Kubernetes

Kubernetes Dashboard: Tutorial, Best Practices & Alternatives

kubernetes dashboard

In this article, we will explore the Kubernetes (K8s) dashboard, explain what it is, and what it includes, before looking at how to install, access, and deploy it on your cluster. We will then look at how to deploy it using an ingress controller, fix common errors, and list some security best practices you’ll want to adhere to when setting it up. Lastly, we will take a look at a few common alternatives to the K8s dashboard and show where they add additional value. Let’s go!

  1. What is the Kubernetes Dashboard?
  2. Kubernetes Dashboard UI and basic operations
  3. How to install Kubernetes Dashboard
  4. How to access and deploy Kubernetes Dashboard
  5. How to deploy the Kubernetes Dashboard using Ingress Controller
  6. How to fix Kubernetes Dashboard Forbidden 403 error 
  7. Kubernetes Dashboard security best practices
  8. Kubernetes Dashboard alternatives 

What is the Kubernetes Dashboard?

The Kubernetess Dashboard is a web-based user interface (UI) that provides a graphical representation of various aspects of a Kubernetess cluster. The Dashboard serves as a visual tool to help users manage and monitor their K8s clusters and workloads running on them.

Is the Kubernetes Dashboard free?

The Kubernetes Dashboard itself is free and open source. It is part of the K8s project, which is maintained by the Cloud Native Computing Foundation (CNCF). As an open-source tool, the Kubernetes Dashboard is distributed under an open-source license, typically the Apache License 2.0. You can find the source code, documentation, and instructions for installation on the official GitHub repository here.

Kubernetes Dashboard UI and basic operations

install kubernetes dashboard

Image source

Key features of the K8s Dashboard include:

1) Cluster overview

  • Displays an overview of the entire Kubernetess cluster, including the number of nodes, namespaces, pods, and services.
  • Provides a high-level summary of the cluster’s health and status.

2) Resource monitoring

  • Monitors resource utilization for nodes, pods, and containers.
  • Displays CPU and memory usage metrics to help with resource management and optimization.

3) Deployment management

  • Allows users to create, update, and manage Kubernetes deployments.
  • Supports scaling applications up or down based on demand.
  • Facilitates the management of rolling updates for application deployments.

4) Pod management

  • Provides tools for managing individual pods within the cluster.
  • Displays information about pod status, resource usage, and associated containers.

5) Service discovery

  • Allows users to explore and manage services within the cluster.
  • Provides details about service endpoints, external IP addresses, and load balancers.

6) Log viewing

  • Enables users to view logs generated by containers within pods.
  • Supports troubleshooting and debugging by providing easy access to container logs.

7) Node details

  • Offers detailed information about individual nodes in the cluster.
  • Includes hardware specifications, capacity, and resource usage for each node.

8) Event viewer

  • Displays events and notifications related to the Kubernetes cluster.
  • Helps users track changes, errors, and other important events.

9) Namespace support

  • Supports the concept of namespaces, allowing users to view and manage resources within specific namespaces.

10) User authentication and RBAC

  • Integrates with Kubernetes RBAC to provide role-based access control.
  • Supports authentication mechanisms to ensure secure access to the Dashboard.

11) Custom Resource Definitions (CRD) support:

12) Multi-cluster support

  • Allows users to manage multiple K8s clusters from a single Dashboard instance.

How to install Kubernetes Dashboard

The KubernetesS Dashboard is not deployed by default. You will need to install/deploy it before you can access the UI.

First, you will need access to your cluster and have the kubectl command line tool installed. Run the following command to install it using a manifest.

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml

kubectl will output a list of the created resources.

kubernetes dashboard github

Alternatively, if you have Helm installed on your cluster, you can install the dashboard using that. Note the following advice from artifacthub.io:

Starting from the release v7 for the Helm chart and v3 for the Kubernetes Dashboard, underlying architecture has changed, and it requires a clean installation. Please remove previous installation first.

Kubernetes Dashboard now uses cert-manager and nginx-ingress-controller by default to work properly. They will be automatically installed with the Helm chart. In case you already have them installed, simply set --set=nginx.enabled=false and --set=cert-manager.enabled=false when installing the chart to disable installation of those dependencies. If you want to use different software in addition to disabling nginx and cert-manager you also need to set --set=app.ingress.enabled=false to make sure our default Ingress resource will not be installed.

To install the Chart with the Release name kubernetes-dashboard:

helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
helm upgrade --install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --create-namespace --namespace kubernetes-dashboard

To uninstall using Helm:

helm delete kubernetes-dashboard --namespace kubernetes-dashboard

How to access and deploy Kubernetes Dashboard

Once you have deployed the dashboard using the steps above, you will now need to create a service account you can use to access the dashboard.

In this example we will create one with name dashboard-user in namespace kubernetes-dashboard. We will then generate a bearer token for the user so we can use it to log on to the dashboard.

1. Create the service account

Create a file named dashboard-user.yaml with the following contents:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-user
  namespace: kubernetes-dashboard

Apply the user:

kubectl apply -f dashboard-adminuser.yaml
kubernetes dashboard ingress

Create another file called dashboard-clusterrolebinding.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: dashboard-user
  namespace: kubernetes-dashboard

Apply the clusterrolebinding:

kubectl apply -f dashboard-clusterrolebinding.yaml
kubernetes dashboard alternatives

Retrieve the bearer token and copy the output for later use.

kubectl get secret $(kubectl get serviceaccount dashboard-user -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode

2. Start the dashboard

Next, start the dashboard for testing on your local machine using the proxy command:

kubectl proxy
dashboard kubernetes

Which will make the K8s Dashboard available:

http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/.

3. Access the Kubernetes Dashboard

On first access, you will be greeted with the choice between Token and Kubeconfig authentication methods. Choose Token and enter the Bearer token you copied earlier.

best kubernetes dashboard

You will then be logged in as admin, and you can start exploring the dashboard.

deploy kubernetes dashboard

Once you have finished testing, you can remove the ServiceAccount and ClusterRoleBinding.

kubectl -n kubernetes-dashboard delete serviceaccount dashboard-user
kubectl -n kubernetes-dashboard delete clusterrolebinding dashboard-user

4. Stop the dashboard

To stop the dashboard, you can delete the deployment you used to create it in the first place, using kubectl:

kubectl delete -f <path/to/kubernetes-dashboard-manifests>

5. Allow access with read-only user

Note that the steps above grant admin privileges to the dashboard-user account. If you want to allow access with a read-only user instead, you will need to create a read-only role, and rolebinding to apply to the serviceaccount.

First, create the read-only role yaml file and apply it to the cluster:

dashboard-read-only-role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: kubernetes-dashboard
  name: dashboard-read-only-role
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "secrets", "deployments", "replicasets", "pods/log"]
  verbs: ["get", "list", "watch"]
kubectl apply -f dashboard-read-only-role.yaml

Create a service account and apply it:

dashboard-read-only-sa.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-read-only-sa
kubectl apply -f dashboard-read-only-sa.yaml

Lastly, bind the role to the service account, apply it, and get the bearer token for login:

dashboard-read-only-role-binding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dashboard-read-only-role-binding
  namespace: kubernetes-dashboard
subjects:
- kind: ServiceAccount
  name: dashboard-read-only-sa
  apiGroup: ""
roleRef:
  kind: Role
  name: dashboard-read-only-role
  apiGroup: ""
kubectl apply -f dashboard-read-only-role-binding.yaml
kubectl get secret $(kubectl get serviceaccount dashboard-read-only-sa -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode

Adjust the RBAC rules in the dashboard-read-only-role.yaml file if you need to customize the permissions further.

How to deploy the Kubernetes Dashboard using ingress controller

In this example, we deploy the popular ingress controller NGINX and then the K8s Dashboard.

The easiest way to install NGINX:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/cloud/deploy.yaml

You can check out the other installation methods available on the official documentation pages and tweak the settings as necessary.

Next, create a YAML file and deploy the dashboard:

kubernetes-dashboard.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kubernetes-dashboard
  template:
    metadata:
      labels:
        app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: kubernetesui/dashboard:v2.0.5
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
  - port: 80
    targetPort: 80
  selector:
    app: kubernetes-dashboard

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
  rules:
  - host: dashboard.test.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 80
kubectl apply -f kubernetes-dashboard.yaml

If you have DNS setup, you should then be able to access the dashboard on the URL set in the host field. e.g. http://dashboard.test.com.

How to fix Kubernetes Dashboard Forbidden 403 error

A “Forbidden 403” error in the Kubernetes Dashboard typically indicates that the user or service account trying to access the dashboard doesn’t have the necessary permissions. If you’re seeing this error, you can likely get to the login screen, which suggests your ingress, networking, and dashboard deployment are working correctly, but the login to the dashboard is the issue.

Check the RBAC permissions applied to the account you are using to log in. Ensure the service account is assigned an appropriate role and rolebinding as per the steps above and that the token you are using to log in is correctly copied. You could always create a new one using the steps below to test with:

kubectl create serviceaccount dashboard-admin-sa
kubectl create clusterrolebinding dashboard-admin-sa --clusterrole=cluster-admin --serviceaccount=default:dashboard-admin-sa
kubectl get secret $(kubectl get serviceaccount dashboard-admin-sa -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode

Kubernetes Dashboard security best practices

The Dashboard supports integration with K8s RBAC (Role-Based Access Control), allowing administrators to define roles and permissions for different users and teams accessing the Dashboard.

The default Dashboard deployment contains a minimal set of RBAC privileges needed to run. Proper access controls and authentication mechanisms should be configured to ensure that only authorized users can access and interact with the Dashboard.

Other good practices include:

  1. Always use HTTPS to encrypt traffic between the client and the dashboard, using TLS certificates signed by a trusted certificate authority.
  2. Implement Kubernetes Network Policies to restrict traffic to and from the dashboard. Limit access to specific IP ranges and namespaces.
  3. Configure token expiration to reduce the risk of token misuse and regularly rotate tokens and credentials.
  4. Enable audit logging for the Kubernetes API server to track dashboard access and changes. Monitor logs for suspicious activities.
  5. Keep the K8s Dashboard version up to date to benefit from security patches and improvements. Regularly check for updates and apply them promptly.

Kubernetes Dashboard alternatives

There are many alternatives to the Kuberenetes Dashboard, all of which have various strengths and weaknesses but aim to build upon the functionality of the K8s dashboard. Some of the most popular include:

1. Lens

Lens is a Kubernetes IDE you can use to to monitor and manage your Kubernetes environments, designed to improve the productivity and efficiency of cluster operators and developers.

See the Kubernetes Lens tutorial.

kubernetes dashboard alternatives lens

Image source

2. Octant

Octant is an open-source web interface for Kubernetes that can be used to inspect a Kubernetes cluster and its applications.

kubernetes dashboard alternatives octant

Image source

3. Rancher

Rancher is a Kubernetes management platform centralizing Kubernetes access control, security, and operations when you’re working with multiple clusters. It can also be used with other orchestrators.

kubernetes dashboard alternatives rancher

Image source

4. Grafana + Prometheus

Combining Grafana and Prometheus offers a powerful monitoring and visualization solution for K8s clusters. Grafana provides customizable dashboards, while Prometheus handles metric collection and alerting.

kubernetes dashboard alternatives grafana

Key points

The Kubernetes dashboard is a powerful, freely available solution for visualizing and managing your K8s cluster from a web-based interface. It does not come with K8s ‘out-of-the-box’ and must be installed additionally. Be sure to follow security best practices and restrict RBAC permissions to the dashboard.

There are many popular alternatives available, so be sure to check them out to evaluate them for yourself and choose the right one for your requirements.

If you need any assistance with managing your Kubernetes projects, take a look at Spacelift. It brings with it a GitOps flow, so your Kubernetes Deployments are synced with your Kubernetes Stacks, and pull requests show you a preview of what they’re planning to change. It also has an extensive selection of policies, which lets you automate compliance checks and build complex multi-stack workflows. You can check it for free by creating a trial account or book a demo with one of our engineers.

Manage Kubernetes Easier and Faster

Spacelift allows you to automate, audit, secure, and continuously deliver your infrastructure. It helps overcome common state management issues and adds several must-have features for infrastructure management.

Start free trial

Kubernetes Commands Cheat Sheet

Grab our ultimate cheat sheet PDF

for all the kubectl commands you need.

k8s book
Share your data and download the cheat sheet