Introduction

Imagine a tool that allows you to see, manage, and visualize various aspects of your Kubernetes clusters through an intuitive graphical interface, instead of complex commands. The Kubernetes Dashboard does exactly that, simplifying the process of deploying, scaling, and managing containerized applications. It offers a friendly web interface where you can view logs, metrics, and error reports in one place, as well as perform rolling updates, scale Pods, and manage services and resources with ease. Being a free and open-source solution maintained by the Cloud Native Computing Foundation, the Kubernetes Dashboard is an essential resource for administrators who want to maximize the efficiency and visibility of their clusters.

Installation

The Kubernetes Dashboard currently only supports Helm-based installation, as it is faster and gives us better control over all the dependencies required for the Dashboard to work. The Chart recently underwent a redesign; now, by default, Kong (without a database) is used as a gateway that connects all our containers and exposes the user interface. Users can then use any ingress controller or proxy in front of the Kong gateway.

# Add the kubernetes-dashboard repository

helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/

# Deploy the Helm Chart

helm upgrade --install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --create-namespace --namespace kubernetes-dashboard --version 7.5.0

It is worth noting that the basic installation does not create the necessary objects for full cluster control (RBAC). Additionally, we need to follow these steps:

Creating the Service Account

We will create the Service Account with the name admin-user in the same installation namespace of the Chart:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard

Creating the ClusterRoleBinding

The default Kubernetes installation always features a ClusterRole named cluster-admin. We will use it as a reference object to grant permissions to the newly created Service Account. Thus, simply create the ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard

Creating the Authentication Token:

I will show two ways to create this Token. The first creates an ephemeral Token, valid for one hour. The second creates a Token with no expiration date.

To create the ephemeral Token, we will use the following command:

kubectl -n kubernetes-dashboard create token admin-user

To create the permanent Token, we will need to create a secret:

apiVersion: v1
kind: Secret
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/service-account.name: "admin-user"   
type: kubernetes.io/service-account-token

After creation, collect the generated token with the following command:

kubectl get secret admin-user -n kubernetes-dashboard -o jsonpath={".data.token"} | base64 -d

Be careful when storing or passing on this Token, since it grants full permission on the cluster. If you want to restrict access, simply use another ClusterRole with reduced permissions.

Access

Once all the previous steps are followed, simply run the port-forward command for the service named kubernetes-dashboard-kong-proxy:

kubectl port-forward -n kubernetes-dashboard svc/kubernetes-dashboard-kong-proxy 8080:443

And, finally, access the following local address in your browser:

https://localhost:8080/

If you use the nginx ingress controller in your cluster, you can configure the ingress object via the Helm Chart values.

Best Practices

Like any application installed on a cluster, it is always important to follow best practices to ensure stability, resilience, and security.

• Always use HTTPS to encrypt traffic between the client and the Dashboard, using TLS certificates signed by a trusted certificate authority.

• Implement Kubernetes Network Policies to restrict traffic to and from the Dashboard.

• Configure token expiration to reduce the risk of token misuse and regularly rotate tokens and credentials.

• Enable audit logging for the Kubernetes API server to track access to the Dashboard and changes. Monitor logs for suspicious activity.

• Keep the K8s Dashboard version updated to take advantage of security patches and improvements. Regularly check for updates and apply them promptly.

• Collect basic and custom metrics through Prometheus's Service Monitor object (included in the Helm Chart) to monitor the application.

Conclusion

The Kubernetes Dashboard is a powerful and free solution for visualizing and managing your K8s cluster from a web-based interface. It does not come "out of the box" with K8s and must be installed additionally. Make sure to follow best security practices and restrict RBAC permissions to the dashboard.

For those who prefer, I also recorded a video of this step-by-step process that you can check out here:

There are many popular alternatives available, so be sure to check them out to evaluate and choose the right one for your needs.

Don't forget to follow our blog, we are always sharing interesting content, and also listen to Kubicast, the podcast that brings knowledge in a different format.