Skip to main content

Dashboard

What do we know about the k8s Dashboard?

  • expose externally if needed only
  • can also use kubectl port-forward

kubectl proxy#

  • creates proxy server between localhost and k8s api server
  • uses kubeconfig
  • allow access to api locally over http no auth

http://localhost:8001/ --> kubectl proxy --> kubectl (https) --> k8s api

kubectl port-forward#

  • forwards localhost-port to pod-port

tcp://localhost:1234 --> kubectl port-foward --> kubectl --> api server --> pod:port (e.g. dashboard on 10.1.2.3:443)

so now localpost port 1234 is fowarded to dashboard on 10.1.2.3 port 443.

Ingress#

can use it to expose dashboard to the internet if you want, but PLEASE USE SOME AUTH! e.g. can use nginx-ingress, but implement auth on it.

Install k8s dashboard#

install: kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.3.1/aio/deploy/recommended.yaml

[email protected]:~# kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.3.1/aio/deploy/recommended.yamlnamespace/kubernetes-dashboard createdserviceaccount/kubernetes-dashboard createdservice/kubernetes-dashboard createdsecret/kubernetes-dashboard-certs createdsecret/kubernetes-dashboard-csrf createdsecret/kubernetes-dashboard-key-holder createdconfigmap/kubernetes-dashboard-settings createdrole.rbac.authorization.k8s.io/kubernetes-dashboard createdclusterrole.rbac.authorization.k8s.io/kubernetes-dashboard createdrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard createdclusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard createddeployment.apps/kubernetes-dashboard createdservice/dashboard-metrics-scraper createddeployment.apps/dashboard-metrics-scraper created[email protected]:~# k get nsNAME                   STATUS   AGEcassandra              Active   48mdefault                Active   14dkube-node-lease        Active   14dkube-public            Active   14dkube-system            Active   14dkubernetes-dashboard   Active   26s[email protected]:~# k -n kubernetes-dashboard get pod,svcNAME                                             READY   STATUS    RESTARTS   AGEpod/dashboard-metrics-scraper-856586f554-x2m9b   1/1     Running   0          52spod/kubernetes-dashboard-67484c44f6-zbhmn        1/1     Running   0          52s
NAME                                TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGEservice/dashboard-metrics-scraper   ClusterIP   10.98.132.195   <none>        8000/TCP   52sservice/kubernetes-dashboard        ClusterIP   10.105.25.220   <none>        443/TCP    52s

External Access#

bad example - available externally over HTTP

[email protected]:~# k -n kubernetes-dashboard edit deploy kubernetes-dashboard

add in our insecure-port arg

  template:    metadata:      creationTimestamp: null      labels:        k8s-app: kubernetes-dashboard    spec:      containers:      - args:        - --auto-generate-certificates        - --namespace=kubernetes-dashboard        image: kubernetesui/dashboard:v2.3.1        imagePullPolicy: Always        livenessProbe:          failureThreshold: 3          httpGet:            path: /            port: 8443            scheme: HTTPS

to

  template:    metadata:      creationTimestamp: null      labels:        k8s-app: kubernetes-dashboard    spec:      containers:      - args:        - --namespace=kubernetes-dashboard        - --insecure-port=9090        image: kubernetesui/dashboard:v2.3.1        imagePullPolicy: Always        livenessProbe:          failureThreshold: 3          httpGet:            path: /            port: 9090            scheme: HTTP

change service to NodePort

from

spec:  clusterIP: 10.105.25.220  clusterIPs:  - 10.105.25.220  ipFamilies:  - IPv4  ipFamilyPolicy: SingleStack  ports:  - port: 443    protocol: TCP    targetPort: 8443  selector:    k8s-app: kubernetes-dashboard  sessionAffinity: None  type: ClusterIP

to

spec:  clusterIP: 10.105.25.220  clusterIPs:  - 10.105.25.220  ipFamilies:  - IPv4  ipFamilyPolicy: SingleStack  ports:  - port: 9090    protocol: TCP    targetPort: 9090  selector:    k8s-app: kubernetes-dashboard  sessionAffinity: None  type: ClusterIP

find external IP for the compute instance

gcloud compute instances list NAME        ZONE                    MACHINE_TYPE  PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP    STATUScks-master  australia-southeast1-a  e2-medium                  10.152.0.2   35.189.40.8    RUNNINGcks-worker  australia-southeast1-a  e2-medium                  10.152.0.4   35.244.67.113  RUNNING

now in your local browser - open http://35.244.67.113:30478 and you can see the dashboard.

Access and Service Accounts#

look at the default service account (sa)

[email protected]:~# k -n kubernetes-dashboard get saNAME                   SECRETS   AGEdefault                1         16mkubernetes-dashboard   1         16m[email protected]:~# k get clusterroles | grep viewsystem:aggregate-to-view                                               2021-08-08T22:33:40Zsystem:public-info-viewer                                              2021-08-08T22:33:40Zview                                                                   2021-08-08T22:33:40Z

create a rolebinding insecure:

[email protected]:~# k -n kubernetes-dashboard create rolebinding insecure --serviceaccount kubernetes-dashboard:kubernetes-dashboard --clusterrole view -oyaml --dry-run=clientapiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:  creationTimestamp: null  name: insecure  namespace: kubernetes-dashboardroleRef:  apiGroup: rbac.authorization.k8s.io  kind: ClusterRole  name: viewsubjects:- kind: ServiceAccount  name: kubernetes-dashboard  namespace: kubernetes-dashboard
[email protected]:~# k -n kubernetes-dashboard create rolebinding insecure --serviceaccount kubernetes-dashboard:kubernetes-dashboard --clusterrole view rolebinding.rbac.authorization.k8s.io/insecure created

only allows access to cluster-role view in the kubernetes-dashboard namespace... nothing else.

if we change rolebinding to clusterrolebinding -- now we have view across the WHOLE CLUSTER

[email protected]:~# k -n kubernetes-dashboard create clusterrolebinding insecure --serviceaccount kubernetes-dashboard:kubernetes-dashboard --clusterrole view clusterrolebinding.rbac.authorization.k8s.io/insecure created

browsing the external dashboard url from above, can now see ALL namespaces.