k8s dashboard
Dashboard provides a graphical way to monitor and operate on the cluster.
On the master node, deploy the dashboard:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml
To remove the dashboard (e.g. so it can be redeployed cleanly), delete the same manifest:
kubectl delete -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml
Then start a proxy to the k8s API server:
kubectl proxy
or with some parameters
kubectl proxy --accept-hosts='^*$' --address=192.168.0.13 --disable-filter=true
This creates a proxy server or application-level gateway between localhost and the Kubernetes API Server. Requests through it are forwarded with the credentials from your kubeconfig (cluster-admin after kubeadm init); the proxy itself does no authentication.
By default it listens on 127.0.0.1:8001. The flags above change that: --address binds it to the LAN interface, --accept-hosts='^*$' accepts any Host header, and --disable-filter=true removes the proxy's request filter. Together they give anyone who can reach 192.168.0.13:8001 unauthenticated cluster-admin access to the API server, so only use them on an isolated lab network.
...
Starting to serve on 127.0.0.1:8001
With the default settings of 'kubectl proxy' the dashboard can ONLY be accessed from the machine where the command runs, i.e. localhost. With --address set as above it is reachable from the LAN, but the dashboard still refuses to log you in over plain HTTP from a remote address (see the note below).
Check that the dashboard service is up and running.
kubectl get services --all-namespaces
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 21h
kube-system kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 21h
kubernetes-dashboard dashboard-metrics-scraper ClusterIP 10.108.205.80 <none> 8000/TCP 45m
kubernetes-dashboard kubernetes-dashboard ClusterIP 10.105.209.136 <none> 443/TCP 45m
Now open the dashboard in a browser on the local machine (with the default proxy settings use http://localhost:8001 in place of the LAN address). Note the URL could change over time; check the official website to confirm.
http://192.168.0.13:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
A web page will show up:
Here we need to generate a token to access the dashboard.
Firstly create a ServiceAccount named admin-user in the namespace kubernetes-dashboard.
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kubernetes-dashboard
Save above to e.g. dashboard-adminuser.yaml and run to create a service account
kubectl apply -f dashboard-adminuser.yaml
Secondly bind the new service account to a Cluster Role.
In most cases after installing with kubeadm the ClusterRole cluster-admin already exists (it is one of the default roles bootstrapped by the API server), so we only need to create a ClusterRoleBinding for our ServiceAccount. If it does not exist, create the role first and grant the required privileges manually. Note that cluster-admin is unrestricted: anyone who obtains this account's token controls the whole cluster. If the dashboard is only used for monitoring, bind the built-in view ClusterRole instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kubernetes-dashboard
Save above to e.g. dashboard-rolebinding.yaml and run
kubectl apply -f dashboard-rolebinding.yaml
Finally generate a Bearer Token for logging into the dashboard web page.
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')
-n selects the namespace.
kubectl get secret lists the secrets in that namespace; grep keeps only the admin-user token secret and awk prints its name.
kubectl describe secret then prints the token.
This relies on the API server creating a long-lived token Secret for every ServiceAccount, which it does on clusters before v1.24. On v1.24 and later no such Secret is created automatically; request a short-lived token instead with: kubectl -n kubernetes-dashboard create token admin-user
It prints something like below:
Name: admin-user-token-mbp8v
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin-user
kubernetes.io/service-account.uid: 7299cb52-5f52-4d24-8329-5b8c53915af5
Type: kubernetes.io/service-account-token
Data
====
namespace: 20 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjRQOE9Id2VueFhxTHotYVk2QXBQR1BIMlc0QUFxYURUdHQ0S3FmT2xOUlUifQ.<payload omitted>.NZH2YpNoTyAKC8h2d5KihwC5eozvYJwGZmCuurIMoB5prEVgWswX82ygOoIh7ZRh762FAwwQr9jk50af2_ISbson82qXqOmXJHNb9Zy2UIBZa4KiWGaplkmj1XjPDwVRhesjeq4oFwE_rzqdP58gqN_E01bedQ-90JwS3SUmg4YrNpb89DwCEQjP4AmZc73ZxZ0AaChFQRi8l_DbB9h25mWN5fBLC5D3DmOmX-3PRRYs7W1LpoOI4ijFskWZ8R4VfDi6yP54fIBK_9gI65cdCA31Gl3aCbZ2k9vCIdw0rjICHQ1jAKNdV8Kk2yLaGMvB6SOvaWF-Af7HlOMhfGsi3A
ca.crt: 1025 bytes
Copy the token and paste it into the login page shown earlier, then continue.
Note again: if the same http://...:8001 URL is opened from another machine, the login page is displayed, but submitting the token does nothing. The dashboard only accepts bearer-token login over HTTPS or from localhost, because over plain HTTP the token would travel in the clear; the kubectl proxy URL is plain HTTP, so from a remote IP the login is refused.
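The token printed above is the only thing the dashboard asks for, so it is worth checking what you are about to paste. As an added example that is not part of these notes, the script below decodes the token's JWT payload and confirms it belongs to the expected ServiceAccount; the SAMPLE_TOKEN in it is constructed with a dummy signature so the script runs offline (a real token is verified by the API server's signature, not by this script). The names b64url_decode, jwt_part, jwt_claim and check_sa_token are chosen here.

```sh
#!/bin/sh
# Added example, not from the original notes: decode a ServiceAccount bearer
# token and confirm which account it belongs to before pasting it anywhere.
# Whoever holds the token gets every permission bound to that account
# (cluster-admin in the setup above). SAMPLE_TOKEN is constructed here with a
# dummy signature so the script runs offline; real tokens are RS256-signed by
# the API server. Needs only sh, cut, tr, sed and base64.

# base64url-decode one JWT segment: restore the '+/' alphabet and '=' padding.
b64url_decode() {
    local s
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="$s==" ;;
        3) s="$s=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# base64url-encode; used only to build the constructed sample token.
b64url_encode() {
    printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'
}

# jwt_part TOKEN N -> decoded header (N=1) or payload (N=2).
jwt_part() {
    local seg
    seg=$(printf '%s' "$1" | cut -d. -f"$2")
    b64url_decode "$seg"
}

# jwt_claim TOKEN CLAIM -> value of a string-valued claim, empty if absent.
# sed instead of jq so the check also works on a bare master node.
jwt_claim() {
    jwt_part "$1" 2 | sed -n 's|.*"'"$2"'":"\([^"]*\)".*|\1|p'
}

# check_sa_token TOKEN NAMESPACE NAME
# Succeeds only if the token's subject is the expected ServiceAccount.
check_sa_token() {
    local token="$1" ns="$2" name="$3" alg sub exp
    alg=$(jwt_part "$token" 1 | sed -n 's|.*"alg":"\([^"]*\)".*|\1|p')
    sub=$(jwt_claim "$token" sub)
    exp=$(jwt_part "$token" 2 | sed -n 's|.*"exp":\([0-9]*\).*|\1|p')
    if [ "$sub" != "system:serviceaccount:$ns:$name" ]; then
        echo "token subject is '$sub', expected system:serviceaccount:$ns:$name" >&2
        return 1
    fi
    if [ -z "$exp" ]; then
        # Pre-1.24 Secret-based tokens carry no exp claim: they stay valid
        # until the Secret is deleted, so a leaked one is a permanent credential.
        echo "warning: legacy Secret-based token with no expiry" >&2
    else
        echo "token expires at unix time $exp" >&2
    fi
    echo "alg=$alg subject=$sub"
}

# Constructed sample: the claims a pre-1.24 token Secret carries.
SAMPLE_HEADER='{"alg":"RS256","kid":"constructed-example"}'
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kubernetes-dashboard","kubernetes.io/serviceaccount/service-account.name":"admin-user","sub":"system:serviceaccount:kubernetes-dashboard:admin-user"}'
SAMPLE_TOKEN="$(b64url_encode "$SAMPLE_HEADER").$(b64url_encode "$SAMPLE_PAYLOAD").not-a-real-signature"

check_sa_token "$SAMPLE_TOKEN" kubernetes-dashboard admin-user
# On a real cluster (v1.24+):
#   check_sa_token "$(kubectl -n kubernetes-dashboard create token admin-user)" kubernetes-dashboard admin-user
```

A Secret-based token has no exp claim, which the script flags: such a token remains valid until the Secret is deleted, so rotating it means deleting the Secret (and, on v1.24+, preferring the short-lived tokens from kubectl create token).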
Login to dashboard from external IP
If the API server is reachable from outside the node (with kubeadm it listens on port 6443 on all interfaces by default), the dashboard can be reached through the API server's own service proxy, which is HTTPS and requires authentication.
The URL is https://<master-ip>:<apiserver-port>/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
Again, check the official website to confirm the URL; the part after /api/ is the same as in the kubectl proxy URL above.
So go to below, note its https and a different port.
https://192.168.0.13:6443/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
The response is "403 Forbidden" for user system:anonymous.
That is because the browser sent no credentials, so the API server treated the request as the anonymous user (anonymous auth is on by default), and RBAC grants system:anonymous no access to the service proxy subresource.
The API server accepts several kinds of credentials; the one a browser can present is an X.509 client certificate.
Let's extract the client certificate and key from /etc/kubernetes/admin.conf (kubeadm copies it to $HOME/.kube/config). Note this is the cluster-admin identity (kubeadm issues it with O=system:masters), so the resulting p12 is as sensitive as the kubeconfig itself.
firstly extract the certificate (use > rather than >>, so a stale file from an earlier run is overwritten instead of appended to)
grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.crt
secondly extract the key (head -n 1 takes the first user in the file; in a single-user admin.conf that is kubernetes-admin)
grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.key
finally bundle them into a PKCS#12 file. openssl will prompt for an export password that protects the p12.
openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"
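The grep | head -n 1 extraction above silently takes the first user in the kubeconfig. The script below, an added example that is not part of the original notes, extracts the certificate and key for a named user, writes them with mode 0600, and exposes the certificate subject so you can see which identity (for kubeadm's admin.conf, CN=kubernetes-admin, O=system:masters) is about to go into the p12. The embedded kubeconfig is constructed with fake certificate data so it runs offline; kubeconfig_user_field, extract_client_identity, cert_subject and build_p12 are names chosen here.

```sh
#!/bin/sh
# Added example, not from the original notes: take the client certificate and
# key of one named kubeconfig user (rather than whichever *-data line grep
# finds first), write them with mode 0600, and show whose identity is going
# into the p12. The kubeconfig built below carries fake certificate data so
# the script runs offline; on a node point it at $HOME/.kube/config or
# /etc/kubernetes/admin.conf. Needs sh, awk, base64 and, for cert_subject
# and build_p12, openssl.

# kubeconfig_user_field FILE USER FIELD
# Prints the base64-decoded FIELD (client-certificate-data, client-key-data)
# of the entry under users: whose name is USER. Only users: is scanned, so a
# same-named key elsewhere in the file cannot be picked up by mistake.
kubeconfig_user_field() {
    awk -v want="$2" -v field="$3:" '
        /^users:/                              { inusers = 1; next }
        /^[^ -]/                               { inusers = 0 }
        inusers && $1 == "-" && $2 == "name:"  { cur = $3 }
        inusers && cur == want && $1 == field  { print $2; exit }
    ' "$1" | base64 -d
}

# extract_client_identity FILE USER OUTPREFIX
# Writes OUTPREFIX.crt and OUTPREFIX.key, overwriting (>) rather than
# appending (>>) so a leftover file from an earlier run cannot corrupt the
# PEM, and under umask 077 so the key is never world-readable.
extract_client_identity() {
    (
        umask 077
        kubeconfig_user_field "$1" "$2" client-certificate-data > "$3.crt"
        kubeconfig_user_field "$1" "$2" client-key-data > "$3.key"
    )
    [ -s "$3.crt" ] && [ -s "$3.key" ]
}

# cert_subject CRT -> the subject the API server will authenticate as.
# For a kubeadm admin.conf expect CN=kubernetes-admin, O=system:masters;
# the system:masters group bypasses RBAC entirely, so guard the p12 like a
# root credential. Needs a real certificate, so it is not run on the sample.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# build_p12 OUTPREFIX -> OUTPREFIX.p12 (openssl prompts for an export password).
build_p12() {
    openssl pkcs12 -export -clcerts -inkey "$1.key" -in "$1.crt" \
        -out "$1.p12" -name "kubernetes-client"
}

# Constructed sample kubeconfig with two users; the admin is listed second,
# so 'grep | head -n 1' would have returned the wrong certificate.
SAMPLE_KUBECONFIG=$(mktemp)
cat > "$SAMPLE_KUBECONFIG" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: https://192.168.0.13:6443
users:
- name: other-user
  user:
    client-certificate-data: $(printf '%s' 'FAKE-CERT-other' | base64)
    client-key-data: $(printf '%s' 'FAKE-KEY-other' | base64)
- name: kubernetes-admin
  user:
    client-certificate-data: $(printf '%s' 'FAKE-CERT-kubernetes-admin' | base64)
    client-key-data: $(printf '%s' 'FAKE-KEY-kubernetes-admin' | base64)
contexts:
- name: kubernetes-admin@kubernetes
  context: {cluster: kubernetes, user: kubernetes-admin}
current-context: kubernetes-admin@kubernetes
EOF

DEMO_DIR=$(mktemp -d)
extract_client_identity "$SAMPLE_KUBECONFIG" kubernetes-admin "$DEMO_DIR/kubecfg" \
    && echo "wrote $DEMO_DIR/kubecfg.crt and $DEMO_DIR/kubecfg.key"
# On a real node the remaining steps are:
#   extract_client_identity "$HOME/.kube/config" kubernetes-admin kubecfg
#   cert_subject kubecfg.crt
#   build_p12 kubecfg
```

The user name to pass is the one under users: in the kubeconfig (kubernetes-admin for a kubeadm admin.conf), which is also what the current-context entry refers to.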
Now copy / pscp the kubecfg.p12 file to the machine where you want to visit the dashboard, and keep the export password safe. Anyone holding the file and the password is cluster-admin on the API server, with or without the dashboard token, so delete kubecfg.key and kubecfg.crt from disk once the p12 is built.
Go to Chrome's "manage certificates" and import the p12 file; it will ask for the password entered previously.
Close Chrome and open it again.
Go to the URL again; Chrome will prompt to use the imported certificate, click yes/ok.
https://192.168.0.13:6443/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
Chrome will also warn that the API server's certificate is untrusted unless the cluster CA (the certificate-authority-data in the kubeconfig) has been imported as a trusted root.
Then the login page pops up.
Enter the Bearer token generated previously.
you are in!