9

Question

It is not clear how to access the dashboard with HTTPS, and I cannot find clear documentation (it just says to use kubectl proxy). So what is the way to access the dashboard with HTTPS?

Kubernetes Dashboard GitHub tells:

> The shortcut http://localhost:8001/ui is deprecated. Use the full proxy URL shown above.

K8S Dashboard Recommended Setup or K8S Dashboard FAQ do not tell how to access the dashboard without proxy.

> I'm accessing Dashboard over HTTPS
>
> The reason why /ui redirect does not work for HTTPS is that it hasn't yet been updated in the core repository. You can track https://github.com/kubernetes/kubernetes/pull/53046#discussion_r145338754 to find out when it will be merged. Probably it won't be available until K8S 1.8.3+.
>
> Correct links that can be used to access Dashboard are in our documentation. Check Accessing Dashboard to find out more.


However, the kubernetes-dashboard.yaml manifest defines the service endpoint to the dashboard as below:

```yaml
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
```

And the cluster IP (in my environment) assigned is below.

```
# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   ClusterIP   10.101.199.14   <none>        443/TCP         4h
```

Simply creating an SSH tunnel to 10.101.199.14:443 and accessing it (https://localhost:8001) shows the dashboard.

So, basically, is there no need to use kubectl proxy, and is directly accessing clusterIP:443 the way to access the dashboard with HTTPS?

Kindly suggest where the up-to-date and accurate documentation on how to use the K8S dashboard is.

Environment

```
# kubectl version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.0", GitCommit:"925c127ec6b946659ad0fd596fa959be43f0cc05", GitTreeState:"clean", BuildDate:"2017-12-15T21:07:38Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.0", GitCommit:"925c127ec6b946659ad0fd596fa959be43f0cc05", GitTreeState:"clean", BuildDate:"2017-12-15T20:55:30Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
```
mon

3 Answers

2

As far as I know, you would not want to expose your k8s dashboard to the external world, since it's a graphical way to get access to your k8s cluster. That's why the service type of k8s-dashboard is ClusterIP instead of LoadBalancer or NodePort (Minikube uses it).

Now, if you want to access the dashboard without exposing it to the external world, there are 2 ways, which you have described in the question.

  • Kubectl proxy (it creates an HTTP proxy to the kube-api server)
  • Kubectl port-forward (it creates a TCP proxy to the k8s-dashboard pod)
Suresh Vishnoi
  • Thanks for the update. The access is only possible from the intra-net to which VPN access is mandatory, so not exposed to external world, however we must use HTTPS. – mon Dec 29 '17 at 11:04
  • If you can use internal LoadBalancer then you just need to use `type=LoadBalancer` in the k8s-dashboard service file. It might solve the issue. – Suresh Vishnoi Dec 29 '17 at 11:06
  • Thanks Suresh. As I do not have time to test your suggestions, forgive me not accepting it as the answer for now. Will test when I get time. – mon Dec 29 '17 at 22:45
  • Thanks Suresh, after having fixed the AWS issue https://stackoverflow.com/questions/48039953/, I could use the LoadBalancer to expose the service. – mon Jan 03 '18 at 11:38
2

As I had no time to test the suggestion by Suresh, I used the below for now.

Get the kubernetes-dashboard service account token (given cluster-admin role).

```
$ kubectl get secret -n kube-system | grep kubernetes-dashboard
kubernetes-dashboard-token-42b78                 kubernetes.io/service-account-token   3         1h

$ kubectl describe secret kubernetes-dashboard-token-42b78 -n kube-system
Name:         kubernetes-dashboard-token-42b78
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=kubernetes-dashboard
              kubernetes.io/service-account.uid=36347792-ecdf-11e7-9ca8-06bb783bb15c

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:    <TOKEN>
```

Start SSH tunnel.

```
ssh -L localhost:8001:172.31.4.117:6443 centos@<K8SServer>
```

Use Chrome ModHeader extension to send the Bearer token.

Access the API server endpoint via SSH tunnel (local port 8001).

https://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy

mon
  • Followed your instructions, got a `status-code 403 (forbidden)` response... – Markus Feb 02 '20 at 00:29
  • @Markus the same case. – Karim Manaouil Feb 10 '20 at 10:10
  • @KarimManaouil: In my case the container-creation for the web-dashboard got stuck because the _coredns_-container also got stuck during creation. After solving the issue I could access the dashboard. I wrote the solution down [here](https://stackoverflow.com/questions/60049036/kubernetes-container-creation-gets-stuck-at-container-creation-containercreati). – Markus Feb 10 '20 at 13:32
  • @Markus Thanks for the link. In my case the dashboard and coredns are running. Actually all containers are running fine (I used Kubespray to setup the cluster). I made sure the clusterrolebinding is correct and it is. For me I get 404 error, resource not found !! – Karim Manaouil Feb 10 '20 at 13:43
  • @KarimManaouil: Have you tried changing _kube-system_ to _kubernetes-dashboard_ in the url? My Dashboard was running under different namespace – Markus Feb 10 '20 at 15:01
  • Thanks for the suggestion @Markus. I have just confirmed and it is running in kube-system. I think it's something related to IAM (Identity and Access Management) but I have no idea how to resolve this. – Karim Manaouil Feb 10 '20 at 15:10
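
Added example, not part of any answer or comment above: a small audit over `kubectl ... -o json` output that flags the two risks this thread touches on, a dashboard Service switched from ClusterIP to NodePort/LoadBalancer, and a `kubernetes-dashboard` service account bound to `cluster-admin`. The sample objects, including the binding name, are constructed for illustration; the default names follow the manifest in the question.

```python
import json

# Constructed sample: the "items" of `kubectl get svc -n kube-system -o json`
# and `kubectl get clusterrolebinding -o json`, merged into one list.
SAMPLE_ITEMS = json.loads("""[
  {"kind": "Service",
   "metadata": {"name": "kubernetes-dashboard", "namespace": "kube-system"},
   "spec": {"type": "LoadBalancer", "ports": [{"port": 443, "targetPort": 8443}]}},
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "kubernetes-dashboard"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                 "namespace": "kube-system"}]},
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "system:kube-dns"},
   "roleRef": {"kind": "ClusterRole", "name": "system:kube-dns"},
   "subjects": [{"kind": "ServiceAccount", "name": "kube-dns",
                 "namespace": "kube-system"}]}
]""")


def audit_dashboard(items, name="kubernetes-dashboard", namespace="kube-system"):
    """Return findings on how the dashboard is exposed and what its token can do."""
    findings = []
    for obj in items:
        meta = obj.get("metadata", {})
        if obj.get("kind") == "Service":
            if (meta.get("name"), meta.get("namespace")) != (name, namespace):
                continue
            # An omitted spec.type means ClusterIP, as in the manifest above.
            svc_type = obj.get("spec", {}).get("type", "ClusterIP")
            if svc_type in ("NodePort", "LoadBalancer"):
                findings.append(f"service {namespace}/{name} is {svc_type}: "
                                "exposed beyond the cluster network")
        elif obj.get("kind") == "ClusterRoleBinding":
            if obj.get("roleRef", {}).get("name") != "cluster-admin":
                continue
            for subj in obj.get("subjects") or []:
                if (subj.get("kind"), subj.get("name"),
                        subj.get("namespace")) == ("ServiceAccount", name, namespace):
                    findings.append(f"clusterrolebinding {meta.get('name')} gives "
                                    f"cluster-admin to {namespace}/{name}: its "
                                    "token is a full-cluster credential")
    return findings


if __name__ == "__main__":
    for finding in audit_dashboard(SAMPLE_ITEMS):
        print("FINDING:", finding)
```

To run it against a live cluster, load the two `kubectl` JSON outputs, concatenate their `items` arrays and pass the result to `audit_dashboard`.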
0

For those stuck with a status-code 403 and coredns containers stuck during creation, try installing a pod network add-on for your cluster:

Calico for example:

```
kubectl apply -f https://docs.projectcalico.org/v3.8/manifests/calico.yaml
```

source: https://kubernetes.io/fr/docs/setup/independent/create-cluster-kubeadm/

cchicote