Kubernetes Dashboard
The Kubernetes Dashboard is improving, but still doesn't want to install nicely (at least not for a casual/insecure user). They have done a better job of incorporating the RBAC concepts -- but this has, in turn, required me to figure out how to log in properly (see below).
These instructions cover the Kubernetes Dashboard v1.10.1.
Prerequisites
Note that if you are re-installing the dashboard, you need to delete ALL pieces of the dashboard that might still be hanging around from previous installations. The best way to make sure everything is cleaned up properly is to use the manifest from the previous install (or the new install):
kubectl delete -f kubernetes-dashboard.yaml
... once you download it below or using the one from the previous install. This will remove everything INCLUDING the certificate secret, so that will have to be re-loaded as well.
Installing the Dashboard
- Create the certificates that the dashboard will use, since it insists on using HTTPS.
- The internal auto-generate option does NOT create certificates that most modern browsers will even tolerate
- Theoretically, we could use something like 'Let's Encrypt', but not totally sure ...
- this is from https://github.com/kubernetes/dashboard/wiki/Certificate-management
$ openssl genrsa -des3 -passout pass:x -out dashboard.pass.key 2048
$ openssl rsa -passin pass:x -in dashboard.pass.key -out dashboard.key
$ rm dashboard.pass.key
$ openssl req -new -key dashboard.key -out dashboard.csr
$ openssl x509 -req -sha256 -days 9999 -in dashboard.csr -signkey dashboard.key -out dashboard.crt
- Create the secret in Kubernetes that will hold the certificates. Note that this must be done BEFORE the dashboard deployment is created, as otherwise the deployment will create and use certificates of its own, which won't work (from https://github.com/kubernetes/dashboard/wiki/Installation)
kubectl create secret generic kubernetes-dashboard-certs --from-file=$HOME/certs -n kube-system
- ... replacing '$HOME/certs' with the directory you used to create the certificates in step 1
- Now you download the manifest -- you can't just apply it from the web because we need to modify it first
wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
- Make 2 changes to the manifest:
- In the Service definition at the end of the manifest, add 'type: LoadBalancer' so we can get an IP address for the dashboard instead of having to access it through the kubectl proxy command.
- In the 'args' section of the Deployment definition, insert '--token-ttl=0' after '--auto-generate-certificates' so that the dashboard sessions don't time out (see https://github.com/kubernetes/dashboard/wiki/Dashboard-arguments and https://github.com/kubernetes/dashboard/issues/2815)
- Note that even though we're generating our own certificates, we have to use the 'auto' option -- it just sees that there are certs in the secret and goes on. When I tried to take that option out, it reverted to http (non-ssl) operation -- not necessarily a bad thing, but since we have the certs already loaded, let's use them.
- Now create the kubernetes objects:
kubectl apply -f kubernetes-dashboard.yaml
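The two manifest changes in the list above can be scripted, so a freshly downloaded manifest gets the same edits before the apply step. This is an added example, not part of the original page or the Dashboard project; the function names and the trimmed sample manifest are constructed, and it assumes the Service `spec:` and the `--auto-generate-certificates` argument are laid out as in the sample.

```shell
#!/bin/sh
# Added example: apply the two manifest edits (LoadBalancer + --token-ttl=0).

# Constructed, trimmed stand-in for the downloaded manifest (layout assumed).
sample_manifest() {
  cat <<'EOF'
kind: Deployment
metadata:
  name: kubernetes-dashboard
spec:
  template:
    spec:
      containers:
      - name: kubernetes-dashboard
        args:
          - --auto-generate-certificates
---
kind: Service
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
EOF
}

# Reads a manifest on stdin, writes the patched manifest on stdout.
# Existing type:/--token-ttl lines are dropped first, so re-running is safe.
patch_dashboard_manifest() {
  awk '
    /^---/   { kind = "" }                      # start of a new YAML document
    /^kind:/ { kind = $2 }
    kind == "Service" && /^  type:/ { next }    # re-added below
    /^[ \t]*- --token-ttl=/         { next }    # re-added below
    { print }
    kind == "Service" && /^spec:[ \t]*$/ { print "  type: LoadBalancer" }
    /^[ \t]*- --auto-generate-certificates[ \t]*$/ {
      indent = $0; sub(/-.*/, "", indent)       # keep the list indentation
      print indent "- --token-ttl=0"
    }
  '
}

# Demo on the constructed sample. For the real file:
#   patch_dashboard_manifest < kubernetes-dashboard.yaml > patched.yaml
sample_manifest | patch_dashboard_manifest
```

Diff the patched file against the download before running kubectl apply, so that only the two intended lines differ.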
At this point, you have the dashboard running and waiting for you to log in. To get the external IP address for the dashboard, use kubectl:
kubectl get services -n kube-system
Remember that the dashboard is SSL encrypted, so access is like this:
https://<external IP>
Authenticating to the dashboard is a bit of a trick, but I finally found the 'preferred' way to do it -- buried in the bottom of an issue that someone opened to complain about it: https://github.com/kubernetes/dashboard/issues/2474
kubectl -n kube-system describe secrets \
`kubectl -n kube-system get secrets | awk '/clusterrole-aggregation-controller/ {print $1}'` \
| awk '/token:/ {print $2}'
Run that command in a terminal window, and paste the results in as a 'token' in the dashboard login page -- it's a multi-line hash -- be warned. From the issue text, this should give full cluster admin rights to the dashboard.
If you get an error message instead of a login screen, you're probably using a browser with an existing (now defunct) cookie for a previous installation. Click on the account icon in the upper right corner and sign out ... then you can log in with the new token.
The current tokens for the current clusters are stored in their respective configuration pages: