I have got the following services:
ubuntu@master:~$ kubectl get services --all-namespaces
NAMESPACE NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default kubernetes 100.64.0.1 <none> 443/TCP 48m
kube-system kube-dns 100.64.0.10 <none> 53/UDP,53/TCP 47m
kube-system kubernetes-dashboard 100.70.83.136 <nodes> 80/TCP 47mI am attempting to access kubernetes dashboard. The following response seems reasonable, taking into account curl is not a browser.
ubuntu@master:~$ curl 100.70.83.136
<!doctype html> <html ng-app="kubernetesDashboard"> <head> <meta charset="utf-8"> <title>Kubernetes Dashboard</title> <link rel="icon" type="image/png" href="assets/images/kubernetes-logo.png"> <meta name="viewport" content="width=device-width"> <link rel="stylesheet" href="static/vendor.36bb79bb.css"> <link rel="stylesheet" href="static/app.d2318302.css"> </head> <body> <!--[if lt IE 10]>
<p class="browsehappy">You are using an <strong>outdated</strong> browser.
Please <a href="http://browsehappy.com/">upgrade your browser</a> to improve your
experience.</p>
<![endif]--> <kd-chrome layout="column" layout-fill> </kd-chrome> <script src="static/vendor.633c6c7a.js"></script> <script src="api/appConfig.json"></script> <script src="static/app.9ed974b1.js"></script> </body> </html> According to the documentation the right access point is https://localhost/ui. So, I am trying it and receive a bit worrying result. Is it expected response?
ubuntu@master:~$ curl https://localhost/ui
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Trying the same without certificate validation. For curl it might be OK. but I have got the same in a browser, which is connecting though port forwarding via vagrant forwarded_port option.
ubuntu@master:~$ curl -k https://localhost/ui
Unauthorized
What I am doing wrong? and how to make sure I can access the UI? Currently it responds with Unauthorized.
The docs for the dashboard tell the password is in the configuration:
ubuntu@master:~$ kubectl config view
apiVersion: v1
clusters: []
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
but it seems I have got nothing... Is it expected behavior? How can I authorize with the UI?
Just add a little clarity to the above response,
Change type: ClusterIP to type: NodePort and save file.
Dashboard has been exposed on port 31707 (HTTPS). Now you can access it from your browser at: https://master-ip:31707.
Note: The port mentioned could be difference in your case, just run the below kubectl command to get the port from master.
kubectl -n kube-system get service kubernetes-dashboard
The offical wiki is a little bit confusing so I reordered it here:
If you use the recommended yaml to deploy the dashboard, you should only access your dashboard by https, and you should generate your certs, refer to guide. Then you can run kubectl proxy --address='0.0.0.0' --accept-hosts='^*#x27; to visit the dashboard on "http://localhost:8001/ui". This page needs to use a token to login. To generate it, refer to this page. Also you can add NodePort to your yaml and access it using <nodeip>:<port>.
If you deploy using the http alternative method, you can only access your dashboard by nodeip:port. Remember to add it to yaml first!! After deployment, you should also generate your token and add header Authorization: Bearer <token> for every request.
I think this can help you and others who want to use kube-dashboard.
You can reference the document:
https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
The easy way is to
$ kubectl -n kube-system edit service kubernetes-dashboard
change the .spec.type to NodePort
You need to run kubectl proxy locally for accessing the dashboard outside the kubernetes cluster. This is because of the authentication mechanism. After running the below command you'll be able to view the dashboard at http://localhost/ui on your browser. The admin.conf file is the file on your kubernetes master at /etc/kubernetes/admin.conf You'll have to scp that file to the machine from which you want to access the dashboard and pass it to kubectl command.
kubectl --kubeconfig=./admin.conf proxy -p 80
The nodePort approach as mentioned by @user2363318 will be applicable if one of the following two conditions is valid:
You can reach by hitting the nodePort for the dashboard on the master
kubectl describe services kubernetes-dashboard --namespace=kube-system
NodePort: <unset> 30042/TCP