Install Kubernetes Dashboard

Lars Jönsson 2020-11-13

Instructions for installing the Dashboard on a running Kubernetes cluster. They are based on the recommended setup in the Kubernetes Dashboard README file.

Preparations

Certificates

Create a private key and a certificate that can be used when accessing the Dashboard. It is assumed that they are available at $HOME/certs and are named dashboard.key and dashboard.crt, respectively.

More information about how to create the certificate is described here.

YAML definition

For the Dashboard to pick up the certificates, you must pass the arguments --tls-cert-file=/dashboard.crt and --tls-key-file=/dashboard.key to the container. First download the recommended.yaml file:

wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.4/aio/deploy/recommended.yaml

Under the Deployment section, add the arguments to the pod definition. It should look as follows:

  args:
    - --tls-cert-file=/dashboard.crt
    - --tls-key-file=/dashboard.key
    - --auto-generate-certificates

--auto-generate-certificates can be left in place, and will be used as a fallback.

Installation

Create the namespace for the Dashboard and install the secret (key and certificate):

kubectl create namespace kubernetes-dashboard
kubectl create secret generic kubernetes-dashboard-certs --from-file="$HOME/certs" -n kubernetes-dashboard
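
Because --from-file is given a directory, kubectl adds every regular file in it to the secret under its file name, and the container only finds the pair if those names match the --tls-cert-file and --tls-key-file arguments. The pre-flight check below is an added example, not part of the original instructions or the Dashboard project; the helper names check_cert_dir and key_matches_cert are hypothetical, and key_matches_cert assumes openssl is installed.

```bash
# Added example (not from the Dashboard project). check_cert_dir and
# key_matches_cert are hypothetical helper names.
# Usage: check_cert_dir "$HOME/certs" && key_matches_cert "$HOME/certs"

check_cert_dir() {
  ccd_dir=$1
  ccd_rc=0
  [ -d "$ccd_dir" ] || { echo "not a directory: $ccd_dir" >&2; return 2; }

  # The container is started with --tls-cert-file=/dashboard.crt and
  # --tls-key-file=/dashboard.key, so both names must become secret keys.
  # kubectl ignores symlinks, and an empty file is useless: reject both.
  for ccd_name in dashboard.crt dashboard.key; do
    ccd_path=$ccd_dir/$ccd_name
    if [ ! -s "$ccd_path" ] || [ -L "$ccd_path" ]; then
      echo "missing, empty or symlink: $ccd_path" >&2
      ccd_rc=1
    fi
  done

  # --from-file=<dir> adds every regular file in the directory to the
  # secret, so anything else here (a CA key, a backup) would ship too.
  for ccd_path in "$ccd_dir"/*; do
    { [ -f "$ccd_path" ] && [ ! -L "$ccd_path" ]; } || continue
    case ${ccd_path##*/} in
      dashboard.crt|dashboard.key) ;;
      *) echo "unexpected file: $ccd_path" >&2; ccd_rc=1 ;;
    esac
  done

  # The private key must not be accessible to group or others.
  if [ -f "$ccd_dir/dashboard.key" ]; then
    ccd_mode=$(ls -ld "$ccd_dir/dashboard.key" | cut -c5-10)
    if [ "$ccd_mode" != "------" ]; then
      echo "dashboard.key is accessible to group/others" >&2
      ccd_rc=1
    fi
  fi
  return "$ccd_rc"
}

# Returns 0 only if the certificate and the key carry the same public key;
# 1 on mismatch or unparsable input, 2 if openssl is not installed.
key_matches_cert() {
  command -v openssl >/dev/null 2>&1 || return 2
  kmc_cert=$(openssl x509 -in "$1/dashboard.crt" -noout -pubkey 2>/dev/null) || return 1
  kmc_key=$(openssl pkey -in "$1/dashboard.key" -pubout 2>/dev/null) || return 1
  [ -n "$kmc_cert" ] && [ "$kmc_cert" = "$kmc_key" ]
}
```

Run both checks before creating the secret; a non-zero status from either means the directory should be fixed first.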

Install the Dashboard:

kubectl apply -f recommended.yaml 

The Dashboard is made available through a NodePort service. This way of accessing the Dashboard is only recommended for development environments in a single-node setup.

Edit the kubernetes-dashboard service:

kubectl -n kubernetes-dashboard edit service kubernetes-dashboard

You should see the YAML representation of the service. Change type: ClusterIP to type: NodePort and save the file.

  sessionAffinity: None
  type: NodePort

Next, check the port on which the Dashboard was exposed.

kubectl -n kubernetes-dashboard get service kubernetes-dashboard
NAME                   TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.103.10.241   <none>        443:31262/TCP   4m3s

The Dashboard has been exposed on port 31262 (HTTPS). You can now access it from your browser at https://<master-ip>:31262. The master-ip can be found by executing kubectl cluster-info.

Dashboard user

An admin user is needed when accessing the Dashboard. It is created using the Service Account mechanism of Kubernetes, and the user is granted admin permissions. A bearer token tied to the user is used to log in to the Dashboard.

IMPORTANT: Make sure that you know what you are doing before proceeding. Granting admin privileges to Dashboard's Service Account might be a security risk.

Creating the user

Create a dashboard-adminuser.yaml file with the following content:

# Admin user for the Dashboard

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard

Create the admin user:

kubectl apply -f dashboard-adminuser.yaml

Getting the bearer token

Get the bearer token for the admin user:

kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')

It should print something like:

Name:         admin-user-token-gkspb
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin-user
              kubernetes.io/service-account.uid: 594f36d4-4ad4-42fb-9cdf-639cd9e70030

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  20 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IjFUOVNuTFJLVVJMNElVdmx6bU1VeXJNVE4tRm9GVDFBNj

The token can be copied and pasted into the Enter token field on the login screen.