k8s dashboard

Dashboard provides a graphical way to monitor and operate on the cluster.

On the master node, deploy the dashboard:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml

To remove the dashboard again (e.g. so that it can be redeployed), delete the same manifest:

kubectl delete -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml

Then run a proxy to the Kubernetes API server:

kubectl proxy

or with parameters, e.g. binding to a specific address and accepting any host (note that --disable-filter=true turns off the proxy's request filtering, which kubectl's own help describes as dangerous when the port is reachable by others):

kubectl proxy --accept-hosts='^*$'  --address=192.168.0.13  --disable-filter=true

This creates a proxy server or application-level gateway between localhost and the Kubernetes API server.

By default the port is 8001.

    ...

Starting to serve on 127.0.0.1:8001


With 'kubectl proxy' the dashboard can ONLY be accessed from the machine where the 'kubectl proxy' command is run, i.e. localhost.

Check that the dashboard service is up and running:

kubectl get services --all-namespaces

NAMESPACE              NAME                        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                  AGE
default                kubernetes                  ClusterIP   10.96.0.1        <none>        443/TCP                  21h
kube-system            kube-dns                    ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP,9153/TCP   21h
kubernetes-dashboard   dashboard-metrics-scraper   ClusterIP   10.108.205.80    <none>        8000/TCP                 45m
kubernetes-dashboard   kubernetes-dashboard        ClusterIP   10.105.209.136   <none>        443/TCP                  45m

Now open a browser on the local machine. Note that the URL could change over time; check the official website to confirm.

      http://192.168.0.13:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

A web page (the dashboard login page) will show up.

Here we need to generate a token to access the dashboard.

Firstly, create a ServiceAccount named admin-user in the namespace kubernetes-dashboard.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard

Save the above to e.g. dashboard-adminuser.yaml and run the following to create the service account:

kubectl apply -f dashboard-adminuser.yaml

Secondly, bind the new service account to a ClusterRole.

In most cases, after installing with kubeadm, the ClusterRole cluster-admin already exists in the cluster. We can use it and create only a ClusterRoleBinding for our ServiceAccount. If it does not exist, you need to create this role first and grant the required privileges manually.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard

Save the above to e.g. dashboard-rolebinding.yaml and run:

kubectl apply -f dashboard-rolebinding.yaml

Finally, generate a Bearer Token for logging into the dashboard web page:

kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')

-n selects the namespace.

kubectl get secret lists the secrets in that namespace; grep keeps only the admin-user one and awk prints its name.

kubectl describe secret then prints the token of that secret.

It prints something like below:

Name:         admin-user-token-mbp8v
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin-user
              kubernetes.io/service-account.uid: 7299cb52-5f52-4d24-8329-5b8c53915af5

Type:  kubernetes.io/service-account-token

Data
====
namespace:  20 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IjRQOE9Id2VueFhxTHotYVk2QXBQR1BIMlc0QUFxYURUdHQ0S3FmT2xOUlUifQ....NZH2YpNoTyAKC8h2d5KihwC5eozvYJwGZmCuurIMoB5prEVgWswX82ygOoIh7ZRh762FAwwQr9jk50af2_ISbson82qXqOmXJHNb9Zy2UIBZa4KiWGaplkmj1XjPDwVRhesjeq4oFwE_rzqdP58gqN_E01bedQ-90JwS3SUmg4YrNpb89DwCEQjP4AmZc73ZxZ0AaChFQRi8l_DbB9h25mWN5fBLC5D3DmOmX-3PRRYs7W1LpoOI4ijFskWZ8R4VfDi6yP54fIBK_9gI65cdCA31Gl3aCbZ2k9vCIdw0rjICHQ1jAKNdV8Kk2yLaGMvB6SOvaWF-Af7HlOMhfGsi3A
ca.crt:     1025 bytes

Simply copy the token, paste it into the previous login page and continue.
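The token printed above is a bearer credential for a service account bound to cluster-admin, so before pasting it anywhere it is worth confirming which identity it actually carries. The following script is an added example, not code from the original post: it pulls the token out of kubectl describe secret output the same way the pipeline above does, then decodes the JWT claims locally (without verifying the signature) and checks the sub claim. The sample describe output, key id and signature are constructed; the script assumes coreutils base64, awk and sed.

```shell
#!/bin/sh
# Added example (not from the original post): pull the token out of
# `kubectl describe secret` output and check which identity it carries
# before pasting it into the dashboard login page. The token is decoded
# locally only; nothing here verifies its signature.

# base64url helpers (assumption: coreutils `base64` is available)
b64url_encode() { base64 | tr -d '\n=' | sed 'y/+\//-_/'; }
b64url_decode() {
  data=$(sed 'y/-_/+\//')          # back to the standard alphabet
  case $(( ${#data} % 4 )) in      # restore the padding base64 -d expects
    2) data="${data}==" ;;
    3) data="${data}=" ;;
  esac
  printf '%s' "$data" | base64 -d
}

# Print the value of the `token:` line from `kubectl describe secret` (stdin).
extract_token() { awk '$1 == "token:" { print $2; exit }'; }

# Decode the claims (second dot-separated part of the JWT).
token_claims() { printf '%s' "$1" | cut -d. -f2 | b64url_decode; }

# Print the `sub` claim: the service account the token authenticates as.
token_subject() { token_claims "$1" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'; }

# Succeed only if the token belongs to the expected namespace/service account.
check_token_subject() {
  [ "$(token_subject "$1")" = "system:serviceaccount:$2:$3" ]
}

# Constructed sample: same three-part shape as a real service-account token,
# with a fake key id and a fake signature. The claim names are the ones the
# Kubernetes service-account token controller puts into legacy tokens.
SAMPLE_HEADER='{"alg":"RS256","kid":"EXAMPLE-KID"}'
SAMPLE_CLAIMS='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kubernetes-dashboard","kubernetes.io/serviceaccount/secret.name":"admin-user-token-xxxxx","kubernetes.io/serviceaccount/service-account.name":"admin-user","sub":"system:serviceaccount:kubernetes-dashboard:admin-user"}'
SAMPLE_TOKEN="$(printf '%s' "$SAMPLE_HEADER" | b64url_encode).$(printf '%s' "$SAMPLE_CLAIMS" | b64url_encode).FAKE-SIGNATURE"
SAMPLE_DESCRIBE="Name:         admin-user-token-xxxxx
Namespace:    kubernetes-dashboard
Type:  kubernetes.io/service-account-token

Data
====
namespace:  20 bytes
token:      $SAMPLE_TOKEN
ca.crt:     1025 bytes"

# Run the check on the constructed output.
TOKEN=$(printf '%s\n' "$SAMPLE_DESCRIBE" | extract_token)
if check_token_subject "$TOKEN" kubernetes-dashboard admin-user; then
  echo "token subject: $(token_subject "$TOKEN")"
else
  echo "unexpected token subject: $(token_subject "$TOKEN")" >&2
fi
```

A token for a service account bound to cluster-admin gives full control of the cluster to whoever holds it, so keep it out of shell history and chat logs. On clusters from Kubernetes 1.24 onward, token secrets are no longer created automatically for service accounts; kubectl -n kubernetes-dashboard create token admin-user prints a short-lived token directly, and the same subject check applies to it.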

Note again: if the same dashboard URL is opened from an external IP, the login page is shown as well, but nothing happens after typing in the token. The plain-HTTP URL is insecure, and the dashboard does not allow token login over it from a non-localhost address.

Logging in to the dashboard from an external IP

If the API server is reachable externally (which it is by default), we can access the dashboard through the API server.

The URL is https://<master-ip>:<apiserver-port>/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

Again, check the official website to confirm the URL. The part after /api/ is the same as in the URL served by kubectl proxy above.

So open the URL below; note that it is https and uses a different port (the API server's):

https://192.168.0.13:6443/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

This returns a "403 Forbidden" message for the user system:anonymous.

That's because Kubernetes RBAC (role-based access control) treats a request that carries no valid credential as the anonymous user, which has no permissions.

For the API server, we authenticate with a client certificate.

Let's extract the client certificate from /etc/kubernetes/admin.conf, which is copied to $HOME/.kube/config.

Firstly, extract the certificate data (written with > rather than >> so that re-running the command does not append a second copy to the file):

grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.crt

Secondly, extract the key data:

grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.key

Finally, bundle them into a PKCS#12 (p12) file; openssl will prompt for a password that protects the p12:

openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"
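The three commands above are the whole extraction, but the decoded kubecfg.key is the admin client key, so the file permissions and the idempotence of the step matter. The script below is an added example, not code from the original post: it wraps the page's grep/awk/base64 pipeline in functions that write the files owner-only and overwrite rather than append, and keeps the openssl pkcs12 step as a function that is not executed here. It runs against a constructed kubeconfig whose PEM bodies are placeholders, not a real certificate or key; it assumes coreutils base64 and mktemp, GNU stat (with a BSD fallback) and, for make_p12 only, openssl.

```shell
#!/bin/sh
# Added example (not from the original post): extract the admin client
# certificate and key from a kubeconfig the way the page does, but with
# owner-only file permissions and overwrite (not append) output.

# Decode one base64 field of a kubeconfig into a file.
# $1 = kubeconfig path, $2 = field name, $3 = output path
extract_kubeconfig_field() {
  (
    umask 077   # the decoded key is a cluster-admin credential: owner-only
    grep "$2" "$1" | head -n 1 | awk '{print $2}' | base64 -d > "$3"
  )
}

extract_client_cert() { extract_kubeconfig_field "$1" 'client-certificate-data' "$2"; }
extract_client_key()  { extract_kubeconfig_field "$1" 'client-key-data' "$2"; }

# First line of a PEM file, to confirm the right field was decoded.
pem_header() { head -n 1 "$1"; }

# Octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Bundle cert and key into PKCS#12 for the browser (assumption: openssl is
# installed). Not run in this example; openssl prompts for the p12 password.
# $1 = key path, $2 = cert path, $3 = output .p12 path
make_p12() {
  openssl pkcs12 -export -clcerts -inkey "$1" -in "$2" -out "$3" -name "kubernetes-client"
}

# Constructed sample kubeconfig with placeholder PEM bodies (not a real
# certificate or key), so the extraction can run offline.
SAMPLE_CERT_PEM='-----BEGIN CERTIFICATE-----
EXAMPLE-CERT-BODY
-----END CERTIFICATE-----'
SAMPLE_KEY_PEM='-----BEGIN RSA PRIVATE KEY-----
EXAMPLE-KEY-BODY
-----END RSA PRIVATE KEY-----'
b64() { printf '%s\n' "$1" | base64 | tr -d '\n'; }

WORK=$(mktemp -d)
SAMPLE_KUBECONFIG="$WORK/config"
cat > "$SAMPLE_KUBECONFIG" <<EOF
apiVersion: v1
kind: Config
users:
- name: kubernetes-admin
  user:
    client-certificate-data: $(b64 "$SAMPLE_CERT_PEM")
    client-key-data: $(b64 "$SAMPLE_KEY_PEM")
EOF

extract_client_cert "$SAMPLE_KUBECONFIG" "$WORK/kubecfg.crt"
extract_client_key  "$SAMPLE_KUBECONFIG" "$WORK/kubecfg.key"
# Running the extraction a second time overwrites the file instead of
# appending a second copy (which the page's `>>` would do).
extract_client_cert "$SAMPLE_KUBECONFIG" "$WORK/kubecfg.crt"

echo "cert: $(pem_header "$WORK/kubecfg.crt") ($(wc -l < "$WORK/kubecfg.crt" | tr -d ' ') lines)"
echo "key:  $(pem_header "$WORK/kubecfg.key") (mode $(file_mode "$WORK/kubecfg.key"))"
```

After extracting from a real ~/.kube/config, call make_p12 kubecfg.key kubecfg.crt kubecfg.p12 to produce the bundle the browser imports; the p12 then carries the same admin key, so it deserves the same handling as admin.conf itself.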

Now copy (e.g. with pscp) the kubecfg.p12 file to the machine from which you want to visit the dashboard. Keep the password above safe: the p12 contains the admin client key from admin.conf.

Go to Chrome's "manage certificates" and import the p12 file; it will ask for the password entered previously before the p12 can be used.

Close Chrome and open it again.

Go to the URL again; the browser will prompt to use the p12 certificate, so click yes/OK.

https://192.168.0.13:6443/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

Then the login page pops up.

Enter the Bearer token generated previously.

You are in!