Friday, November 9, 2018

How to start Dashboard in a test Kubernetes Cluster

Goal:

How to start Dashboard in a test Kubernetes Cluster.
Dashboard is a web-based Kubernetes user interface. You can use Dashboard to deploy containerized applications to a Kubernetes cluster, troubleshoot your containerized application, and manage the cluster itself along with its attendant resources.

Env:

CentOS 7.4
4 nodes (v1 to v4; v1 is the master node of the Kubernetes cluster):

  • xx.xx.xx.41 v1.poc.com v1
  • xx.xx.xx.42 v2.poc.com v2
  • xx.xx.xx.43 v3.poc.com v3
  • xx.xx.xx.44 v4.poc.com v4
Kubernetes v1.12.2
Docker 18.06.1-ce
Dashboard 1.10
[Please follow "How to install a Kubernetes Cluster on CentOS 7" to create this test cluster first.]

Solution:

Refer to the documentation below:
https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/

1. Deploy the Dashboard UI

kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

2. Start the proxy on master node

Here v1.poc.com is the master node.
kubectl proxy --address="0.0.0.0" -p 8001 --accept-hosts='^*$'
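This proxy listens on port 8001 on all interfaces of the master node and accepts connections from any host.
Note: This is for test purposes only, not for a production cluster. The proxy forwards requests to the API server using the credentials from the local kubeconfig, so anyone who can reach port 8001 gets that access without authenticating.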

3. Authentication and Authorization for Dashboard(Option A)

Please refer to the documentation below to understand authentication and authorization.
Since this is a test cluster, we will grant admin privilege to the Dashboard's Service Account so that you can just click the "Skip" button when you open the UI to skip the login.

3.1 Fetch the name of the Dashboard's Service Account

$ kubectl get serviceaccount -n kube-system |grep -i dashboard
kubernetes-dashboard                 1         2d21h
Here the name of the Dashboard's Service Account is "kubernetes-dashboard".

3.2 Grant admin privilege

This is done by creating a "ClusterRoleBinding" object that grants the role named "cluster-admin" to the Service Account named "kubernetes-dashboard":
cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
EOF

3.3 Confirm the role is granted properly

$ kubectl describe clusterrolebinding kubernetes-dashboard
Name:         kubernetes-dashboard
Labels:       k8s-app=kubernetes-dashboard
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind            Name                  Namespace
  ----            ----                  ---------
  ServiceAccount  kubernetes-dashboard  kube-system
Note: here the "ClusterRoleBinding" object has the same name as the Service Account, "kubernetes-dashboard".

3.4 Open Dashboard UI from client

Open the Dashboard UI below from a client, for example, your own Mac which has access to the master node -- v1.poc.com.
http://v1.poc.com:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
Click the "SKIP" button to skip the login.

Again, the steps above are only for a test cluster, since they give admin privilege to the Dashboard's Service Account.

4. Authentication and Authorization for Dashboard(Option B)

If you do not want to grant admin privilege to the Dashboard's Service Account, you can instead create a new Service Account with admin privilege, and then use its token to log in.

4.1 Create a new Service Account named "my-account-for-dashboard"

kubectl create serviceaccount my-account-for-dashboard

4.2 Grant admin privilege

kubectl create clusterrolebinding my-account-for-dashboard-rolebinding --clusterrole=cluster-admin --serviceaccount=default:my-account-for-dashboard

4.3 Get the token of this new Service Account

$ kubectl describe secret my-account-for-dashboard
Name:         my-account-for-dashboard-token-j6rzh
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: my-account-for-dashboard
              kubernetes.io/service-account.uid: a2f918a5-e46d-11e8-a6d7-000c29562394

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      xxx
Here "xxx" in "token:" field is what we need.

4.4 Port forwarding on client

On the client machine, for example, your Mac, set up port forwarding to port "8001" on the master node -- v1.poc.com:
ssh -L 8001:localhost:8001 root@v1.poc.com

4.5 Open dashboard UI from client

Open the Dashboard UI below from the client, for example, your own Mac which has access to the master node -- v1.poc.com.
http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
Choose "Token" and paste the token fetched in step 4.3 to log in.
After login, if you click the profile icon on the top right, you should see: "LOGGED IN WITH TOKEN".

Please refer to the access control page for Dashboard for more options.
