In this article, we will explore the Kubernetes (K8s) dashboard, explain what it is, and what it includes, before looking at how to install, access, and deploy it on your cluster. We will then look at how to deploy it using an ingress controller, fix common errors, and list some security best practices you’ll want to adhere to when setting it up. Lastly, we will take a look at a few common alternatives to the K8s dashboard and show where they add additional value. Let’s go!
- What is the Kubernetes Dashboard?
- Kubernetes Dashboard UI and basic operations
- How to install Kubernetes Dashboard
- How to access and deploy Kubernetes Dashboard
- How to deploy the Kubernetes Dashboard using Ingress Controller
- How to fix Kubernetes Dashboard Forbidden 403 error
- Kubernetes Dashboard security best practices
- Kubernetes Dashboard alternatives
The Kubernetes Dashboard is a web-based user interface (UI) that provides a graphical representation of various aspects of a Kubernetes cluster. The Dashboard serves as a visual tool to help users manage and monitor their K8s clusters and the workloads running on them.
Is the Kubernetes Dashboard free?
The Kubernetes Dashboard itself is free and open source. It is part of the K8s project, which is maintained by the Cloud Native Computing Foundation (CNCF). As an open-source tool, the Kubernetes Dashboard is distributed under an open-source license, typically the Apache License 2.0. You can find the source code, documentation, and instructions for installation in the official GitHub repository.
Key features of the K8s Dashboard include:
1) Cluster overview
- Displays an overview of the entire Kubernetes cluster, including the number of nodes, namespaces, pods, and services.
- Provides a high-level summary of the cluster’s health and status.
2) Resource monitoring
- Monitors resource utilization for nodes, pods, and containers.
- Displays CPU and memory usage metrics to help with resource management and optimization.
3) Deployment management
- Allows users to create, update, and manage Kubernetes deployments.
- Supports scaling applications up or down based on demand.
- Facilitates the management of rolling updates for application deployments.
4) Pod management
- Provides tools for managing individual pods within the cluster.
- Displays information about pod status, resource usage, and associated containers.
5) Service discovery
- Allows users to explore and manage services within the cluster.
- Provides details about service endpoints, external IP addresses, and load balancers.
6) Log viewing
- Enables users to view logs generated by containers within pods.
- Supports troubleshooting and debugging by providing easy access to container logs.
7) Node details
- Offers detailed information about individual nodes in the cluster.
- Includes hardware specifications, capacity, and resource usage for each node.
8) Event viewer
- Displays events and notifications related to the Kubernetes cluster.
- Helps users track changes, errors, and other important events.
9) Namespace support
- Supports the concept of namespaces, allowing users to view and manage resources within specific namespaces.
10) User authentication and RBAC
- Integrates with Kubernetes RBAC to provide role-based access control.
- Supports authentication mechanisms to ensure secure access to the Dashboard.
11) Custom Resource Definitions (CRD) support
- Supports the display and management of custom resources defined within the Kubernetes cluster.
12) Multi-cluster support
- Allows users to manage multiple K8s clusters from a single Dashboard instance.
The Kubernetes Dashboard is not deployed by default. You will need to install/deploy it before you can access the UI.
First, you will need access to your cluster and have the `kubectl` command line tool installed. Run the following command to install it using a manifest.
```bash
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
```
`kubectl` will output a list of the created resources.
Alternatively, if you have Helm installed on your cluster, you can install the dashboard using that. Note the following advice from artifacthub.io:
> Starting from the release `v7` for the Helm chart and `v3` for the Kubernetes Dashboard, underlying architecture has changed, and it requires a clean installation. Please remove previous installation first.
>
> Kubernetes Dashboard now uses `cert-manager` and `nginx-ingress-controller` by default to work properly. They will be automatically installed with the Helm chart. In case you already have them installed, simply set `--set=nginx.enabled=false` and `--set=cert-manager.enabled=false` when installing the chart to disable installation of those dependencies. If you want to use different software in addition to disabling `nginx` and `cert-manager` you also need to set `--set=app.ingress.enabled=false` to make sure our default `Ingress` resource will not be installed.
To install the chart with the release name `kubernetes-dashboard`:
```bash
helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
helm upgrade --install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --create-namespace --namespace kubernetes-dashboard
```
To uninstall using Helm:
```bash
helm delete kubernetes-dashboard --namespace kubernetes-dashboard
```
Once you have deployed the dashboard using the steps above, you will now need to create a service account you can use to access the dashboard.
In this example, we will create one named `dashboard-user` in the namespace `kubernetes-dashboard`. We will then generate a bearer token for the user so we can use it to log on to the dashboard.
1. Create the service account
Create a file named dashboard-user.yaml with the following contents:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-user
  namespace: kubernetes-dashboard
```
Apply the user:
```bash
kubectl apply -f dashboard-user.yaml
```
Create another file called dashboard-clusterrolebinding.yaml:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # cluster-admin gives whoever holds this account's token full control of the cluster
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: dashboard-user
    namespace: kubernetes-dashboard
```
Apply the clusterrolebinding:
```bash
kubectl apply -f dashboard-clusterrolebinding.yaml
```
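Retrieve the bearer token and copy the output for later use.
```bash
# Kubernetes 1.24+ no longer auto-creates a token Secret per service account, so this lookup is empty there; use `kubectl -n kubernetes-dashboard create token dashboard-user` instead.
kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get serviceaccount dashboard-user -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode
```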
2. Start the dashboard
Next, start the dashboard for testing on your local machine using the `proxy` command:
```bash
kubectl proxy
```
Which will make the K8s Dashboard available:
3. Access the Kubernetes Dashboard
On first access, you will be greeted with the choice between Token and Kubeconfig authentication methods. Choose Token and enter the Bearer token you copied earlier.
You will then be logged in as admin, and you can start exploring the dashboard.
Once you have finished testing, you can remove the `ServiceAccount` and `ClusterRoleBinding`.
```bash
kubectl -n kubernetes-dashboard delete serviceaccount dashboard-user
kubectl -n kubernetes-dashboard delete clusterrolebinding dashboard-user
```
4. Stop the dashboard
To stop the dashboard, you can delete the deployment you used to create it in the first place, using `kubectl`:
```bash
kubectl delete -f <path/to/kubernetes-dashboard-manifests>
```
5. Allow access with read-only user
Note that the steps above grant admin privileges to the dashboard-user account. If you want to allow access with a read-only user instead, you will need to create a read-only role and a `rolebinding` to apply to the `serviceaccount`.
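First, create the read-only role yaml file and apply it to the cluster:
dashboard-read-only-role.yaml
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: kubernetes-dashboard
  name: dashboard-read-only-role
rules:
  # Core ("") API group. Read access to "secrets" exposes every Secret in this
  # namespace to the dashboard user; drop it unless that is intended.
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps", "secrets", "pods/log"]
    verbs: ["get", "list", "watch"]
  # Deployments and ReplicaSets live in the "apps" group, not the core group.
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
```
```bash
kubectl apply -f dashboard-read-only-role.yaml
```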
Create a service account and apply it:
dashboard-read-only-sa.yaml
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-read-only-sa
  namespace: kubernetes-dashboard
```
```bash
kubectl apply -f dashboard-read-only-sa.yaml
```
Lastly, bind the role to the service account, apply it, and get the bearer token for login:
dashboard-read-only-role-binding.yaml
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dashboard-read-only-role-binding
  namespace: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: dashboard-read-only-sa
    namespace: kubernetes-dashboard  # required for ServiceAccount subjects
    apiGroup: ""
roleRef:
  kind: Role
  name: dashboard-read-only-role
  apiGroup: rbac.authorization.k8s.io  # roleRef must name the RBAC API group
```
```bash
kubectl apply -f dashboard-read-only-role-binding.yaml
kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get serviceaccount dashboard-read-only-sa -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode
```
Adjust the RBAC rules in the `dashboard-read-only-role.yaml` file if you need to customize the permissions further.
In this example, we deploy the popular ingress controller NGINX and then the K8s Dashboard.
The easiest way to install NGINX:
```bash
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/cloud/deploy.yaml
```
You can check out the other installation methods available on the official documentation pages and tweak the settings as necessary.
Next, create a YAML file and deploy the dashboard:
kubernetes-dashboard.yaml
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kubernetes-dashboard
  template:
    metadata:
      labels:
        app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.0.5
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 80
      targetPort: 80
  selector:
    app: kubernetes-dashboard
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    # Plain HTTP to the backend: acceptable for a test only, see the HTTPS advice below
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
  # IngressClass created by the ingress-nginx manifest applied above
  ingressClassName: nginx
  rules:
    - host: dashboard.test.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 80
```
```bash
kubectl apply -f kubernetes-dashboard.yaml
```
If you have DNS set up, you should then be able to access the dashboard on the URL set in the host field, e.g. http://dashboard.test.com.
A “Forbidden 403” error in the Kubernetes Dashboard typically indicates that the user or service account trying to access the dashboard doesn’t have the necessary permissions. If you’re seeing this error, you can likely get to the login screen, which suggests your ingress, networking, and dashboard deployment are working correctly, but the login to the dashboard is the issue.
Check the RBAC permissions applied to the account you are using to log in. Ensure the service account is assigned an appropriate role and rolebinding as per the steps above and that the token you are using to log in is correctly copied. You could always create a new one using the steps below to test with:
```bash
kubectl create serviceaccount dashboard-admin-sa
kubectl create clusterrolebinding dashboard-admin-sa --clusterrole=cluster-admin --serviceaccount=default:dashboard-admin-sa
kubectl get secret $(kubectl get serviceaccount dashboard-admin-sa -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode
```
The Dashboard supports integration with K8s RBAC (Role-Based Access Control), allowing administrators to define roles and permissions for different users and teams accessing the Dashboard.
The default Dashboard deployment contains a minimal set of RBAC privileges needed to run. Proper access controls and authentication mechanisms should be configured to ensure that only authorized users can access and interact with the Dashboard.
Other good practices include:
- Always use HTTPS to encrypt traffic between the client and the dashboard, using TLS certificates signed by a trusted certificate authority.
- Implement Kubernetes Network Policies to restrict traffic to and from the dashboard. Limit access to specific IP ranges and namespaces.
- Configure token expiration to reduce the risk of token misuse and regularly rotate tokens and credentials.
- Enable audit logging for the Kubernetes API server to track dashboard access and changes. Monitor logs for suspicious activities.
- Keep the K8s Dashboard version up to date to benefit from security patches and improvements. Regularly check for updates and apply them promptly.
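A check for the RBAC advice above, covering both the `cluster-admin` binding created for `dashboard-user` and the read-only role, written as an added example (not code from the original article or the Dashboard project): it scans a JSON dump of roles and bindings for service accounts that hold `cluster-admin` or can read Secrets. The embedded sample is constructed, and the function names `reads_secrets` and `audit` are hypothetical.

```python
import json

# Constructed sample in the shape of `kubectl get clusterrolebindings,rolebindings,roles
# -A -o json`, trimmed to the objects this article creates.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "dashboard-user"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "dashboard-user",
                "namespace": "kubernetes-dashboard"}]},
 {"kind": "Role", "metadata": {"name": "dashboard-read-only-role",
                               "namespace": "kubernetes-dashboard"},
  "rules": [{"apiGroups": [""], "resources": ["pods", "secrets", "pods/log"],
             "verbs": ["get", "list", "watch"]}]},
 {"kind": "RoleBinding", "metadata": {"name": "dashboard-read-only-role-binding",
                                      "namespace": "kubernetes-dashboard"},
  "roleRef": {"kind": "Role", "name": "dashboard-read-only-role"},
  "subjects": [{"kind": "ServiceAccount", "name": "dashboard-read-only-sa",
                "namespace": "kubernetes-dashboard"}]}
]}
""")

def reads_secrets(rule):
    """True if one RBAC rule lets its subject read core-group Secrets."""
    return (bool({"", "*"} & set(rule.get("apiGroups", [])))
            and bool({"secrets", "*"} & set(rule.get("resources", [])))
            and bool({"get", "list", "watch", "*"} & set(rule.get("verbs", []))))

def audit(objs):
    """Return (service account, finding, scope) tuples for risky dashboard logins."""
    items = objs["items"]
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]):
             o.get("rules") or [] for o in items if o["kind"] in ("Role", "ClusterRole")}
    findings = []
    for b in items:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref, ns = b["roleRef"], b["metadata"].get("namespace")
        scope = ns or "cluster-wide"  # a ClusterRoleBinding has no namespace
        rules = roles.get((ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"]), [])
        for s in b.get("subjects") or []:
            if s["kind"] != "ServiceAccount":
                continue
            sa = f'{s.get("namespace")}/{s["name"]}'
            if (ref["kind"], ref["name"]) == ("ClusterRole", "cluster-admin"):
                findings.append((sa, "cluster-admin", scope))
            if any(reads_secrets(r) for r in rules):
                findings.append((sa, "reads-secrets", scope))
    return findings
```

Calling `audit(SAMPLE)` reports `dashboard-user` as cluster-wide `cluster-admin` and `dashboard-read-only-sa` as able to read Secrets in `kubernetes-dashboard`; on a live cluster, feed it the parsed output of the `kubectl` command named in the comment, with `clusterroles` added to the resource list.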
There are many alternatives to the Kubernetes Dashboard, all of which have various strengths and weaknesses but aim to build upon the functionality of the K8s dashboard. Some of the most popular include:
1. Lens
Lens is a Kubernetes IDE you can use to monitor and manage your Kubernetes environments, designed to improve the productivity and efficiency of cluster operators and developers.
See the Kubernetes Lens tutorial.
2. Octant
Octant is an open-source web interface for Kubernetes that can be used to inspect a Kubernetes cluster and its applications.
3. Rancher
Rancher is a Kubernetes management platform centralizing Kubernetes access control, security, and operations when you’re working with multiple clusters. It can also be used with other orchestrators.
4. Grafana + Prometheus
Combining Grafana and Prometheus offers a powerful monitoring and visualization solution for K8s clusters. Grafana provides customizable dashboards, while Prometheus handles metric collection and alerting.
The Kubernetes dashboard is a powerful, freely available solution for visualizing and managing your K8s cluster from a web-based interface. It does not come with K8s ‘out-of-the-box’ and must be installed additionally. Be sure to follow security best practices and restrict RBAC permissions to the dashboard.
There are many popular alternatives available, so be sure to check them out to evaluate them for yourself and choose the right one for your requirements.
If you need any assistance with managing your Kubernetes projects, take a look at Spacelift. It brings with it a GitOps flow, so your Kubernetes Deployments are synced with your Kubernetes Stacks, and pull requests show you a preview of what they’re planning to change. It also has an extensive selection of policies, which lets you automate compliance checks and build complex multi-stack workflows. You can check it for free by creating a trial account or book a demo with one of our engineers.