5 Accessing the Kubernetes Dashboard

The Kubernetes Dashboard container is created as part of the kubernetes-dashboard namespace. You can also start the Dashboard using the kubectl-proxy service. The Dashboard provides an intuitive graphical user interface to a Kubernetes cluster that can be accessed using a standard web browser.

The Kubernetes Dashboard is described in the upstream Kubernetes documentation.

This chapter shows you how to start and connect to the Kubernetes Dashboard.

Starting the Dashboard

To start the Dashboard, run a proxy service that allows traffic on the node where it's running to reach the internal pod where the Dashboard application is running. This is achieved by running the kubectl proxy service:

kubectl proxy

The output looks similar to:

Starting to serve on

The Dashboard is available on the node where the proxy is running. To exit the proxy, use Ctrl+C. When you exit the proxy, it ends the application, and the Dashboard is no longer available.

You can run this as a systemd service and enable it so that it's always available after OS reboots:

sudo systemctl enable --now kubectl-proxy.service

This systemd service requires that the /etc/kubernetes/admin.conf is present to run. To change the port that's used for the proxy service, or you want to add other proxy configuration parameters, you can configure this by editing the systemd drop-in file at /etc/systemd/system/kubectl-proxy.service.d/10-kubectl-proxy.conf. You can get more information about the configuration options available for the kubectl proxy service by running:

kubectl proxy --help

Connecting to the Dashboard

To access the Dashboard, open a web browser on the node where the kubectl proxy service is running and navigate to:


To log in, you must authenticate using a token. For more information on authentication tokens, see the upstream Kubernetes documentation.

Set up a token for the admin-user using:

kubectl --namespace kubernetes-dashboard create token admin-user

Copy and paste the entire value of the token output into the token field on the log in page to authenticate.

Connecting to the Dashboard Remotely

If you need to access the Dashboard remotely, you can use SSH tunneling to do port forwarding from the localhost to the node running the kubectl proxy service. The easiest option is to use SSH tunneling to forward a port on the local system to the port configured for the kubectl proxy service on the node that you want to access. This method retains some security as the HTTP connection is encrypted by virtue of the SSH tunnel and authentication is handled by the SSH configuration. For example, on the local system run:

ssh -L 8001:

Substitute with the IP address of the host where the kubectl proxy service is running. When the SSH connection is established, you can open a browser on the localhost and navigate to:


The Dashboard log in screen is displayed for the remote Kubernetes cluster. Use the same token information to authenticate as if you were connecting to the Dashboard locally.

Connecting to the Dashboard Container

You don't need to start the Dashboard using the kubectl-proxy service as it's already running as a container when you install the Kubernetes module. This is another method to access the Dashboard. To verify the container is running, enter:

kubectl get pods --namespace kubernetes-dashboard

The output looks similar to:

NAME                                    READY   STATUS    RESTARTS   AGE
kubernetes-dashboard-785945dc77-c8l72   1/1     Running   0          19m

A Kubernetes Dashboard service is also deployed. You can show that service using:

kubectl get svc --namespace kubernetes-dashboard

The output looks similar to:

NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
kubernetes-dashboard   ClusterIP   <none>        443/TCP   20m

To access this service, assign an external IP address to the ClusterIP, or patch the service to assign an IP address using a NodePort. When you have assigned an external IP address, you can connect to the service using a web browser that has access to that network.