The Kubernetes Dashboard is a general purpose, web-based UI for Kubernetes clusters. It allows users to manage and troubleshoot applications running in their cluster, as well as manage the cluster itself.
Before you begin
This tutorial assumes that you already have a working OVHcloud Managed Kubernetes cluster, and some basic knowledge of how to operate it. If you want to know more on those topics, please look at the OVHcloud Managed Kubernetes Service Quickstart.
This tutorial describes the most basic way of using the Dashboard with your OVHcloud Managed Kubernetes cluster. Please refer to the official docs for a deeper understanding, specifically on subjects like access control, for more in-depth information.
Deploy the Dashboard in your cluster
According to which version of Kubernetes you are running, you have to choose the right Dashboard version to deploy in order to avoid incompatibilities.
For Kubernetes 1.20.2-1, choose version v2.2.0
# kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml
It should display something like this:
# kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
Create An Authentication Token (RBAC)
In order to access the Dashboard, you need to create a new user with the service account mechanism in Kubernetes. Grant this user admin permissions, then log in to the Dashboard using their bearer token. Let’s look at these steps in more detail.
Create Service Account
First, we will create a service account with the name admin-user
in the kubernetes-dashboard
namespace.
To do this, please copy the following YAML into a dashboard-service-account.yml
file:
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kubernetes-dashboard
You should then apply the file to add the service account to your cluster:
# kubectl apply -f dashboard-service-account.yml
It should display something like this:
# kubectl apply -f dashboard-service-account.yml
serviceaccount/admin-user created
Create a RoleBinding
Using the cluster-admin
role for your cluster, we will create a RoleBinding
, binding it to your ServiceAccount
.
To do this, please copy the following YAML into a dashboard-cluster-role-binding.yml
file:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kubernetes-dashboard
You should then apply the file to add the RoleBinding
to your cluster:
# kubectl apply -f dashboard-cluster-role-binding.yml
It should display something like this:
# kubectl apply -f dashboard-cluster-role-binding.yml
clusterrolebinding.rbac.authorization.k8s.io/admin-user created
Bearer Token
Next step is recovering the bearer token you will use to log in your Dashboard. Execute following command:
# kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user-token | awk '{print $1}')
It should display something like:
# kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user-token | awk '{print $1}')
Name: admin-user-token-2kv9s
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin-user
kubernetes.io/service-account.uid: fa0408f5-bb43-4bf3-976c-0e584e284332
Type: kubernetes.io/service-account-token
Data
====
namespace: 20 bytes
token: <very_very_long_token>
ca.crt: 1801 bytes
Copy the token and store it securely, as it’s your key to the Dashboard.
Access the Dashboard
To access the Dashboard from your local workstation, you must create a secure channel to your OVHcloud Managed Kubernetes cluster. You can do this by using kubectl
as a proxy from your workstation to the cluster:
# kubectl proxy
Your kubectl is opening a connection and acting as a proxy from your workstation to the cluster. Any HTTP request to your local port (8001) will be proxified and sent to the cluster API.
# kubectl proxy
Starting to serve on 127.0.0.1:8001
Next, access the Dashboard at:
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
In the log-in page, select authentication by token, and use the bearer token you recovered in the previous step.
You will then be taken directly to your Dashboard:
Delete all kubernetes-dashboard resources
To remove all resources created by your previous kubernetes-dashboard
deployment, just execute the following command line:
# kubectl delete ns kubernetes-dashboard
# kubectl delete -f dashboard-cluster-role-binding.yml