Accessing a Cluster Using the Kubernetes Dashboard

Kubernetes Dashboard is a web-based user interface that you can use as an alternative to the Kubernetes kubectl command line tool to:

  • deploy containerized applications to a Kubernetes cluster
  • troubleshoot your containerized applications

You use the Kubernetes Dashboard to get an overview of applications running on a cluster, as well as to create or modify individual Kubernetes resources. The Kubernetes Dashboard also reports the status of Kubernetes resources in the cluster, and any errors that have occurred.

In contrast to the Kubernetes Dashboard, Container Engine for Kubernetes enables you to create and delete Kubernetes clusters and node pools, and to manage the associated compute, network, and storage resources.

Before you can use the Kubernetes Dashboard to access a cluster, you need to specify the cluster on which to perform operations by setting up the cluster's kubeconfig file.

Note the following:

  • You cannot run the Kubernetes Dashboard in Cloud Shell.
  • To have Container Engine for Kubernetes automatically deploy the Kubernetes Dashboard during cluster creation, create the cluster using the API and set the isKubernetesDashboardEnabled attribute to true. When Container Engine for Kubernetes automatically deploys the Kubernetes Dashboard, it is deployed in the kube-system namespace.
  • You cannot use Container Engine for Kubernetes to deploy the Kubernetes Dashboard on the cluster after the cluster is created. To manually deploy the Kubernetes Dashboard on an existing cluster, see the Kubernetes documentation. When you follow the instructions to manually deploy the Kubernetes Dashboard, it is deployed in the kube-dashboard namespace rather than the kube-system namespace. As a result, the URL to display a manually deployed Kubernetes Dashboard is http://localhost:8001/api/v1/namespaces/kube-dashboard/services/https:kubernetes-dashboard:/proxy/#!/login, rather than http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login.
  • An Oracle Cloud Infrastructure CLI command in the kubeconfig file generates authentication tokens that are short-lived, cluster-scoped, and specific to individual users. As a result, you cannot share kubeconfig files between users to access Kubernetes clusters. The generated authentication tokens are also unsuitable if you want other processes and tools to access the cluster, such as continuous integration and continuous delivery (CI/CD) tools. In this case, consider creating a Kubernetes service account and adding its associated authentication token to the kubeconfig file. For more information, see Adding a Service Account Authentication Token to a Kubeconfig File.
  • The commands to use to delete the Kubernetes Dashboard from a cluster will depend on the version of Kubernetes running on the cluster. See Notes about Deleting the Kubernetes Dashboard.
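
The token note above contrasts short-lived, per-user tokens with service account tokens handed to CI/CD tools. This added example (not Oracle's code) decodes a token's claims so you can see whose identity it carries and whether it ever expires; legacy secret-based service account tokens have no exp claim. The ci-deployer account name and the sample token are constructed for illustration.

```python
import base64
import json
import time
from typing import Optional

def b64url(obj: dict) -> str:
    """Helper used only to build the constructed sample below."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample: claims in the shape of a secret-based service account
# token. The signature part is a dummy; nothing here is a real credential.
SAMPLE_SA_TOKEN = ".".join([
    b64url({"alg": "RS256", "typ": "JWT"}),
    b64url({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "kube-system",
        "kubernetes.io/serviceaccount/service-account.name": "ci-deployer",
        "sub": "system:serviceaccount:kube-system:ci-deployer",
    }),
    "c2ln",
])

def decode_claims(token: str) -> dict:
    """Return the JWT payload. Inspection only: the signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc

def token_summary(token: str, now: Optional[float] = None) -> dict:
    """Summarise who the token speaks for and whether it ever expires."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return {
        "subject": claims.get("sub"),
        "issuer": claims.get("iss"),
        "expires": exp is not None,
        "seconds_left": None if exp is None else max(0, int(exp - now)),
    }

if __name__ == "__main__":
    print(token_summary(SAMPLE_SA_TOKEN))
```

A token that reports expires as False stays valid until its secret or service account is deleted, so store it like any other long-lived credential.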

Accessing a Cluster using the Kubernetes Dashboard

To access a cluster using the Kubernetes Dashboard:

  1. If you haven't already done so, follow the steps to set up the cluster's kubeconfig configuration file and (if necessary) set the KUBECONFIG environment variable to point to the file. Note that you must set up your own kubeconfig file. You cannot access a cluster using a kubeconfig file that a different user set up. See Setting Up Cluster Access.
  2. In a text editor, create a file (for example, called oke-admin-service-account.yaml) with the following content:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: oke-admin
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: oke-admin
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: oke-admin
      namespace: kube-system

    The file defines an administrator service account and a clusterrolebinding, both called oke-admin.

  3. Create the service account and the clusterrolebinding in the cluster by entering:

    $ kubectl apply -f <filename>

    where <filename> is the name of the file you created earlier. For example:

    $ kubectl apply -f oke-admin-service-account.yaml

    The output from the above command confirms the creation of the service account and the clusterrolebinding:

    serviceaccount "oke-admin" created
    clusterrolebinding.rbac.authorization.k8s.io "oke-admin" created

    You can now use the oke-admin service account to view and control the cluster, and to connect to the Kubernetes dashboard.

  4. Obtain an authentication token for the oke-admin service account by entering:

    $ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep oke-admin | awk '{print $1}')

    The output from the above command includes an authentication token (a long alphanumeric string) as the value of the token: element, as shown below:

    Name:         oke-admin-token-gwbp2
    Namespace:    kube-system
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: oke-admin
                  kubernetes.io/service-account.uid: 3a7fcd8e-e123-11e9-81ca-0a580aed8570

    Type:  kubernetes.io/service-account-token

    Data
    ====
    ca.crt:     1289 bytes
    namespace:  11 bytes
    token:      eyJh______px1Q

    In the example above, eyJh______px1Q (abbreviated for readability) is the authentication token.

  5. Copy the value of the token: element from the output. You will use this token to connect to the dashboard.

  6. In a terminal window, enter kubectl proxy to make the Kubernetes Dashboard available.
  7. Open a browser and go to http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login to display the Kubernetes Dashboard that was deployed when the cluster was created.

    Note that if you followed the instructions in the Kubernetes documentation to manually deploy the Kubernetes Dashboard on an existing cluster, it is deployed in the kube-dashboard namespace rather than the kube-system namespace. As a result, the URL to display the manually deployed Kubernetes Dashboard is http://localhost:8001/api/v1/namespaces/kube-dashboard/services/https:kubernetes-dashboard:/proxy/#!/login.

  8. In the Kubernetes Dashboard, select Token and paste the value of the token: element you copied earlier into the Token field.

  9. In the Kubernetes Dashboard, click Sign In, and then click Overview to see the applications deployed on the cluster.

Notes about Deleting the Kubernetes Dashboard

If you want to delete the Kubernetes Dashboard from a cluster, the commands to use will depend on the version of Kubernetes running on the cluster:

  • For clusters running Kubernetes versions prior to version 1.16.8, run the following kubectl commands to delete the Kubernetes Dashboard:
    $ kubectl delete deployment kubernetes-dashboard -n kube-system
    $ kubectl delete sa -n kube-system kubernetes-dashboard
    $ kubectl delete svc -n kube-system kubernetes-dashboard
    $ kubectl delete secret -n kube-system kubernetes-dashboard-certs
    $ kubectl delete secret -n kube-system kubernetes-dashboard-key-holder
    $ kubectl delete cm -n kube-system kubernetes-dashboard-settings
    $ kubectl delete role -n kube-system kubernetes-dashboard-minimal
    $ kubectl delete rolebinding -n kube-system kubernetes-dashboard-minimal
    $ kubectl delete deploy -n kube-system kubernetes-dashboard
  • For clusters running Kubernetes version 1.16.8 (or later), run the following kubectl commands to delete the Kubernetes Dashboard:
    $ kubectl delete deployment kubernetes-dashboard -n kube-system
    $ kubectl delete sa -n kube-system kubernetes-dashboard
    $ kubectl delete svc -n kube-system kubernetes-dashboard
    $ kubectl delete secret -n kube-system kubernetes-dashboard-certs
    $ kubectl delete secret -n kube-system kubernetes-dashboard-csrf
    $ kubectl delete secret -n kube-system kubernetes-dashboard-key-holder
    $ kubectl delete cm -n kube-system kubernetes-dashboard-settings
    $ kubectl delete role -n kube-system kubernetes-dashboard
    $ kubectl delete rolebinding -n kube-system kubernetes-dashboard
    $ kubectl delete clusterrole -n kube-system kubernetes-dashboard
    $ kubectl delete clusterrolebinding -n kube-system kubernetes-dashboard
    $ kubectl delete deploy -n kube-system kubernetes-dashboard