0

I got a cluster running on an Ubuntu server. I provide the web content on the server running in the cluster via port 80/443. The server itself I am accessing via ssh only, so no graphical interface at all.

Now I want to access the kubernetes web ui for that cluster. During research I found sources who say that accessing the web ui per remote access is not recommended for prod environments. The guides are only about using kubectl proxy to expose the dashboard to localhost.

Is there a solution or a more or less common way to access the dashboard of a cluster running on a server?

Steephen
elp
  • The dashboard is written in a way that it refuses to talk to you over an unsecured connection, unless it's a localhost. This means you need to set up your certificates correctly in order to use it. Once you've done that it will work. Setting up the certs for the dashboard is no different than setting up certs for any other web application. – Andrew Savinykh Jan 07 '19 at 23:57

5 Answers

1
...
spec:
  clusterIP: 10.104.126.244
  externalIPs:
  - 192.168.64.1
  externalTrafficPolicy: Cluster
  ports:
  - nodePort: 31180
    port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: LoadBalancer
status:

The above kubernetes-dashboard-service will work, by going to https://192.168.64.1:31180 , where 192.168.64.1 is the IP address of your Kubernetes Controller, however there are caveats.

You'll need to use an old browser to access it and accept the security exception.

Then run

kubectl -n kube-system get secret

And look for your replicaset-controller-token-kzpmc

Then run

$ kubectl -n kube-system describe secrets replicaset-controller-token-kzpmc

And copy the long token at the bottom.

Name:       replicaset-controller-token-kzpmc
Namespace:  kube-system
Labels:     <none>
Annotations:    kubernetes.io/service-account.name=replicaset-controller
        kubernetes.io/service-account.uid=d0d93741-96c5-11e7-8245-901b0e532516

Type:   kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3 
Ft00msh
0

If you want to access your dashboard through an external IP address, you can edit your Dashboard service and change the type to LoadBalancer if you have an external LB provider such as GCP or AWS. To do that, edit the kubernetes-dashboard service.

# kubectl -n kube-system edit service kubernetes-dashboard

You should see a YAML representation of the service. Change type: ClusterIP to type: LoadBalancer and save the file. If it's already changed, go to the next step.

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
...
  name: kubernetes-dashboard
  namespace: kube-system
  resourceVersion: "343478"
  selfLink: /api/v1/namespaces/kube-system/services/kubernetes-dashboard-head
  uid: 8e48f478-993d-11e7-87e0-901b0e532516
spec:
  clusterIP: 10.100.124.90
  externalTrafficPolicy: Cluster
  ports:
  - port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: ClusterIP # <-- Change to LoadBalancer
status:
  loadBalancer: {}

Then run the command below to see the external IP address of the Kubernetes Dashboard service:

# kubectl -n kube-system get service kubernetes-dashboard
NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)         AGE
kubernetes-dashboard   LoadBalancer   10.23.252.164   <external-ip>   443:31720/TCP   26d

Then browse to https://<external-ip> to see the Web UI.

You can also expose your service as a NodePort to access the Web UI through your subnet.

clxoid
  • Is there more to the URL than just `https://IPADDRESS`? I'm still not able to hit the dashboard after this approach. – TJ Zimmerman Mar 11 '19 at 01:15
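
A defender-side check for the Service changes described in the answers above (added example, not part of any answer): it reads the table printed by `kubectl get service --all-namespaces` and lists Dashboard Services reachable from outside the cluster through type LoadBalancer, NodePort or externalIPs. The function names, the match on names containing `dashboard` and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Dashboard Services that are reachable from outside the cluster.
# Live use: kubectl get service --all-namespaces | audit_dashboard_exposure

# Constructed sample table (not output from a real cluster).
sample_services() {
cat <<'EOF'
NAMESPACE              NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP    PORT(S)         AGE
default                kubernetes             ClusterIP      10.96.0.1        <none>         443/TCP         40d
kube-system            kubernetes-dashboard   LoadBalancer   10.23.252.164    203.0.113.10   443:31720/TCP   26d
kubernetes-dashboard   kubernetes-dashboard   ClusterIP      10.100.124.90    <none>         443/TCP         3d
staging                kubernetes-dashboard   NodePort       10.104.126.244   <none>         443:31180/TCP   9d
lab                    kubernetes-dashboard   ClusterIP      10.104.9.7       192.168.64.1   443/TCP         2d
EOF
}

# Reads the table on stdin and prints one line per exposed Dashboard Service:
#   namespace/name reason ports=... external=...
# Assumption: a Dashboard Service is any Service whose name contains "dashboard".
audit_dashboard_exposure() {
  awk '
    NR == 1 { next }                 # skip the header row
    $2 !~ /dashboard/ { next }       # ignore Services that are not the Dashboard
    {
      reason = ""
      if ($3 == "LoadBalancer")    reason = "type=LoadBalancer"
      else if ($3 == "NodePort")   reason = "type=NodePort"
      else if ($5 != "<none>")     reason = "externalIPs set"
      if (reason != "")
        printf "%s/%s %s ports=%s external=%s\n", $1, $2, reason, $6, $5
    }'
}

# Exit status 0 when no Dashboard Service is exposed, 1 otherwise,
# so the check can gate a CI job or a cron alert.
dashboard_is_private() {
  [ -z "$(audit_dashboard_exposure)" ]
}

# Demo run over the constructed sample.
sample_services | audit_dashboard_exposure
```

A ClusterIP Service with no external IP, reached through `kubectl port-forward` or `kubectl proxy` over an SSH tunnel, produces no output from this check.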
0

Two things:

1. To access it directly using the browser (local machine), the k8s cluster must be in the same network domain.
2. If you are not on item #1, access it using Windows RDP and use the browser.

donubas
0

Assuming the K8s dashboard is already deployed on your cluster, forward all requests from your Amazon EC2 instance localhost port to the Kubernetes Dashboard port by running the following command:

kubectl port-forward svc/kubernetes-dashboard -n kubernetes-dashboard 6443:443

And then, to access the port from your local machine with an SSH tunnel, run the following command:

ssh -i <EC2KeyPair.pem> ec2-user@<IP> -L 6443:127.0.0.1:6443

Give your PEM file name and IP if you are accessing from AWS EC2. For example, ssh -i "demo.pem" ec2-user@ec2-34-207-214-53.compute-1.amazonaws.com -L 6443:127.0.0.1:6443

After this, exit from your EC2 instance and run:

ssh -i "demo.pem" ec2-user@ec2-34-207-214-53.compute-1.amazonaws.com -L 6443:127.0.0.1:6443

And now you can open https://127.0.0.1:6443 in your browser window to access the k8s dashboard.

For detailed information, please refer to https://aws.amazon.com/premiumsupport/knowledge-center/eks-cluster-kubernetes-dashboard/

Steffi Keran Rani J
-2

kubectl proxy works pretty well. Otherwise, you can also change the kubernetes-dashboard into a loadbalancer/nodeport and access the cluster through that.

If you're using a loadbalancer and you're with a cloud provider like AWS or Azure, you can probably set up security groups to allow access at some specific ip ranges.

But tbh, I'll say kubectl proxy is good enough most of the time.

Ho Man
  • Oh okay, but how to access the dashboard which is exposed to localhost on the server from my home machine? – elp Jan 07 '19 at 21:25
  • @elp `kubectl proxy --address=INTERNAL_SERVER_IP_ADDRESS_HERE --accept-hosts=.*` – Crono Jan 29 '21 at 17:07