The Kubernetes Dashboard is a general-purpose, web-based UI for Kubernetes clusters. It allows users to manage and troubleshoot applications running in their cluster, as well as manage the cluster itself.
Before you begin
This tutorial assumes that you already have a working OVHcloud Managed Kubernetes cluster and some basic knowledge of how to operate it. If you want to learn more about these topics, please check out the OVHcloud Managed Kubernetes Service Quickstart.
Deploy the Dashboard in your cluster
Depending on the version of Kubernetes you are running, you have to choose the right Dashboard version to deploy to avoid incompatibilities.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
It should display something like this:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-rc7/aio/deploy/recommended.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
Create An Authentication Token (RBAC)
To access the Dashboard, you need to create a new user with the service account mechanism in Kubernetes. Grant this user admin permissions, and then log into the Dashboard using their bearer token. Let’s look at these steps in more detail.
Create Service Account
First, we will create a service account with the name admin-user in the kubernetes-dashboard namespace.
To do this, please copy the following YAML into a dashboard-service-account.yml file:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
You should then apply the file to add the service account to your cluster:
kubectl apply -f dashboard-service-account.yml
It should display something like this:
$ kubectl apply -f dashboard-service-account.yml
serviceaccount/admin-user created
Create a Role Binding
Using the cluster-admin role for your cluster, we will create a ClusterRoleBinding that binds this role to your ServiceAccount. The cluster-admin role allows every action on every resource in the cluster, so the admin-user account receives full control of the cluster.
To do this, please copy the following YAML into a dashboard-cluster-role-binding.yml file:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
You should then apply the file to add the ClusterRoleBinding to your cluster:
kubectl apply -f dashboard-cluster-role-binding.yml
It should display something like this:
$ kubectl apply -f dashboard-cluster-role-binding.yml
clusterrolebinding.rbac.authorization.k8s.io/admin-user created
Create a Secret Service Account Token
As of Kubernetes v1.24.0, Secret API objects containing service account tokens are no longer auto-generated for every Service Account. Because of this, we’ll need to create the Secret ourselves.
To do this, please copy the following YAML into a service-account-token.yml file:
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: admin-user-token
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/service-account.name: admin-user
You should then apply the file to add the Secret to your cluster:
kubectl apply -f service-account-token.yml
It should display something like this:
$ kubectl apply -f service-account-token.yml
secret/admin-user-token created
Bearer Token
The next step is recovering the bearer token you will use to log into your Dashboard. Execute the following command:
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user-token | awk '{print $1}')
It should display something like this:
$ kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user-token | awk '{print $1}')
Name:         admin-user-token-2kv9s
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin-user
              kubernetes.io/service-account.uid: fa0408f5-bb43-4bf3-976c-0e584e284332
Type:  kubernetes.io/service-account-token
Data
====
namespace:  20 bytes
token:      <very_very_long_token>
ca.crt:     1801 bytes
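Copy the token and store it securely: it’s your key to the Dashboard and, because admin-user is bound to cluster-admin, it grants full administrative access to the cluster.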
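As an added example (not part of the original guide), the script below decodes the payload of a service account token to show which identity it carries and whether it expires. The two sample tokens are constructed and unsigned, and the helper names (b64url, jwt_payload, token_summary, sample_token) are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): read the claims of a
# service account token to see whose identity it carries and if it expires.

b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }   # encode, JWT style

# Decode the payload (2nd segment) of a JWT: base64url without padding.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print "<subject> <expiry>", where expiry is an epoch time or "never".
token_summary() {
  local claims sub exp
  claims=$(jwt_payload "$1" | tr ',' '\n')
  sub=$(printf '%s\n' "$claims" | sed -n 's|^[{ ]*"sub": *"\([^"]*\)".*|\1|p')
  exp=$(printf '%s\n' "$claims" | sed -n 's|^[{ ]*"exp": *\([0-9][0-9]*\).*|\1|p')
  printf '%s %s\n' "${sub:-unknown}" "${exp:-never}"
}

# Constructed, unsigned sample tokens (hypothetical values, built at run time).
sample_token() {
  printf '%s.%s.%s' "$(printf '%s' '{"alg":"RS256"}' | b64url)" \
    "$(printf '%s' "$1" | b64url)" "constructed-signature"
}
SA='system:serviceaccount:kubernetes-dashboard:admin-user'
SECRET_TOKEN=$(sample_token "{\"iss\":\"kubernetes/serviceaccount\",\"sub\":\"$SA\"}")
BOUND_TOKEN=$(sample_token "{\"exp\":1700003600,\"iat\":1700000000,\"sub\":\"$SA\"}")

token_summary "$SECRET_TOKEN"   # Secret-based token: no exp claim
token_summary "$BOUND_TOKEN"    # time-bound token: carries exp
```

A token read from a kubernetes.io/service-account-token Secret carries no exp claim and stays valid until the Secret or the service account is deleted. Running kubectl -n kubernetes-dashboard create token admin-user issues a time-limited token for the same account instead.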
Access the Dashboard
To access the Dashboard from your local workstation, you must create a secure channel to your OVHcloud Managed Kubernetes cluster. You can do this by using kubectl as a proxy from your workstation to the cluster:
kubectl proxy
Your kubectl opens a connection and acts as a proxy from your workstation to the cluster. Any HTTP request to your local port (8001) will be proxied and sent to the cluster API.
$ kubectl proxy
Starting to serve on 127.0.0.1:8001
Next, access the Dashboard at:
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
On the login page, select authentication by token and use the bearer token you recovered in the previous step.
You will then be taken directly to your Dashboard.
Delete all kubernetes-dashboard resources
To remove all resources created by your previous kubernetes-dashboard deployment, just execute the following commands:
kubectl delete ns kubernetes-dashboard
kubectl delete -f dashboard-cluster-role-binding.yml
Go further
For more information and tutorials, please see our other Managed Kubernetes support guides or explore the guides for other OVHcloud products and services.