Dashboard is a web-based Kubernetes user interface. You can use Dashboard to deploy containerized applications to a Kubernetes cluster, troubleshoot your containerized application, and manage the cluster resources. You can use Dashboard to get an overview of applications running on your cluster, as well as for creating or modifying individual Kubernetes resources (such as Deployments, Jobs, DaemonSets, etc.). For example, you can scale a Deployment, initiate a rolling update, restart a pod or deploy new applications using a deploy wizard.
Dashboard also provides information on the state of Kubernetes resources in your cluster and on any errors that may have occurred.
In the previous posts, I’ve described how to deploy Kubernetes Dashboard with TLS certs and expose it using a Load Balancer service.
This post shows you how you can expose the Dashboard using Contour with TLS certificates.
Step 1. Download the Kubernetes Dashboard manifest
https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
Step 2. Edit the file
Go to the kubernetes-dashboard Service and add a type: ClusterIP line at the end of its spec, so that the service is a ClusterIP service for Contour to use. It should look like this:
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  type: ClusterIP
Go to the kubernetes-dashboard-certs Secret and add in your TLS certificate and private key for the Dashboard in base64 format and change the type to kubernetes.io/tls. It should look something like this:
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUU1VENDQTgyZ0F3SUJBZ0lT--snipped--
  tls.key: --snipped--
type: kubernetes.io/tls
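One way to produce the two base64 values for this Secret, as an added example that is not part of the original post: the shell functions below check that the private key belongs to the certificate and encode both files on a single line. The function names and the tls.crt/tls.key file names are assumptions, and openssl and base64 must be installed.

```shell
# Added example, not from the original post. Function names are hypothetical;
# tls.crt and tls.key are assumed PEM file names. Requires openssl and base64.

# Encode a file as base64 on ONE line. GNU base64 wraps output at 76 columns
# by default, and a wrapped value breaks the single-line YAML scalar.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Succeed only if the private key ($2) belongs to the certificate ($1), by
# comparing the public key extracted from each. If the file holds a chain,
# openssl x509 reads the first certificate, which should be the leaf.
cert_matches_key() {
  cmk_cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  cmk_key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cmk_cert_pub" ] && [ "$cmk_cert_pub" = "$cmk_key_pub" ]
}

# Print the kubernetes-dashboard-certs Secret for a cert/key pair, refusing
# to emit anything when the pair does not match.
render_secret() {
  if ! cert_matches_key "$1" "$2"; then
    echo "error: $2 is not the private key for $1" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
data:
  tls.crt: $(b64_oneline "$1")
  tls.key: $(b64_oneline "$2")
type: kubernetes.io/tls
EOF
}

# Usage: render_secret tls.crt tls.key
```

Run render_secret tls.crt tls.key and paste the output over the kubernetes-dashboard-certs Secret in recommended.yaml.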
Go to the kubernetes-dashboard Deployment spec.template.spec.containers.args section and add in these two lines:
- --tls-cert-file=/tls.crt
- --tls-key-file=/tls.key
It should end up looking something like this:
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: kubernetes-dashboard
      image: kubernetesui/dashboard:v2.7.0
      imagePullPolicy: Always
      ports:
        - containerPort: 8443
          protocol: TCP
      args:
        - --tls-cert-file=/tls.crt
        - --tls-key-file=/tls.key
        - --auto-generate-certificates
        - --namespace=kubernetes-dashboard
Step 3. Add in the Contour HTTPProxy
Go all the way to the bottom of the file and add in this section, changing the fqdn to your desired FQDN.
---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  namespace: kubernetes-dashboard
  name: kubernetes-dashboard-httpproxy
spec:
  routes:
    - conditions:
        - prefix: /
      services:
        - name: kubernetes-dashboard
          port: 443
          protocol: tls
  virtualhost:
    fqdn: kubernetes-dashboard.vmwire.com
    tls:
      secretName: kubernetes-dashboard-certs
Step 4. Add in a ServiceAccount and a ClusterRoleBinding
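Go all the way to the bottom of the file and add in this section. It creates an admin-user ServiceAccount and binds it to the built-in cluster-admin ClusterRole, so the login token obtained in Step 6 has full administrative access to the cluster.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    # namespace is required for ServiceAccount subjects
    namespace: kubernetes-dashboard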
Step 5. Deploy the manifest
kubectl apply -f recommended.yaml
Step 6. Obtain login token
kubectl -n kubernetes-dashboard create token admin-user