Dashboard is a web-based Kubernetes user interface.
Pre-requisites
We are using our Kubernetes homelab to deploy the dashboard.
Install Kubernetes Dashboard
To deploy the dashboard, run the following command:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml
Accessing the Dashboard UI
Dashboard deploys with a minimal RBAC configuration by default. The dashboard service account created here will have administrative privileges and is for homelab purposes only.
Create a dashboard service account in the default namespace:
$ kubectl -n default create serviceaccount dashboard
Create a dashboard-admin cluster role binding. This binds the dashboard service account to the cluster-admin role to have super-user access to perform any action on any resource.
$ kubectl -n default create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=default:dashboard
A role can only be used to grant access to resources within a single namespace. A cluster role can be used to grant the same permissions as a role, but because it is cluster-scoped, it is not tied to a namespace.
Create a cluster role binding that adds the system:anonymous user to the cluster-admin role. Every request that reaches the Kubernetes API without credentials is then authorised as cluster-admin. This setup is useful when unauthenticated access to the Kubernetes API is desired and is acceptable for a homelab environment, but is not recommended on a production cluster. Do not elevate accounts to cluster-admin unless you know what you are doing.
$ kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=system:anonymous
Get a dashboard token:
$ kubectl get secret $(kubectl get serviceaccount dashboard -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}"|base64 -d;echo
We can access the dashboard using the following command:
$ kubectl proxy
kubectl will make the dashboard available at:
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
The problem with this approach is that the UI can only be accessed from the machine where the command is executed. While it’s not necessary, I’ve created a load balancer in order to access the dashboard on an FQDN using the kube-apiserver port:
https://dashboard.apps.hl.test:6443/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
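An added example, not part of the original article: a Python check that takes the JSON from `kubectl get clusterrolebindings -o json` and lists every subject bound to cluster-admin, flagging the anonymous binding and the service account binding created above. The sample data is constructed, and the function name and severity labels are this example's own convention.

```python
import json

# Constructed sample: trimmed output of `kubectl get clusterrolebindings -o json`
# after running the two `create clusterrolebinding` commands from this article.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "dashboard-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "dashboard", "namespace": "default"}]},
  {"metadata": {"name": "cluster-system-anonymous"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "User", "name": "system:anonymous"}]},
  {"metadata": {"name": "system:basic-user"},
   "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"metadata": {"name": "orphaned"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}
]}
""")

# Identities the API server assigns to requests that carry no credentials.
UNAUTHENTICATED = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}


def audit_cluster_admin(crb_list, role="cluster-admin"):
    """Return (severity, binding, subject) for every subject bound to `role`."""
    findings = []
    for crb in crb_list.get("items", []):
        if crb.get("roleRef", {}).get("name") != role:
            continue
        # `subjects` may be absent or null on a binding with no subjects.
        for s in crb.get("subjects") or []:
            kind, name = s.get("kind"), s.get("name")
            if (kind, name) in UNAUTHENTICATED:
                sev = "CRITICAL"   # no credentials needed to act as cluster-admin
            elif kind == "ServiceAccount":
                sev = "HIGH"       # the account's token alone is cluster-admin
                name = f"{s.get('namespace')}:{name}"
            else:
                sev = "REVIEW"     # e.g. the default system:masters group binding
            findings.append((sev, crb["metadata"]["name"], f"{kind}/{name}"))
    return sorted(findings)


if __name__ == "__main__":
    # Live use: kubectl get clusterrolebindings -o json > crb.json, then load it.
    for sev, binding, subject in audit_cluster_admin(SAMPLE):
        print(f"{sev:8} {binding:28} {subject}")
```

A CRITICAL finding is removed with `kubectl delete clusterrolebinding <name>`, after which the dashboard is reached through `kubectl proxy` and the service account token instead.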
Thank You
It’s fine for me with this approach is that the UI can only be accessed from the machine where the command is executed,
i.e.:
$ ssh -L localhost:1234:localhost:8001 ansible@srv31
$ http://localhost:1234/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
But after that I don’t know how to:
configure your load balancer in order to access the dashboard on a FQDN using kube-apiserver port.
* Is this a CNAME the value of ? dashboard.apps.hl.test = {{ k8s_ha_dns }}
Hi, yes, for that to work you have to create a load balancer, e.g. HAProxy, Nginx or Istio. In my case dashboard.apps.hl.test is an A record to the IP address of the load balancer.
Hello,
This tutorial is one of the best I have found so far, easy to follow and almost complete. I had to do a little bit of research to get 3 masters, 3 nodes and 1 haproxy. Everything works great except the dashboard.
I am trying to access from my local machine this way “https://haproxy.thelocaldiveshop.com:6443/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/”
and I get the response below, because the user is incorrect and fails authentication
kind "Status"
apiVersion "v1"
metadata {}
status "Failure"
message "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"kubernetes-dashboard\""
reason "Forbidden"
details
name "https:kubernetes-dashboard:"
kind "services"
code 403
Hi Ivan, add the following rules to the ClusterRole that you are using:
Hello, and thank you for answering my question.
Which YAML will this one be?
Ivan
It would be the YAML file that you used to define your ClusterRole. Did you follow instructions provided in the article, or did you create your own role?
I ran the following: kubectl edit clusterrole system:node -o yaml and added the changes. Still the response. I think I need to install httpd and run a proxy in the haproxy server.
Did you follow instructions provided in the article, or did you create your own role?
I had followed your article and all of the steps were successful. Not clear on what to do with the token!
Can you access the dashboard using kubectl proxy? The token is required in order to log in.