Dashboard
K8s dashboard tricks.
Deploy it.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
Proxy.
kubectl proxy
Access.
cat > /tmp/k8s-dashboard-public.yml <<EOF
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard
labels:
k8s-app: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
EOF
Apply:
kubectl create -f /tmp/k8s-dashboard-public.yml
This is not recommended for production environments.
Create a user called
admin-user
cat > /tmp/k8s-user.yml <<EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kube-system
EOF
Apply:
kubectl apply -f /tmp/k8s-user.yml
Get token:
kubectl -n kube-system \
describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
kubectl cluster-info
If you are using kubectl proxy, the dashboard URL should be:
Edit kubernetes-dashboard service:
kubectl -n kube-system edit service kubernetes-dashboard
You should see yaml representation of the service. Change
type: ClusterIP
to type: NodePort
and save file.Next we need to check port on which Dashboard was exposed.
$ kubectl -n kube-system get service kubernetes-dashboard
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes-dashboard 10.100.124.90 <nodes> 443:31707/TCP 21h
Dashboard has been exposed on port 31707 (HTTPS). Now you can access it from your browser at: https://<master-ip>:31707.
master-ip
can be found by executing kubectl cluster-info
Deploy it.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta4/aio/deploy/recommended.yaml
Proxy.
kubectl proxy
Access.
Create a user called
dashboard-admin-user
cat > /tmp/k8s-user.yml <<EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: dashboard-admin-user
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dashboard-admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: dashboard-admin-user
namespace: kubernetes-dashboard
EOF
Apply:
kubectl apply -f /tmp/k8s-user.yml
Get token:
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secrets |grep dashboard-admin-user-token | awk '{print $1}')
You need a dashboard.key and dashboard.crt files for HTTPS.
It is easy to create self signed ones like so:
mkdir $HOME/certs
cd $HOME/certs
openssl genrsa -out dashboard.key 2048
openssl rsa -in dashboard.key -out dashboard.key
openssl req -sha256 -new -key dashboard.key -out dashboard.csr -subj '/CN=localhost'
openssl x509 -req -sha256 -days 365 -in dashboard.csr -signkey dashboard.key -out dashboard.crt
Replace
localhost
accordingly.Next, load the certificates into a secret:
kubectl -n kube-system \
create secret generic kubernetes-dashboard-certs \
--from-file=$HOME/certs
Use the recommended setup to magically deploy the kubernetes-dashboard service account, role, rolebinding, deployment and service.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
Find the dashboard replica set:
kubectl -n kube-system get rs
If the desired, current and ready counts are all 1, then congratulations! You can skip to step 5.
Otherwise, if desired is 1 but current and ready counts are 0, then chances are you using Pod Security Policy - in the absense of a valid policy, the default is to reject.
Get the details:
kubectl -n kube-system describe rs kubernetes-dashboard-xxxxxxxxxx
If you see a message such as unable to validate against any pod security policy: [], then continue to step 4.
If you haven’t already done so, create an appropriate Pod Security Policy that will be used to create the dashboard pod.
Tweak to your requirements. A permissive example but blocking privileged mode:
kubectl -n kube-system create -f - <<EOF
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
name: dashboard
spec:
privileged: false
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
EOF
kubectl -n kube-system create role psp:dashboard --verb=use --resource=podsecuritypolicy --resource-name=dashboard
kubectl -n kube-system create rolebinding kubernetes-dashboard-policy --role=psp:dashboard --serviceaccount=kube-system:kubernetes-dashboard
Check that the output of the following command is
yes
:kubectl --as=system:serviceaccount:kube-system:kubernetes-dashboard -n kube-system auth can-i use podsecuritypolicy/dashboard
After a while, check the status of your replica set and it should now have been able to create the pods!
If you still have trouble, check that the permissions of your PSP are appropriate for the dashboard (this is left as an exercise for the reader).
Finally, we can expose the dashboard service on a NodePort. This will allow it to be publically accessible via a port forwarded on the Kubernetes hosts.
Edit the
kubernetes-dashboard
service and change the following options:spec.type
fromClusterIP
toNodePort
spec.ports[0].nodePort
from32641
to whatever port you want it to be exposed on
kubectl -n kube-system edit service kubernetes-dashboard
When you save the close the text file, find out which port was allocated:
# kubectl -n kube-system get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP ... <none> 53/UDP,53/TCP 28d
kubernetes-dashboard NodePort ... <none> 443:32641/TCP 27m
Here you can see that the dashboard was assigned port 32641. It should now be accessible in your browser on that port, and because we created a self-signed (or installed a valid) certificate, you won’t run into the corrupt certificate problem on Windows clients.
Then access https://YOUR.MASTER.IP:32641
Last modified 3yr ago