Execute the following steps on the master node.
1) Create certificate
    ubuntu@k8s-s1-master:~$ mkdir certs
    ubuntu@k8s-s1-master:~$ cd certs/
    ubuntu@k8s-s1-master:~/certs$ openssl genrsa -des3 -passout pass:x -out dashboard.pass.key 2048
    Generating RSA private key, 2048 bit long modulus
    ......+++
    ........................+++
    e is 65537 (0x10001)
    ubuntu@k8s-s1-master:~/certs$ ll
    total 12
    drwxrwxr-x 2 ubuntu ubuntu 4096 Feb 2 15:51 ./
    drwxr-xr-x 8 ubuntu ubuntu 4096 Feb 2 15:48 ../
    -rw-rw-r-- 1 ubuntu ubuntu 1751 Feb 2 15:51 dashboard.pass.key
    ubuntu@k8s-s1-master:~/certs$ openssl rsa -passin pass:x -in dashboard.pass.key -out dashboard.key
    writing RSA key
    ubuntu@k8s-s1-master:~/certs$ ll
    total 16
    drwxrwxr-x 2 ubuntu ubuntu 4096 Feb 2 15:51 ./
    drwxr-xr-x 8 ubuntu ubuntu 4096 Feb 2 15:48 ../
    -rw-rw-r-- 1 ubuntu ubuntu 1679 Feb 2 15:51 dashboard.key
    -rw-rw-r-- 1 ubuntu ubuntu 1751 Feb 2 15:51 dashboard.pass.key
    ubuntu@k8s-s1-master:~/certs$ rm dashboard.pass.key
    ubuntu@k8s-s1-master:~/certs$ openssl req -new -key dashboard.key -out dashboard.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CA
    State or Province Name (full name) [Some-State]:ONTARIO
    Locality Name (eg, city) []:OTTAWA
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:AMDOCS
    Organizational Unit Name (eg, section) []:R&D
    Common Name (e.g. server FQDN or YOUR name) []:REZA
    Email Address []:myname@amdocs.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    ubuntu@k8s-s1-master:~/certs$ ll
    total 16
    drwxrwxr-x 2 ubuntu ubuntu 4096 Feb 2 15:53 ./
    drwxr-xr-x 8 ubuntu ubuntu 4096 Feb 2 15:48 ../
    -rw-rw-r-- 1 ubuntu ubuntu 1037 Feb 2 15:53 dashboard.csr
    -rw-rw-r-- 1 ubuntu ubuntu 1679 Feb 2 15:51 dashboard.key
    ubuntu@k8s-s1-master:~/certs$ openssl x509 -req -sha256 -days 365 -in dashboard.csr -signkey dashboard.key -out dashboard.crt
    Signature ok
    subject=/C=CA/ST=ONTARIO/L=OTTAWA/O=AMDOCS/OU=R&D/CN=REZA/emailAddress=myname@amdocs.com
    Getting Private key
    ubuntu@k8s-s1-master:~/certs$ ll
    total 20
    drwxrwxr-x 2 ubuntu ubuntu 4096 Feb 2 15:53 ./
    drwxr-xr-x 8 ubuntu ubuntu 4096 Feb 2 15:48 ../
    -rw-rw-r-- 1 ubuntu ubuntu 1273 Feb 2 15:53 dashboard.crt
    -rw-rw-r-- 1 ubuntu ubuntu 1037 Feb 2 15:53 dashboard.csr
    -rw-rw-r-- 1 ubuntu ubuntu 1679 Feb 2 15:51 dashboard.key
    ubuntu@k8s-s5-master:~/certs$ kubectl create secret generic kubernetes-dashboard-certs --from-file=$HOME/certs -n kube-system
    secret "kubernetes-dashboard-certs" created
2) Install kubernetes dashboard service
    ubuntu@k8s-s1-master:~$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/alternative/kubernetes-dashboard.yaml
    serviceaccount "kubernetes-dashboard" created
    role "kubernetes-dashboard-minimal" created
    rolebinding "kubernetes-dashboard-minimal" created
    deployment "kubernetes-dashboard" created
    service "kubernetes-dashboard" created
3) Modify kubernetes dashboard service
    ubuntu@k8s-s5-master:~/certs$ kubectl -n kube-system get service kubernetes-dashboard
    NAME                   TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
    kubernetes-dashboard   ClusterIP   10.108.52.94   <none>        80/TCP    57s
    ubuntu@k8s-s1-master:~$ kubectl -n kube-system edit service kubernetes-dashboard
    # Change spec.type from ClusterIP to NodePort and save.
4) Check port on which Dashboard was exposed
    ubuntu@k8s-s1-master:~$ kubectl -n kube-system get service kubernetes-dashboard
    NAME                   TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
    kubernetes-dashboard   NodePort   10.108.52.94   <none>        80:30830/TCP   2h
    # Here it is 30830.
5) Navigate to UI via a browser
Use the master node IP address and the exposed port: http://<master-node-ip-address>:<exposed-port>
6) Grant full admin privileges to Dashboard Service Account
The browser does not ask for credentials to log in. The default user is "system:serviceaccount:kube-system:kubernetes-dashboard", which does not have access to the default namespace.
To fix this, create a new "ClusterRoleBinding" that grants privileges to the Dashboard Service Account. The binding below references the built-in cluster-admin ClusterRole, so it gives the service account full control over every namespace in the cluster, not only default.
Create the following YAML file and deploy it.
    # dashboard-admin.yaml
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRoleBinding
    metadata:
      name: kubernetes-dashboard
      labels:
        k8s-app: kubernetes-dashboard
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: kubernetes-dashboard
      namespace: kube-system

    ~$ kubectl create -f dashboard-admin.yaml
    clusterrolebinding "kubernetes-dashboard" created
7) Navigate to UI via a browser
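You can now access the Dashboard in the browser without any credentials. Combined with the cluster-admin binding from step 6, this means anyone who can reach the NodePort has full administrative access to the cluster.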
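
An added example (not part of the original page): a Python audit that reports Services reachable from outside the cluster whose pods run under a service account bound to cluster-admin, which is the combination steps 3 and 6 create. The sample objects are constructed from the names and port shown above, and the function name `exposed_admin_services` is hypothetical.

```python
import json

# Constructed sample, shaped like the "items" of `kubectl get ... -o json` (trimmed).
SAMPLE = json.loads("""{"items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "kubernetes-dashboard"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                "namespace": "kube-system"}]},
 {"kind": "Deployment",
  "metadata": {"name": "kubernetes-dashboard", "namespace": "kube-system"},
  "spec": {"template": {
    "metadata": {"labels": {"k8s-app": "kubernetes-dashboard"}},
    "spec": {"serviceAccountName": "kubernetes-dashboard"}}}},
 {"kind": "Service",
  "metadata": {"name": "kubernetes-dashboard", "namespace": "kube-system"},
  "spec": {"type": "NodePort", "selector": {"k8s-app": "kubernetes-dashboard"},
           "ports": [{"port": 80, "nodePort": 30830}]}},
 {"kind": "Service", "metadata": {"name": "kube-dns", "namespace": "kube-system"},
  "spec": {"type": "ClusterIP", "selector": {"k8s-app": "kube-dns"}, "ports": [{"port": 53}]}}
]}""")


def exposed_admin_services(items, role="cluster-admin"):
    """Find NodePort/LoadBalancer Services whose pods run as a `role` ServiceAccount."""
    def of_kind(kind):
        return [i for i in items if i["kind"] == kind]
    # ServiceAccounts that hold the role through a ClusterRoleBinding.
    admins = {(s.get("namespace"), s["name"])
              for b in of_kind("ClusterRoleBinding") if b["roleRef"]["name"] == role
              for s in b.get("subjects") or [] if s["kind"] == "ServiceAccount"}
    findings = []
    for svc in of_kind("Service"):
        spec, ns = svc["spec"], svc["metadata"]["namespace"]
        selector = spec.get("selector") or {}
        if spec.get("type") not in ("NodePort", "LoadBalancer") or not selector:
            continue
        for dep in of_kind("Deployment"):
            tmpl = dep["spec"]["template"]
            sa = tmpl["spec"].get("serviceAccountName", "default")
            labels = tmpl["metadata"].get("labels", {})
            # A Service selects pods in its own namespace that carry all its labels.
            if (dep["metadata"]["namespace"] == ns and (ns, sa) in admins
                    and selector.items() <= labels.items()):
                ports = [p["nodePort"] for p in spec["ports"] if "nodePort" in p]
                findings.append((ns, svc["metadata"]["name"], ports, sa))
    return findings

if __name__ == "__main__":
    print("externally exposed, runs as cluster-admin:", exposed_admin_services(SAMPLE["items"]))
```

The check covers only Deployments and ClusterRoleBindings; pods created by other controllers and namespace-scoped RoleBindings are outside what it inspects.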