I background knowledge
Kubernetes Dashboard is the official Web UI of Kubernetes. Through the Kubernetes Dashboard, we can easily manage resources and deploy applications. Starting from dashboard 1.7.x, only localhost access is allowed. So how can we easily access the dashboard from a local machine? This article introduces several approaches.
II install
2.1 installing Dashboard
Following the official documentation, execute the following command to quickly install dashboard v2.0.0:
kubectl apply -f "https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml"
The above file may not download normally in China due to well-known reasons. The simple workaround is to open recommended.yaml on GitHub, copy the contents, save them locally, and then execute:
kubectl apply -f ./recommended.yaml
The output is similar to:
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
View status:
$ kubectl get deployment --namespace=kubernetes-dashboard kubernetes-dashboard
# or
$ kubectl describe deployment --namespace=kubernetes-dashboard kubernetes-dashboard
# View service
$ kubectl get service --namespace=kubernetes-dashboard kubernetes-dashboard
# In addition, check the pod status
$ kubectl --namespace=kubernetes-dashboard get pod -o wide | grep dashboard
# output
dashboard-metrics-scraper-6b4884c9d5-czx9f   1/1   Running             1   11h     10.244.0.12   ttg12   <none>   <none>
kubernetes-dashboard-7b544877d5-cd2b7        0/1   ContainerCreating   0   8m28s   <none>        ttg12   <none>   <none>
# If the status stays like this, use describe to view the details
$ kubectl describe pod --namespace=kubernetes-dashboard
# output
...
Events:
  Type    Reason     Age        From               Message
  ----    ------     ----       ----               -------
  Normal  Scheduled  <unknown>  default-scheduler  Successfully assigned kubernetes-dashboard/kubernetes-dashboard-7b544877d5-cd2b7 to ttg12
  Normal  Pulling    9m36s      kubelet, ttg12     Pulling image "kubernetesui/dashboard:v2.0.0"
If the image pull keeps failing, you can use dao to pull it first:
dao pull kubernetesui/dashboard:v2.0.0
If the pod status is Running, the installation has been successful:
kubectl --namespace=kubernetes-dashboard get pod -o wide | grep dashboard
The output is similar to:
dashboard-metrics-scraper-6b4884c9d5-czx9f   1/1   Running   1   11h   10.244.0.12   ttg12   <none>   <none>
kubernetes-dashboard-7b544877d5-cd2b7        1/1   Running   0   27m   10.244.0.14   ttg12   <none>   <none>
2.2 adding users and tokens
The Dashboard supports Kubeconfig and Token authentication. This article is a demo, so the configuration file dashboard-admin.yaml grants admin permission to the default Dashboard user. For details, please refer to the official documentation.
2.2.1 adding users and binding roles
Create dash-admin-user.yaml:
# Service account used to log in to the Dashboard
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
# Binds admin-user to the built-in cluster-admin ClusterRole (demo setup)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
Apply new configuration:
$ kubectl apply -f dash-admin-user.yaml
# output
serviceaccount/admin-user created
clusterrolebinding.rbac.authorization.k8s.io/admin-user created
2.2.2 generate login token
Execute the following command to generate a token for login:
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')
The output is similar to:
Name:         admin-user-token-795sl
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin-user
              kubernetes.io/service-account.uid: c628f987-abdc-4ef3-a237-ff47ec177a31

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  20 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6I.................f8zqqH7Q
Copy the token in the last line; it is used for the login below.
III Access Dashboard
3.1 kubectl is installed locally and can directly access the master IP
If kubectl is installed on the local machine (your working computer) and you can directly access the IP of the master, it is very simple. You can start the k8s proxy directly:
# Runs in the foreground; note that it will occupy the terminal window
kubectl proxy
Then visit: http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
3.2 kubectl is not installed locally, but the master IP can be accessed directly
If kubectl is not installed locally, but you can directly access the IP address of the master, you can start the k8s proxy on the master. (We assume that its hostname is ttg12. It can also be any machine in the cluster with kubectl installed; the master is used here, and below, for simplicity.)
kubectl proxy --address='0.0.0.0' --accept-hosts='^*$' &
At this point we can open the Dashboard login page:
http://ttg12:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
We choose the "token" mode, enter the token recorded above, click "Sign in", silently count to three, and wait to enter the long-awaited main page.
In reality, you can count 1-2-3 ten times and the page still does not respond.
So press F12 and open the "Network" tab of the browser's debugging window. It turns out that the login succeeded, but the config interface returned status 401.
The reason is that, even though the proxy accepts external access, starting from dashboard 1.7.x only localhost access is allowed. Somebody raised an issue about this on GitHub, but the reply said that this is a feature, not a bug; it only trips up beginners who do not know about it.
Therefore, we need to access the dashboard through localhost. There are two methods, as follows.
3.2.1 method 1: kubectl port-forward
Note: this method is suitable when you have a formal SSL certificate. If not, use method 2.
In an environment where one needs to access the dashboard from a host other than the kubectl proxy's localhost, one can run the following to access the dashboard through HTTPS:
kubectl port-forward --namespace kubernetes-dashboard service/kubernetes-dashboard 10443:443 --address 0.0.0.0
Then visit: https://ttg12:10443.
However, because the test environment does not have a formal SSL certificate, the browser will refuse access, so method 2 is required.
3.2.2 method 2: ssh port forwarding
On the working computer (you need to be able to ssh to the k8s master), use the following command to forward the port:
$ ssh -L localhost:8001:localhost:8001 -NT faceless@ttg12
faceless@ttg12's password:
After entering the login password of the faceless account on the master machine, the forwarding succeeds.
Then access through the following local address:
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
Finally, I saw the Dashboard homepage.
3.3 kubectl is not installed locally and the master IP cannot be accessed directly
Generally, the k8s cluster sits entirely inside the intranet, and daily access goes through a springboard machine (jump host). This is also the normal state of a production environment. In this case, we have two options.
3.3.1 start kubectl proxy on the springboard machine, and then forward it through the local ssh port
First, start kubectl proxy on the springboard machine (assuming that the hostname of the springboard machine is ttg11):
kubectl proxy --address='0.0.0.0' --accept-hosts='^*$' &
Then forward the local port over ssh to the springboard machine:
ssh -L localhost:8001:localhost:8001 -NT weiping@ttg11
Then access through the following local address:
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
3.3.2 local direct forwarding to the k8s master through the ssh port of the springboard machine
First, start kubectl proxy on the k8s master (or another machine on the intranet), assuming that the hostname of the k8s master is ttg12:
kubectl proxy --address='0.0.0.0' --accept-hosts='^*$' &
Then forward the local port over SSH to the k8s master through the springboard machine (assuming that the hostname of the springboard machine is ttg11):
# The format is: ssh -L localhost:<local port>:<k8s master IP or domain name>:<k8s master port> -NT <springboard login account>@<springboard IP or domain name>
ssh -L localhost:8001:ttg12:8001 -NT weiping@ttg11
Then access through the following local address:
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
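An added check, not part of the original article, for the machines where kubectl proxy or kubectl port-forward is started with --address 0.0.0.0: it reads `ss -H -ltnp` output and reports every kubectl listener bound to a non-loopback address, which any host that can route to the machine can reach with the kubeconfig's credentials and no login of its own. In the SSH-forwarded variants of 3.2.2 and 3.3.1 the tunnel ends at localhost:8001 on the remote side, so a loopback-bound proxy is sufficient there and the check should report nothing. The function name, sample lines and PIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report kubectl listeners (proxy or port-forward) that are
# bound to a non-loopback address. Input: `ss -H -ltnp` output on stdin.
# Run ss as root so the process column is filled in for every socket.

exposed_kubectl_listeners() {
    awk '
    $1 == "LISTEN" && $NF ~ /"kubectl"/ {
        addr = $4
        sub(/:[0-9]+$/, "", addr)   # drop the port
        sub(/%.*$/, "", addr)       # drop an interface scope such as %eth0
        sub(/^\[/, "", addr)        # drop IPv6 brackets
        sub(/\]$/, "", addr)
        if (addr ~ /^127\./ || addr == "::1") next   # loopback only
        pid = "?"
        if (match($NF, /pid=[0-9]+/)) pid = substr($NF, RSTART + 4, RLENGTH - 4)
        print $4, pid               # local address:port and owning PID
    }'
}

# Constructed sample (not captured from a real host): kubectl started the
# ways the article shows, plus sshd for contrast.
SAMPLE_SS='LISTEN 0 4096   0.0.0.0:8001  0.0.0.0:* users:(("kubectl",pid=2214,fd=8))
LISTEN 0 4096 127.0.0.1:8002  0.0.0.0:* users:(("kubectl",pid=2390,fd=8))
LISTEN 0 4096  0.0.0.0:10443 0.0.0.0:* users:(("kubectl",pid=3120,fd=8))
LISTEN 0 128       [::]:22       [::]:* users:(("sshd",pid=801,fd=4))'

printf '%s\n' "$SAMPLE_SS" | exposed_kubectl_listeners

# On a real host:
#   ss -H -ltnp | exposed_kubectl_listeners
```

For each reported PID, `tr '\0' ' ' < /proc/<pid>/cmdline` shows whether it is a proxy or a port-forward and which flags it was started with.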