How to access Kubernetes UI via browser?

Question

I have installed Kubernetes using contrib/ansible scripts. When I run cluster-info:

[osboxes@kube-master-def ~]$ kubectl cluster-info
Kubernetes master is running at http://localhost:8080
Elasticsearch is running at http://localhost:8080/api/v1/proxy/namespaces/kube-system/services/elasticsearch-logging
Heapster is running at http://localhost:8080/api/v1/proxy/namespaces/kube-system/services/heapster
Kibana is running at http://localhost:8080/api/v1/proxy/namespaces/kube-system/services/kibana-logging
KubeDNS is running at http://localhost:8080/api/v1/proxy/namespaces/kube-system/services/kube-dns
kubedash is running at http://localhost:8080/api/v1/proxy/namespaces/kube-system/services/kubedash
Grafana is running at http://localhost:8080/api/v1/proxy/namespaces/kube-system/services/monitoring-grafana
InfluxDB is running at http://localhost:8080/api/v1/proxy/namespaces/kube-system/services/monitoring-influxdb

The cluster is exposed on localhost with insecure port, and exposed on secure port 443 via ssl

kube 18103 1 0 12:20 ? 00:02:57 /usr/bin/kube-controller-manager --logtostderr=true --v=0 --master=https://10.57.50.161:443 -- kubeconfig=/etc/kubernetes/controller-manager.kubeconfig --service-account-private-key-file=/etc/kubernetes/certs/server.key --root-ca-file=/etc/kubernetes/certs/ca.crt kube 18217 1 0 12:20 ? 00:00:15 /usr/bin/kube-scheduler --logtostderr=true --v=0 --master=https://10.57.50.161:443 --kubeconfig=/etc/kubernetes/scheduler.kubeconfig root 27094 1 0 12:21 ? 00:00:00 /bin/bash /usr/libexec/kubernetes/kube-addons.sh kube 27300 1 1 12:21 ? 00:05:36 /usr/bin/kube-apiserver --logtostderr=true --v=0 --etcd-servers=http://10.57.50.161:2379 --insecure-bind-address=127.0.0.1 --secure-port=443 --allow-privileged=true --service-cluster-ip-range=10.254.0.0/16 --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota --tls-cert-file=/etc/kubernetes/certs/server.crt --tls-private-key-file=/etc/kubernetes/certs/server.key --client-ca-file=/etc/kubernetes/certs/ca.crt --token-auth-file=/etc/kubernetes/tokens/known_tokens.csv --service-account-key-file=/etc/kubernetes/certs/server.crt

I have copied the certificates from kube-master machine to my local machine, I have installed the ca root certificate. The chrome/safari browsers are accepting the ca root certificate. When I'm trying to access the https://10.57.50.161/ui I'm getting the 'Unauthorized'

How can I access the kubernetes ui?

Answer 1

1. kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

2. kubectl proxy &

3. Run the following command in your local laptop(or where you want to access the GUI)

   ssh -L 8877:127.0.0.1:8001 -N -f -l root master_IPADDRESS

4. Get the secret key kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | awk '/^deployment-controller-token-/{print $1}') | awk '$1=="token:"{print $2}'

5. Open the dashboard http://localhost:8877/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

Perform role-binding if you get any errors.

Answer 2

api server is already accessible on 6443 port on the node, but not authorize accesss to https://:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

i've generated client certificats signed by kubernetes ca cert, and converted to pkcs12 and integreted to my browser... when try to access to the this url they says that user are not authorized to access to the uri...

Answer 3

You can use kubectl proxy.

Depending if you are using a config file, via command-line run

kubectl proxy

or

kubectl --kubeconfig=kubeconfig proxy

You should get a similar response

Starting to serve on 127.0.0.1:8001

Now open your browser and navigate to

http://127.0.0.1:8001/ui/ (deprecated, see kubernetes/dashboard)
http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

You need to make sure the ports match up.

Answer 4

You can use kubectl proxy --address=clusterIP --port 8001 --accept-hosts '.*'

Answer 5

Quick-n-dirty (and unsecure) way to access the Dashboard:

$ kubectl edit svc/kubernetes-dashboard --namespace=kube-system

This will load the Dashboard config (yaml) into an editor where you can edit it.

Change line type: ClusterIP to type: NodePort.

Get the tcp port:

$ kubectl get svc kubernetes-dashboard -o json --namespace=kube-system

The line with the tcp port will look like:

            "nodePort": 31567

In newer releases of kubernetes you can get the nodeport from get svc:

# This is kubernetes 1.7:
donn@host37:~$ sudo kubectl get svc --namespace=kube-system
NAME                   CLUSTER-IP   EXTERNAL-IP   PORT(S)        AGE
kubernetes-dashboard   10.3.0.234   <nodes>       80:31567/TCP   2h

Do kubectl describe nodes to get a node IP address.

Browse to: http://NODE_IP:31567

Good for testing. Not good for production due to lack of security.

Answer 6

This works for me that you can access from network

kubectl proxy --address 0.0.0.0 --accept-hosts '.*'

Answer 7

Looking at your apiserver configuration, you will need to either present a bearer token (valid tokens will be listed in /etc/kubernetes/tokens/known_tokens.csv) or client certificate (signed by the CA cert in /etc/kubernetes/certs/ca.crt) to prove to the apiserver that you should be allowed to access the cluster.

https://github.com/kubernetes/kubernetes/issues/7307#issuecomment-96130676 describes how I was able to configure client certificates for a GKE cluster on my Mac.

To pass bearer tokens, you need to pass an HTTP header Authorization with a value Bearer ${KUBE_BEARER_TOKEN}. You can see an example of how this is done with curl here; in a browser, you will need to install an add-on/plugin to pass custom headers.