k8s dashboard

Here we need to generate a token to access the dashboard.

Firstly create a Service Account with name admin-user in namespace kubernetes-dashboard first.

apiVersion: v1

kind: ServiceAccount

metadata:

  name: admin-user

  namespace: kubernetes-dashboard

Save above to e.g. dashboard-adminuser.yaml and run to create a service account

kubectl apply -f dashboard-adminuser.yaml 

Secondly bind the new service account to a Cluster Role.

in most cases after installing kubeadm, the ClusterRole cluster-admin already exists in the cluster. We can use it and create only ClusterRoleBinding for our ServiceAccount. If it does not exist then you need to create this role first and grant required privileges manually.

apiVersion: rbac.authorization.k8s.io/v1

kind: ClusterRoleBinding

metadata:

  name: admin-user

roleRef:

  apiGroup: rbac.authorization.k8s.io

  kind: ClusterRole

  name: cluster-admin

subjects:

- kind: ServiceAccount

  name: admin-user

  namespace: kubernetes-dashboard

Save above to e.g. dashboard-rolebinding.yaml and run

kubectl apply -f dashboard-rolebinding.yaml 

Finally generate a Bearer Token for logging into the dashboard web page.

kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')

-n is for namespace

kubectl get secret get the secrets but only the admin-user is grepped

the kubectl describe secret finally prints the token.

It prints something like below:

Name:         admin-user-token-mbp8v

Namespace:    kubernetes-dashboard

Labels:       <none>

Annotations:  kubernetes.io/service-account.name: admin-user

  kubernetes.io/service-account.uid: 7299cb52-5f52-4d24-8329-5b8c53915af5

Type:  kubernetes.io/service-account-token

Data

====

namespace:  20 bytes

token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IjRQOE9Id2VueFhxTHotYVk2QXBQR1BIMlc0QUFxYURUdHQ0S3FmT2xOUlUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLW1icDh2Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI3Mjk5Y2I1Mi01ZjUyLTRkMjQtODMyOS01YjhjNTM5MTVhZjUiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.NZH2YpNoTyAKC8h2d5KihwC5eozvYJwGZmCuurIMoB5prEVgWswX82ygOoIh7ZRh762FAwwQr9jk50af2_ISbson82qXqOmXJHNb9Zy2UIBZa4KiWGaplkmj1XjPDwVRhesjeq4oFwE_rzqdP58gqN_E01bedQ-90JwS3SUmg4YrNpb89DwCEQjP4AmZc73ZxZ0AaChFQRi8l_DbB9h25mWN5fBLC5D3DmOmX-3PRRYs7W1LpoOI4ijFskWZ8R4VfDi6yP54fIBK_9gI65cdCA31Gl3aCbZ2k9vCIdw0rjICHQ1jAKNdV8Kk2yLaGMvB6SOvaWF-Af7HlOMhfGsi3A

ca.crt:     1025 bytes

Simply copy the token and paste it onto the previous login page and continue.

Note again, if accessing the same dashboard url from external ip, it will show up the login page as well, but won't do anything after typing in the token to log in. The http url is unsafe and it doesn't allow access from external.

Login to dashboard from external IP

If the API server is open to external (which it is by default), then we can acess the dashboard through API Server.

The URL is https://<master-ip>:<apiserver-port>/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

Again need to check the official website to confirm the url. the part after /api/ ... is the same as the url provided by kubectl proxy above.

So go to below, note its https and a different port.

https://192.168.0.13:6443/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

It will get the "403 forbidden" message for user system:anonymous.

That's because the latest k8s RBAC role based authentication control assign annonymous users if not certified.

For API server, it uses certificate to authenticate.

Lets generate a certificate from the /etc/kubernetes/admin.conf, which is copied to $HOME/.kube/config

firstly generate certificate data

grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.crt

secondly generate key data

grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.key

finally generate the p12 certificate. it will prompt to enter a password for using the p12. 

openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"

Now copy / pscp the kubecfg.p12 file to the machine where you want to visit the dashboard. also keep the password above safe.

Go to Chrome's "manage certificates" and import the p12 file, it will ask for the password entered previously as well to be able to use the p12.

Close Chrome and open again.

Go the url again, it will prompt to use the p12 certificate and click yes/ok.

https://192.168.0.13:6443/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

Then the login page pops up. 

Enter the Bearer token generated previously.

you are in!