:
kubectl apply -f /tmp/k8s-user.yml
Get token:
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secrets | grep dashboard-admin-user-token | awk '{print $1}')

Deploying a publicly accessible Kubernetes Dashboard

1. Certificates

You need dashboard.key and dashboard.crt files for HTTPS.
It is easy to create self-signed ones like so:
mkdir $HOME/certs
cd $HOME/certs
openssl genrsa -out dashboard.key 2048
openssl rsa -in dashboard.key -out dashboard.key
openssl req -sha256 -new -key dashboard.key -out dashboard.csr -subj '/CN=localhost'
openssl x509 -req -sha256 -days 365 -in dashboard.csr -signkey dashboard.key -out dashboard.crt
Replace localhost accordingly.
Next, load the certificates into a secret:
kubectl -n kube-system \
  create secret generic kubernetes-dashboard-certs \
  --from-file=$HOME/certs

2. Deploy dashboard

Use the recommended setup to magically deploy the kubernetes-dashboard service account, role, rolebinding, deployment and service.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

3. Check if the replica set is fulfilled

Find the dashboard replica set:
kubectl -n kube-system get rs
If the desired, current and ready counts are all 1, then congratulations! You can skip to step 5.
Otherwise, if desired is 1 but the current and ready counts are 0, then chances are you are using Pod Security Policy. In the absence of a valid policy, the default is to reject.
Get the details:
kubectl -n kube-system describe rs kubernetes-dashboard-xxxxxxxxxx
If you see a message such as unable to validate against any pod security policy: [], then continue to step 4.

4. Set up Pod Security Policy

If you haven’t already done so, create an appropriate Pod Security Policy that will be used to create the dashboard pod.

4.1 Create a PSP

Tweak to your requirements. A permissive example but blocking privileged mode:
kubectl -n kube-system create -f - <<EOF
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: dashboard
spec:
  privileged: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
EOF

4.2 Create a role to allow use of the PSP

kubectl -n kube-system create role psp:dashboard --verb=use --resource=podsecuritypolicy --resource-name=dashboard

4.3 Bind the role to kubernetes-dashboard service account

kubectl -n kube-system create rolebinding kubernetes-dashboard-policy --role=psp:dashboard --serviceaccount=kube-system:kubernetes-dashboard
Check that the output of the following command is yes:
kubectl --as=system:serviceaccount:kube-system:kubernetes-dashboard -n kube-system auth can-i use podsecuritypolicy/dashboard
After a while, check the status of your replica set and it should now have been able to create the pods!
If you still have trouble, check that the permissions of your PSP are appropriate for the dashboard (this is left as an exercise for the reader).

5. Expose dashboard service on a NodePort

Finally, we can expose the dashboard service on a NodePort. This will allow it to be publicly accessible via a port forwarded on the Kubernetes hosts.
Edit the kubernetes-dashboard service and change the following options:
  • spec.type from ClusterIP to NodePort
  • spec.ports[0].nodePort from 32641 to whatever port you want it to be exposed on
kubectl -n kube-system edit service kubernetes-dashboard
When you save and close the text file, find out which port was allocated:
# kubectl -n kube-system get services
NAME                   TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   ...          <none>        53/UDP,53/TCP   28d
kubernetes-dashboard   NodePort    ...          <none>        443:32641/TCP   27m
Here you can see that the dashboard was assigned port 32641. It should now be accessible in your browser on that port, and because we created a self-signed (or installed a valid) certificate, you won’t run into the corrupt certificate problem on Windows clients.
Then access https://YOUR.MASTER.IP:32641

Reference