Install dashboard
Run the following command to deploy the dashboard:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.5.0/aio/deploy/recommended.yaml
Once done, check the status of the resources in the kubernetes-dashboard namespace. If all the resources are running, the dashboard has been deployed successfully.
PS:
- In the screenshot above you can see an EXTERNAL-IP for the kubernetes-dashboard service. The reason is that I edited the service and changed its type from ClusterIP to LoadBalancer; the load balancer is backed by MetalLB.
- The browser (Chrome) will block access to the dashboard through https://192.168.58.156 because the TLS cert is generated by Kubernetes during installation and is not issued by a trusted CA. This issue will be resolved in a later step.
 
Generate TLS Cert
Suppose you already have a domain name, or buy one from Alicloud, AWS, GoDaddy, etc. Here I will use Alicloud as an example; my domain name is it-meta.space.
Create free TLS cert
The menu navigation is as follows: Aliyun Console » Certificate Management Service » SSL Certificates » Manage Free Certificates
On the free cert management page you can create 20 free certs. After you raise a request, the cert will be ready within minutes.

Download the cert
On the right-hand side of the generated cert, you can trigger the download by clicking 'Download' or the three-dot menu.
The downloaded package contains two files: one key file and one cert.

Replace TLS cert
Run the following commands to replace the TLS certs with the ones downloaded in the steps above.
# check the existing secret
kubectl get secret kubernetes-dashboard-certs -n kubernetes-dashboard
# remove the current secret
kubectl delete secret kubernetes-dashboard-certs -n kubernetes-dashboard
# create a secret with the same name - kubernetes-dashboard-certs
kubectl create secret generic kubernetes-dashboard-certs --from-file=7588655_dashboard.it-meta.space.key --from-file=7588655_dashboard.it-meta.space.pem -n kubernetes-dashboard
# delete the dashboard pod to force the system to schedule a new one that picks up the new secret
kubectl delete pod -n kubernetes-dashboard $(kubectl get pod -n kubernetes-dashboard | grep kubernetes-dashboard- | awk '{print $1}')
Setup Ingress for the dashboard
To expose the dashboard endpoint over HTTPS, we will use ingress-nginx to handle the TLS connection.
Create Secret for ingress
Run the following commands to create the secret.
kubectl create secret tls k8s-dashboard --key 7588655_dashboard.it-meta.space.key --cert 7588655_dashboard.it-meta.space.pem -n kubernetes-dashboard
kubectl get secret -n kubernetes-dashboard
Captured screenshot for reference.
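Before loading the downloaded files into either secret, it is worth confirming that the key belongs to the certificate, that the certificate covers the ingress host and that it is not about to expire. The following is an added example, not part of the original post; the function name check_tls_pair and the 14-day threshold are assumptions, and it needs the openssl CLI.

```shell
#!/bin/sh
# Added example: pre-flight checks for a downloaded certificate/key pair.
# check_tls_pair CERT KEY HOST [MIN_DAYS]  -> returns 0 only if all checks pass.
check_tls_pair() {
    cert=$1; key=$2; host=$3; min_days=${4:-14}   # 14 days is an assumed default

    # 1. The public key inside the certificate must equal the one derived
    #    from the private key, otherwise the pair cannot serve TLS.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot parse certificate $cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null) || {
        echo "FAIL: cannot parse private key $key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: private key does not match certificate"; return 1; }

    # 2. The certificate must be valid for the host used in the Ingress rule.
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match certificate' || {
        echo "FAIL: certificate does not cover $host"; return 1; }

    # 3. -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null || {
        echo "FAIL: certificate expires within $min_days days"; return 1; }

    echo "OK: $cert matches $key, covers $host, valid for > $min_days days"
}

# Run only when arguments are supplied, e.g.
#   sh check.sh 7588655_dashboard.it-meta.space.pem \
#               7588655_dashboard.it-meta.space.key dashboard.it-meta.space
if [ "$#" -ge 3 ]; then check_tls_pair "$@"; fi
```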

Create Ingress for dashboard
Here is a sample YAML file - k8s-dashboard-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: k8s-dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx
  rules:
  - host: dashboard.it-meta.space
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443
  tls:
  - secretName: k8s-dashboard
    hosts:
    - dashboard.it-meta.space
kubectl apply -f k8s-dashboard-ingress.yaml
After creating the ingress, if you want to see the generated nginx config, you can exec into the ingress-nginx-controller pod and check nginx.conf.
Jamies-MacBook-Pro:dashboard jamie$ kubectl get pod -n ingress-nginx
NAME                                               READY   STATUS    RESTARTS      AGE
ingress-ingress-nginx-controller-c8b8497fb-559sg   1/1     Running   1 (13h ago)   24h
Jamies-MacBook-Pro:dashboard jamie$ kubectl exec -it ingress-ingress-nginx-controller-c8b8497fb-559sg -n ingress-nginx -- bash 
bash-5.1$ ls
fastcgi.conf            koi-win                 nginx.conf              template
fastcgi.conf.default    lua                     nginx.conf.default      uwsgi_params
fastcgi_params          mime.types              opentracing.json        uwsgi_params.default
fastcgi_params.default  mime.types.default      owasp-modsecurity-crs   win-utf
geoip                   modsecurity             scgi_params
koi-utf                 modules                 scgi_params.default
bash-5.1$ cat nginx.conf
...
## start server dashboard.it-meta.space
	server {
		server_name dashboard.it-meta.space ;
		
		listen 80  ;
		listen 443  ssl http2 ;
		
		set $proxy_upstream_name "-";
		
		ssl_certificate_by_lua_block {
			certificate.call()
		}
...
Access the dashboard
DNS resolution for local setups (optional)
If you are doing the setup on a VM or machine that has public access, you can access the dashboard URL directly.
If you are doing it locally on a host-only network, you have to take care of DNS resolution yourself by editing the hosts file. In my case I'm using VMware Fusion on a MacBook, so I have to change the hosts file to point the FQDN at the EXTERNAL-IP of the ingress nginx controller service.
192.168.58.155 dashboard.it-meta.space
Access the dashboard
At this point the setup is almost done; let's try the dashboard.

It looks good; now get a token and log in.
Use the command below to get a login token and use it to log in to the dashboard console.
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep kubernetes-dashboard | awk '{print $1}')
Optional - create a new user with cluster-admin role
Because the existing user kubernetes-dashboard has very limited access rights to cluster resources, I suggest creating a new service account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-admin
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-admin-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: dashboard-admin
  namespace: kubernetes-dashboard
Once done, you can use this new user to get a token to log in to the dashboard.
v1.23 and older versions
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep dashboard-admin | awk '{print $1}')
v1.24 and later versions
kubectl -n kubernetes-dashboard create token dashboard-admin
After login, you can see the resources running on the cluster and carry out operations through this dashboard.
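The cluster-admin binding gives whoever holds this token full control of the cluster, and the dashboard is now reachable through the ingress. If read access is enough, the login account can instead be bound to the built-in view role in selected namespaces only. This is an added example, not from the original post; the account name dashboard-viewer and the namespaces in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: emit a namespace-scoped, read-only binding for a dashboard
# login account instead of a cluster-wide cluster-admin binding.
SA=dashboard-viewer            # hypothetical account name for this example
SA_NS=kubernetes-dashboard

render_viewer_rbac() {
    # Print the ServiceAccount once, then one RoleBinding per namespace given.
    cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $SA
  namespace: $SA_NS
EOF
    for ns in "$@"; do
        cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding            # namespaced: grants nothing outside $ns
metadata:
  name: $SA-view
  namespace: $ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view                 # built-in read-only role; does not expose Secrets
subjects:
- kind: ServiceAccount
  name: $SA
  namespace: $SA_NS
EOF
    done
}

# Usage against a cluster (v1.24+ for "create token"):
#   render_viewer_rbac default monitoring | kubectl apply -f -
#   kubectl auth can-i delete pods -n default \
#       --as=system:serviceaccount:$SA_NS:$SA          # expect "no"
#   kubectl -n $SA_NS create token $SA --duration=1h   # short-lived login token
```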
