kubectl -n kube-system edit service kubernetes-dashboard
You should see yaml representation of the service. Change type: ClusterIP to type: NodePort and save file.
Next we need to check port on which Dashboard was exposed.
$ kubectl -n kube-system get service kubernetes-dashboard
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes-dashboard 10.100.124.90 <nodes> 443:31707/TCP 21h
Dashboard has been exposed on port 31707 (HTTPS). Now you can access it from your browser at: https://<master-ip>:31707. master-ip can be found by executing kubectl cluster-info
If the desired, current and ready counts are all 1, then congratulations! You can skip to step 5.
Otherwise, if desired is 1 but current and ready counts are 0, then chances are you using Pod Security Policy - in the absense of a valid policy, the default is to reject.
Check that the output of the following command is yes:
kubectl --as=system:serviceaccount:kube-system:kubernetes-dashboard -n kube-system auth can-i use podsecuritypolicy/dashboard
After a while, check the status of your replica set and it should now have been able to create the pods!
If you still have trouble, check that the permissions of your PSP are appropriate for the dashboard (this is left as an exercise for the reader).
5. Expose dashboard service on a NodePort
Finally, we can expose the dashboard service on a NodePort. This will allow it to be publically accessible via a port forwarded on the Kubernetes hosts.
Edit the kubernetes-dashboard service and change the following options:
spec.type from ClusterIP to NodePort
spec.ports[0].nodePort from 32641 to whatever port you want it to be exposed on
kubectl -n kube-system edit service kubernetes-dashboard
When you save the close the text file, find out which port was allocated:
# kubectl -n kube-system get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP ... <none> 53/UDP,53/TCP 28d
kubernetes-dashboard NodePort ... <none> 443:32641/TCP 27m
Here you can see that the dashboard was assigned port 32641. It should now be accessible in your browser on that port, and because we created a self-signed (or installed a valid) certificate, you won’t run into the corrupt certificate problem on Windows clients.