Goal:
How to start Dashboard in a test Kubernetes Cluster.Dashboard is a web-based Kubernetes user interface. You can use Dashboard to deploy containerized applications to a Kubernetes cluster, troubleshoot your containerized application, and manage the cluster itself along with its attendant resources.
Env:
CentOS 7.44 Nodes(v1 to v4, and v1 will be the master node for Kubernetes Cluster):
- xx.xx.xx.41 v1.poc.com v1
- xx.xx.xx.42 v2.poc.com v2
- xx.xx.xx.43 v3.poc.com v3
- xx.xx.xx.44 v4.poc.com v4
Docker 18.06.1-ce
Dashboard 1.10
[Please follow How to install a Kubernetes Cluster on CentOS 7 to create this test cluster firstly]
Solution:
Refer to below documentation:https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
1. Deploy the Dashboard UI
1 | kubectl create -f https: //raw .githubusercontent.com /kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard .yaml |
2. Start the proxy on master node
Here v1.poc.com is the master node.1 | kubectl proxy --address= "0.0.0.0" -p 8001 --accept-hosts= '^*$' |
Note: This is not for production cluster, and it is only for test purpose.
3. Authentication and Authorization for Dashboard(Option A)
Please refer to below documentation on understand authentication and authorization.Since this is a test cluster, we will grant admin privilege to Dashboard's Service Account so that you can just click "Skip" button when you open the UI to skip "login".
3.1 Fetch the name of the Dashboard's Service Account
1 2 | $ kubectl get serviceaccount -n kube-system | grep -i dashboard kubernetes-dashboard 1 2d21h |
3.2 Grant admin privilege
This done by creating a "ClusterRoleBinding" object to grant role named "cluster-admin" to Service Account named "kubernetes-dashboard":1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | cat <<EOF | kubectl create -f - apiVersion: rbac.authorization.k8s.io /v1beta1 kind: ClusterRoleBinding metadata: name: kubernetes-dashboard labels: k8s-app: kubernetes-dashboard roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: kubernetes-dashboard namespace: kube-system EOF |
3.3 Confirm the role is granted properly
1 2 3 4 5 6 7 8 9 10 11 | $ kubectl describe clusterrolebinding kubernetes-dashboard Name: kubernetes-dashboard Labels: k8s-app=kubernetes-dashboard Annotations: <none> Role: Kind: ClusterRole Name: cluster-admin Subjects: Kind Name Namespace ---- ---- --------- ServiceAccount kubernetes-dashboard kube-system |
3.4 Open Dashboard UI from client
Open below Dashboard UI from client, for example, your own Mac which has access to the master node -- v1.poc.com.1 | http://v1.poc.com:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ |
Again, above steps are only for test cluster since it gives admin privilege to Dashboard Service Account.
4. Authentication and Authorization for Dashboard(Option B)
If you do not want to grant the admin privilege to the Dashboard's Service Account, you can create a new Service Account with admin privilege as well, and then use its token to login.4.1 Create a new Service Account named "my-account-for-dashboard"
1 | kubectl create serviceaccount my-account-for-dashboard |
4.2 Grant admin privilege
1 | kubectl create clusterrolebinding my-account-for-dashboard-rolebinding --clusterrole=cluster-admin --serviceaccount=default:my-account-for-dashboard |
4.3 Get the token of this new Service Account
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | $ kubectl describe secret my-account-for-dashboard Name: my-account-for-dashboard-token-j6rzh Namespace: default Labels: <none> Annotations: kubernetes.io/service-account.name: my-account-for-dashboard kubernetes.io/service-account.uid: a2f918a5-e46d-11e8-a6d7-000c29562394 Type: kubernetes.io/service-account-token Data ==== ca.crt: 1025 bytes namespace: 7 bytes token: xxx |
4.4 Port forwarding on clien
On the client machine, for example, on your Mac, do port forwarding for the "8001" port on the master node -- v1.poc.com:1 | ssh -L 8001:localhost:8001 root@v1.poc.com |
4.5 Open dashboard UI from client
Open below Dashboard UI from client, for example, your own Mac which has access to the master node -- v1.poc.com.1 | http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ |
After login, if you click the profile icon on the top right, you should see : "LOGGED IN WITH TOKEN".
Please refer to access control page for Dashboard for more options.
help me with this error after installed dashbord, dashbord do't started "kubernetes-dashboard-... in the CrashLoopBackOff". claster work normal
ReplyDelete"NAMESPACE NAME READY STATUS RESTARTS AGE
default nginx-5c7588df-7hktj 1/1 Running 0 2d2h
default nginx-5c7588df-shg4c 1/1 Running 0 2d2h
kube-system coredns-86c58d9df4-gwqkq 1/1 Running 2 2d4h
kube-system coredns-86c58d9df4-n45rd 1/1 Running 2 2d4h
kube-system etcd-master 1/1 Running 2 2d4h
kube-system kube-apiserver-master 1/1 Running 2 2d4h
kube-system kube-controller-manager-master 1/1 Running 14 2d4h
kube-system kube-flannel-ds-amd64-95tp4 1/1 Running 2 2d4h
kube-system kube-flannel-ds-amd64-b46hp 1/1 Running 0 2d4h
kube-system kube-flannel-ds-amd64-k5m8c 1/1 Running 2 2d4h
kube-system kube-proxy-55n74 1/1 Running 2 2d4h
kube-system kube-proxy-n2n6x 1/1 Running 0 2d4h
kube-system kube-proxy-w2vbd 1/1 Running 2 2d4h
kube-system kube-scheduler-master 1/1 Running 13 2d4h
"