Goal:
How to start Dashboard in a test Kubernetes Cluster.
Dashboard is a web-based Kubernetes user interface. You can use Dashboard to deploy containerized applications to a Kubernetes cluster, troubleshoot your containerized application, and manage the cluster itself along with its attendant resources.
Env:
CentOS 7.4
4 Nodes (v1 to v4; v1 will be the master node for the Kubernetes Cluster):
- xx.xx.xx.41 v1.poc.com v1
- xx.xx.xx.42 v2.poc.com v2
- xx.xx.xx.43 v3.poc.com v3
- xx.xx.xx.44 v4.poc.com v4
Docker 18.06.1-ce
Dashboard 1.10
[Please follow "How to install a Kubernetes Cluster on CentOS 7" to create this test cluster first]
Solution:
Refer to the documentation below:
https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
1. Deploy the Dashboard UI
kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
2. Start the proxy on master node
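Here v1.poc.com is the master node.
kubectl proxy --address="0.0.0.0" -p 8001 --accept-hosts='^*$'
This proxy will listen on port 8001 on all interfaces of the master node and will accept connections from ANY host.
Note: This is only for test purposes and not for a production cluster. kubectl proxy forwards every request it accepts to the API server using the credentials of the user who started it, so anyone who can reach port 8001 acts with those credentials.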
3. Authentication and Authorization for Dashboard (Option A)
Please refer to the documentation to understand authentication and authorization.
Since this is a test cluster, we will grant admin privilege to Dashboard's Service Account so that you can just click the "Skip" button when you open the UI to skip "login".
3.1 Fetch the name of the Dashboard's Service Account
$ kubectl get serviceaccount -n kube-system |grep -i dashboard
kubernetes-dashboard   1   2d21h
Here the name of the Dashboard's Service Account is "kubernetes-dashboard".
3.2 Grant admin privilege
This is done by creating a "ClusterRoleBinding" object to grant the role named "cluster-admin" to the Service Account named "kubernetes-dashboard":
cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
EOF
3.3 Confirm the role is granted properly
$ kubectl describe clusterrolebinding kubernetes-dashboard
Name:         kubernetes-dashboard
Labels:       k8s-app=kubernetes-dashboard
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind            Name                  Namespace
  ----            ----                  ---------
  ServiceAccount  kubernetes-dashboard  kube-system
Note: here the "ClusterRoleBinding" object has the same name as the Service Account, "kubernetes-dashboard".
3.4 Open Dashboard UI from client
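Open the Dashboard UI below from a client, for example, your own Mac which has access to the master node -- v1.poc.com.
http://v1.poc.com:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
Click the "SKIP" button to skip "login".
Again, the above steps are only for a test cluster, since they give admin privilege to the Dashboard's Service Account: with the proxy from step 2 accepting connections from any host, anyone who can reach port 8001 and clicks "SKIP" operates the cluster as cluster-admin.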
4. Authentication and Authorization for Dashboard (Option B)
If you do not want to grant the admin privilege to the Dashboard's Service Account, you can create a new Service Account with admin privilege instead, and then use its token to log in.
4.1 Create a new Service Account named "my-account-for-dashboard"
kubectl create serviceaccount my-account-for-dashboard
4.2 Grant admin privilege
kubectl create clusterrolebinding my-account-for-dashboard-rolebinding --clusterrole=cluster-admin --serviceaccount=default:my-account-for-dashboard
4.3 Get the token of this new Service Account
$ kubectl describe secret my-account-for-dashboard
Name:         my-account-for-dashboard-token-j6rzh
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: my-account-for-dashboard
              kubernetes.io/service-account.uid: a2f918a5-e46d-11e8-a6d7-000c29562394

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      xxx
Here "xxx" in the "token:" field is what we need.
4.4 Port forwarding on client
On the client machine, for example, on your Mac, do port forwarding for the "8001" port on the master node -- v1.poc.com:
ssh -L 8001:localhost:8001 root@v1.poc.com
4.5 Open dashboard UI from client
Open the Dashboard UI below from a client, for example, your own Mac which has access to the master node -- v1.poc.com.
http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
Choose "Token" and paste the token fetched in step 4.3 to log in.
After login, if you click the profile icon on the top right, you should see: "LOGGED IN WITH TOKEN".
Please refer to the access control page for Dashboard for more options.
Help me with this error after installing Dashboard: Dashboard doesn't start, "kubernetes-dashboard-... in the CrashLoopBackOff". The cluster works normally.
"NAMESPACE NAME READY STATUS RESTARTS AGE
default nginx-5c7588df-7hktj 1/1 Running 0 2d2h
default nginx-5c7588df-shg4c 1/1 Running 0 2d2h
kube-system coredns-86c58d9df4-gwqkq 1/1 Running 2 2d4h
kube-system coredns-86c58d9df4-n45rd 1/1 Running 2 2d4h
kube-system etcd-master 1/1 Running 2 2d4h
kube-system kube-apiserver-master 1/1 Running 2 2d4h
kube-system kube-controller-manager-master 1/1 Running 14 2d4h
kube-system kube-flannel-ds-amd64-95tp4 1/1 Running 2 2d4h
kube-system kube-flannel-ds-amd64-b46hp 1/1 Running 0 2d4h
kube-system kube-flannel-ds-amd64-k5m8c 1/1 Running 2 2d4h
kube-system kube-proxy-55n74 1/1 Running 2 2d4h
kube-system kube-proxy-n2n6x 1/1 Running 0 2d4h
kube-system kube-proxy-w2vbd 1/1 Running 2 2d4h
kube-system kube-scheduler-master 1/1 Running 13 2d4h
"