Dashboard
K8s dashboard tricks.
v1.x
Deploy Dashboard
Deploy it.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yamlProxy.
kubectl proxyAccess.
http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
Reference
Dashboard permissions
Allow full public access
Apply:
This is not recommended for production environments.
Create user
Create a user called admin-user
Apply:
Get token:
References
https://github.com/kubernetes/dashboard/wiki/Creating-sample-user
Get dashboard URL
If you are using kubectl proxy, the dashboard URL should be:
Expose the Dashboard
Edit kubernetes-dashboard service:
You should see yaml representation of the service. Change type: ClusterIP to type: NodePort and save file.
Next we need to check port on which Dashboard was exposed.
Dashboard has been exposed on port 31707 (HTTPS). Now you can access it from your browser at: https://<master-ip>:31707. master-ip can be found by executing kubectl cluster-info
References
https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
v2.x
Deploy Dashboard
Deploy it.
Proxy.
Access.
Reference
https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
Dashboard permissions
Create user
Create a user called dashboard-admin-user
Apply:
Get token:
Deploying a publicly accessible Kubernetes Dashboard
1. Certificates
You need a dashboard.key and dashboard.crt files for HTTPS.
It is easy to create self signed ones like so:
Replace localhost accordingly.
Next, load the certificates into a secret:
2. Deploy dashboard
Use the recommended setup to magically deploy the kubernetes-dashboard service account, role, rolebinding, deployment and service.
3. Check if the replica set is fulfuilled
Find the dashboard replica set:
If the desired, current and ready counts are all 1, then congratulations! You can skip to step 5.
Otherwise, if desired is 1 but current and ready counts are 0, then chances are you using Pod Security Policy - in the absense of a valid policy, the default is to reject.
Get the details:
If you see a message such as unable to validate against any pod security policy: [], then continue to step 4.
4. Set up Pod Security Policy
If you haven’t already done so, create an appropriate Pod Security Policy that will be used to create the dashboard pod.
4.1 Create a PSP
Tweak to your requirements. A permissive example but blocking privileged mode:
4.2 Create a role to allow use of the PSP
4.3 Bind the role to kubernetes-dashboard service account
Check that the output of the following command is yes:
After a while, check the status of your replica set and it should now have been able to create the pods!
If you still have trouble, check that the permissions of your PSP are appropriate for the dashboard (this is left as an exercise for the reader).
5. Expose dashboard service on a NodePort
Finally, we can expose the dashboard service on a NodePort. This will allow it to be publically accessible via a port forwarded on the Kubernetes hosts.
Edit the kubernetes-dashboard service and change the following options:
spec.typefromClusterIPtoNodePortspec.ports[0].nodePortfrom32641to whatever port you want it to be exposed on
When you save the close the text file, find out which port was allocated:
Here you can see that the dashboard was assigned port 32641. It should now be accessible in your browser on that port, and because we created a self-signed (or installed a valid) certificate, you won’t run into the corrupt certificate problem on Windows clients.
Then access https://YOUR.MASTER.IP:32641
Reference
https://joshh.info/2018/kubernetes-dashboard-https-nodeport/
Last updated