“Kubernetes Dashboard is a general purpose, web-based UI for Kubernetes clusters. It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself.”
Install and set up MetalLB
Installing the Dashboard requires an installed Metrics Server. Additionally, we need a load balancer. In a cloud environment we get an external load balancer, but in a bare-metal environment we have to create our own. We can do this easily with MetalLB.
We will use an IP address (e.g. 192.168.143.190) that is completely independent of the cluster and of any service. Our goal is to create a service endpoint that does not depend on the number of running cluster nodes, their IP addresses or any internal configuration, so that we can, for example, create a DNS entry for this IP address.
We can choose any address that is valid and accessible in our environment.
The MetalLB home page is https://www.metallb.org . Source code on GitHub: https://github.com/metallb/metallb
To deploy MetalLB, execute the following commands:
$ git clone https://github.com/metallb/metallb.git
$ kubectl create ns metallb-system
$ kubectl apply -f metallb/manifests/metallb.yaml
We need to configure MetalLB. We will use a Layer 2 configuration based on the example configuration file metallb/manifests/example-layer2-config.yaml
$ vi dashboard-metallb-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: dashboard
      protocol: layer2
      addresses:
      - 192.168.143.190-192.168.143.190
Then apply the configuration file:
$ kubectl apply -f dashboard-metallb-config.yaml
Check the installation and configuration:
$ kubectl get pod --namespace=metallb-system
NAME                          READY   STATUS    RESTARTS   AGE
controller-7fb45985f9-7vzdl   1/1     Running   0          3m39s
speaker-6n2zl                 1/1     Running   0          3m39s
speaker-rcdqb                 1/1     Running   0          3m39s
speaker-v2prn                 1/1     Running   0          3m39s
speaker-vbvql                 1/1     Running   0          3m39s
speaker-zrmtv                 1/1     Running   0          3m39s
$ kubectl describe configmaps -n metallb-system
Name: config
Namespace: metallb-system
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","data":{"config":"address-pools: \n- name: dashboard \n protocol: layer2 \n addresses: \n - 192.168.143.190-192.168....
Data
====
config:
----
address-pools:
- name: dashboard
  protocol: layer2
  addresses:
  - 192.168.143.190-192.168.143.190
Events: <none>
You can change the ConfigMap later if you need to:
$ kubectl edit configmap config -n metallb-system
Installing the Dashboard
You can find the current version here: https://github.com/kubernetes/dashboard
As a first step, clone it from GitHub:
$ git clone https://github.com/kubernetes/dashboard.git
Extend the kubernetes-dashboard service in the file dashboard/aio/deploy/recommended.yaml with the metadata:annotations:metallb.universe.tf/address-pool: dashboard and spec:type:LoadBalancer settings to assign the dashboard service to MetalLB’s IP pool.
This ensures access via the same IP address, regardless of the node the pod is actually running on.
Modify the “Service” section from:
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
to:
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  annotations:
    metallb.universe.tf/address-pool: dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  type: LoadBalancer
Then deploy the dashboard.
$ kubectl apply -f dashboard/aio/deploy/recommended.yaml
If the deployment is successful, you will see a similar result:
$ kubectl get pod -n kubernetes-dashboard
NAME                                         READY   STATUS    RESTARTS   AGE
dashboard-metrics-scraper-7b8b58dc8b-hrms2   1/1     Running   0          3m5s
kubernetes-dashboard-866f987876-d8zl4        1/1     Running   0          3m5s
$ kubectl get svc -n kubernetes-dashboard
NAME                        TYPE           CLUSTER-IP     EXTERNAL-IP       PORT(S)         AGE
dashboard-metrics-scraper   ClusterIP      10.98.35.96    <none>            8000/TCP        3m52s
kubernetes-dashboard        LoadBalancer   10.107.5.185   192.168.143.190   443:31149/TCP   3m53s
Create service account
At this point the dashboard is accessible at the URL https://192.168.143.190, but you cannot log in yet.
Create a file dashboard-admin-service-account.yaml and insert the following lines:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-admin
  namespace: kube-system
---
# rbac.authorization.k8s.io/v1beta1 is no longer served as of Kubernetes 1.22;
# v1 has been available since Kubernetes 1.8.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: dashboard-admin
  namespace: kube-system
This creates the service account “dashboard-admin” and binds it to the cluster-admin ClusterRole, so anyone who holds its token has full control of the cluster.
$ kubectl apply -f dashboard-admin-service-account.yaml
You can log in to the web UI with a token. You can find the token string in the dashboard-admin secret.
$ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep dashboard-admin | awk '{print $1}')
Name: dashboard-admin-token-c8m4l
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: dashboard-admin
kubernetes.io/service-account.uid: 7609674d-9811-4717-bcb1-982fbb659c77
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: <Here is a long string. Copy and paste to the UI.>
Note
This is just an example of how to set up the Dashboard and access it from outside the cluster. It is not recommended for a production environment. You can read about securing the dashboard here: https://blog.heptio.com/on-securing-the-kubernetes-dashboard-16b09b1b7aca
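To check afterwards which service accounts hold cluster-admin, as dashboard-admin does above, the following added example (not part of the original post) scans the JSON produced by kubectl get clusterrolebindings -o json for service accounts and service-account groups bound cluster-wide to that role. The dump is a constructed sample: only the dashboard-admin binding comes from this page, while dashboard-viewer, ci-all and orphan are hypothetical.

```python
import json

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`,
# trimmed to the fields the check reads. Only dashboard-admin is from the page.
SAMPLE_DUMP = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "cluster-admin"},        # Kubernetes default binding
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "dashboard-admin"},      # the binding created above
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "dashboard-admin",
                   "namespace": "kube-system"}]},
    {"metadata": {"name": "dashboard-viewer"},     # hypothetical read-only binding
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "dashboard-viewer",
                   "namespace": "kubernetes-dashboard"}]},
    {"metadata": {"name": "ci-all"},               # hypothetical group-wide grant
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:ci"}]},
    {"metadata": {"name": "orphan"},               # hypothetical, has no subjects
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]})

SA_GROUP = "system:serviceaccounts"  # all service accounts; ":<ns>" scopes it


def admin_service_accounts(dump, roles=("cluster-admin",)):
    """Return sorted (binding, subject) pairs where a service account, or a
    service-account group, is bound cluster-wide to one of `roles`."""
    findings = []
    for item in json.loads(dump).get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in roles:
            continue
        for subj in item.get("subjects") or []:   # subjects may be absent
            kind, name = subj.get("kind"), subj.get("name", "")
            if kind == "ServiceAccount":
                subject = f"serviceaccount:{subj.get('namespace', '')}/{name}"
            elif kind == "Group" and (name == SA_GROUP
                                      or name.startswith(SA_GROUP + ":")):
                subject = f"group:{name}"
            else:
                continue  # users and other groups (e.g. system:masters) are skipped
            findings.append((item["metadata"]["name"], subject))
    return sorted(findings)


if __name__ == "__main__":
    for binding, subject in admin_service_accounts(SAMPLE_DUMP):
        print(f"{binding}: {subject} is bound to cluster-admin")
```

The check matches the role by name only, so a custom ClusterRole that grants equivalent wildcard permissions is not reported.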