What is the correct way to access the K8S dashboard?

Question

Question

It is not clear how to access the dashboard with HTTPS and cannot find a clear documentation (it just tells to use kubectl proxy). So what is the way to access the dashboard with HTTPS?

Kubernetes Dashboard GitHub tells:

The shortcut http://localhost:8001/ui is deprecated. Use the full proxy URL shown above.

K8S Dashboard Recommended Setup or K8S Dashboard FAQ do not tell how to access the dashboard without proxy.

I'm accessing Dashboard over HTTPS

The reason why /ui redirect does not work for HTTPS is that it hasn't yet been updated in the core repository. You can track https://github.com/kubernetes/kubernetes/pull/53046#discussion_r145338754 to find out when it will be merged. Probably it won't be available until K8S 1.8.3+.

Correct links that can be used to access Dashboard are in our documentation. Check Accessing Dashboard to find out more.

---

However, the kubernetes-dashboard.yaml manifest defines the service endpoint to the dashboard as below:

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard

And the cluster IP (in my environment) assigned is below.

# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   ClusterIP   10.101.199.14   <none>        443/TCP         4h

Simply create a SSH tunnel to the 10.101.199.14:443 and access to it (https://localhost:8001) shows the dashboard.

So, basically, there is no need to use kubectl proxy and directly access the clusterIP:443 is the way to access the dashboard with HTTPS?

Kindly suggest where is the up-to-date and accurate documentation on how to use the K8S dashboard.

Environment

# kubectl version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.0", GitCommit:"925c127ec6b946659ad0fd596fa959be43f0cc05", GitTreeState:"clean", BuildDate:"2017-12-15T21:07:38Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.0", GitCommit:"925c127ec6b946659ad0fd596fa959be43f0cc05", GitTreeState:"clean", BuildDate:"2017-12-15T20:55:30Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}

Answer 1

As no time to test the suggestion by Suresh, used below for now.

Get the kubernetes-dashboard service account token (given cluster-admin role).

$ kubectl get secret -n kube-system | grep kubernetes-dashboard
kubernetes-dashboard-token-42b78                 kubernetes.io/service-account-token   3         1h

$ kubectl describe secret kubernetes-dashboard-token-42b78 -n kube-system
Name:         kubernetes-dashboard-token-42b78
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=kubernetes-dashboard
              kubernetes.io/service-account.uid=36347792-ecdf-11e7-9ca8-06bb783bb15c

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:    <TOKEN>

Start SSH tunnel.

ssh -L localhost:8001:172.31.4.117:6443 centos@<K8SServer>

Use Chrome ModHeader extension to send the Bearer token.

Access the API server endpoint via SSH tunnel (local port 8001).

https://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy

Answer 2

As far as I know, You would not want to expose your k8s dashboard to external world Since It's a graphical way to get access to your k8s cluster that's why the service type of k8s-dashboard is clusterIP instead of LoadBalancer or NodePort( Minikube uses it).

Now If you want to access the dashboard without exposing it to the external world.There are 2 ways which you have described in the question.

• Kubectl proxy (It create HTTP proxy to kube-api Server)
• Kubectl port-forward (it create TCP proxy to k8s-dashboard pod)