Install Kubernetes Dashboard

Dashboard is a web-based Kubernetes user interface.

Pre-requisites

We are using our Kubernetes homelab to deploy the dashboard.

Install Kubernetes Dashboard

To deploy the dashboard, run the following command:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml

Accessing the Dashboard UI

Dashboard deploys with a minimal RBAC configuration by default. The dashboard service account created here will have administrative privileges and is for homelab purposes only.

Create a dashboard service account in the default namespace:

$ kubectl -n default create serviceaccount dashboard

Create a dashboard-admin cluster role binding. This binds the dashboard service account to the cluster-admin role to have super-user access to perform any action on any resource.

$ kubectl -n default create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=default:dashboard

A role can only be used to grant access to resources within a single namespace. A cluster role can be used to grant the same permissions as a role, but because they are cluster-scoped, they are not tied to a namespace.

Create a cluster role binding that adds the system:anonymous user to the cluster-admin role. This setup is useful when unauthenticated access to the Kubernetes API is desired and is acceptable for a homelab environment, but is not recommended on a production cluster. Do not elevate accounts to cluster-admin unless you know what you are doing.

$ kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=system:anonymous

Get a dashboard token:

$ kubectl get secret $(kubectl get serviceaccount dashboard -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}"|base64 -d;echo

We can access the dashboard using the following command:

$ kubectl proxy

Kubectl will make dashboard available at:

http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

The problem with this approach is that the UI can only be accessed from the machine where the command is executed. While it’s not necessary, I’ve created a load balancer in order to access the dashboard on a FQDN using kube-apiserver port:

https://dashboard.apps.hl.test:6443/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

10 thoughts on “Install Kubernetes Dashboard

  1. Thank You
    It’ s fine for me with this approach is that the UI can only be accessed from the machine where the command is executed
    ie:
    $ ssh -L localhost:1234:localhost:8001 ansible@srv31
    $ http:// localhost:1234/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

    But after i don’t know how to:
    configure your load balancer in order to access the dashboard on a FQDN using kube-apiserver port.

    * Is this a CNAME the value of ? dashboard.apps.hl.test = {{ k8s_ha_dns }}

    • Hi, yes, for that to work you have to create a load balancer, e.g HAProxy, Nginx or Istio. In my case dashboard.apps.hl.test is an A record to the IP address of the load balancer.

  2. Hello,

    This tutorial is one the best I have found so far, easy to follow and almost complete. I have to do a little bit of research to get 3 masters, 3 nodes and 1 haproxy. everything works great except. the dashboar.

    I am trying to access from my local machine this way “https://haproxy.thelocaldiveshop.com:6443/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/”

    and I ge the response below. because the user is incorrect and fail authentication

    kind “Status”
    apiVersion “v1”
    metadata {}
    status “Failure”
    message “services \”https:kubernetes-dashboard:\” is forbidden: User \”system:anonymous\” cannot get resource \”services/proxy\” in API group \”\” in the namespace \”kubernetes-dashboard\””
    reason “Forbidden”
    details
    name “https:kubernetes-dashboard:”
    kind “services”
    code 403

    • Hi Ivan, add the following rules to the ClusterRole that you are using:

        - verbs:
            - "get"
            - "create"
            - "delete"
          apiGroups:
            - ''
          resources:
            - services/proxy
      
    • It would be the YAML file that you used to define your ClusterRole. Did you follow instructions provided in the article, or did you create your own role?

  3. I ran the following kubectl edit clusterrole system:node -o yaml and added the changes. still the response. I think need to install httpd and run a proxy in the haproxy server

Leave a Reply

Your email address will not be published. Required fields are marked *