4.4 Kubernetes Dashboard

When the kubeadm-setup.sh script or kubeadm-ha-setup utility is used to install master nodes in the Kubernetes cluster, the Kubernetes Dashboard container is created as part of the kube-system namespace. This provides an intuitive graphical user interface to Kubernetes that can be accessed using a standard web browser.

The Kubernetes Dashboard is described in the Kubernetes documentation at https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/.

To access the Dashboard, you can run a proxy service that allows traffic on the node where it is running to reach the internal pod where the Dashboard application is running. This is achieved by running the kubectl proxy service:

$ kubectl proxy
Starting to serve on 127.0.0.1:8001

The Dashboard is available on the node where the proxy is running for as long as the proxy runs. To exit the proxy, use Ctrl+C. You can run this as a systemd service and enable it so that it is always available after subsequent reboots:

# systemctl start kubectl-proxy
# systemctl enable kubectl-proxy

This systemd service requires that the /etc/kubernetes/admin.conf is present to run. If you want to change the port that is used for the proxy service, or you want to add other proxy configuration parameters, you can configure this by editing the systemd drop-in file at /etc/systemd/system/kubectl-proxy.service.d/10-kubectl-proxy.conf. You can get more information about the configuration options available for the kubectl proxy service by running:

$ kubectl proxy ‐‐help

To access the Dashboard, open a web browser on the node where the proxy is running and navigate to http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login.

To login, you must authenticate using a token. See https://github.com/kubernetes/dashboard/wiki/Access-control for more information. If you have not set up specific tokens for this purpose, you can use a token allocated to a service account, such as the namespace-controller. Run the following command to obtain the token value for the namespace-controller:

$ kubectl -n kube-system describe $(kubectl -n kube-system \
   get secret -n kube-system -o name | grep namespace) | grep token:
token:      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2Nvd\
            W50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSI\
            sImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJuYW1lc3BhY2UtY29ud\
            HJvbGxlci10b2tlbi1zeHB3ayIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1h\
            Y2NvdW50Lm5hbWUiOiJuYW1lc3BhY2UtY29udHJvbGxlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFj\
            Y291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjM4OTk1MWIyLWJlNDYtMTFlNy04ZGY2LTA4MDAyNzY\
            wOTVkNyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTpuYW1lc3BhY2UtY2\
            9udHJvbGxlciJ9.aL-9sRGic_b7XW2eOsDfxn9QCCobBSU41J1hMbT5D-Z86iahl1mQnV60zEKOg-45\
            5pLO4aW_RSETxxCp8zwaNkbwoUF1rbi17FMR_zfhj9sfNKzHYO1tjYf0lN452k7_oCkJ7HR2mzCHmw-\
            AygILeO0NlIgjxH_2423Dfe8In9_nRLB_PzKvlEV5Lpmzg4IowEFhawRGib3R1o74mgIb3SPeMLEAAA

Copy and paste the entire value of the token into the token field on the login page to authenticate.

If you need to access the Dashboard remotely, Oracle recommends using SSH tunneling to do port forwarding from your localhost to the proxy node, as described in the following sections.

SSH Tunneling

The easiest option is to use SSH tunneling to forward a port on your local system to the port configured for the proxy service running on the node that you wish to access. This method retains some security as the HTTP connection is encrypted by virtue of the SSH tunnel and authentication is handled by your SSH configuration. For example, on your local system run:

$ ssh -L 8001:127.0.0.1:8001 192.0.2.10

Substitute 192.0.2.10 with the IP address of the host where you are running kubectl proxy. Once the SSH connection is established, you can open a browser on your localhost and navigate to http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login to access the Dashboard hosted in the remote Kubernetes cluster. Use the same token information to authenticate as if you were connecting to the Dashboard locally.