Kubernetes Dashboard Instalaation
The Kubernetes Dashboard is the official web-based user interface for Kubernetes clúster management. Esta guía cubre deploying the dashboard, creating admin users and servicio accounts, authenticating with tokens, implementing RBAC, and securing access via proxy or ingreso on your VPS and baremetal Kubernetes infrastructure.
Tabla de contenidos
- Dashboard Overview
- Instalaation Methods
- User Authentication
- RBAC Configuration
- Secure Access
- Dashboard Usage
- Practical Examples
- Conclusion
Dashboard Overview
What is Kubernetes Dashboard?
The Kubernetes Dashboard is:
- Official Kubernetes web UI
- Built-in management interface
- Container and pod management
- Resource monitoreo
- Logs and event viewing
Features
- Cluster overview
- Pod and implementación management
- Service and ingreso configuration
- Node and resource monitoreo
- Log viewing
- Resource creation via UI
Kubernetes Versions
Dashboard version compatibility varies. Latest versions support:
- Kubernetes 1.20+
- Recommended versions track closely with Kubernetes releases
Instalación Methods
Official Helm Chart Instalaation
# Add Helm repository
helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
helm repo update
# Install Dashboard
helm install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard \
-n kubernetes-dashboard \
--create-namespace
Manual kubectl Deployment
Instala from official manifest:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
Verifica Instalaation
# Check dashboard pods
kubectl get pods -n kubernetes-dashboard
# Check services
kubectl get svc -n kubernetes-dashboard
Custom Instalaation with Values
# dashboard-values.yaml
replicaCount: 2
image:
repository: kubernetesui/dashboard
tag: v2.7.0
pullPolicy: IfNotPresent
service:
type: ClusterIP
port: 443
targetPort: 8443
ingress:
enabled: true
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- dashboard.example.com
tls:
- secretName: dashboard-tls
hosts:
- dashboard.example.com
resources:
limits:
cpu: 200m
memory: 256Mi
requests:
cpu: 100m
memory: 128Mi
Instala with custom values:
helm install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard \
-n kubernetes-dashboard \
--create-namespace \
-f dashboard-values.yaml
User Authentication
Creating Admin User
Create servicio account for dashboard admin:
# Create service account
kubectl create serviceaccount dashboard-admin -n kubernetes-dashboard
# Create cluster role binding
kubectl create clusterrolebinding dashboard-admin \
--clusterrole=cluster-admin \
--serviceaccount=kubernetes-dashboard:dashboard-admin
Getting Access Token
# Get token for admin user
kubectl -n kubernetes-dashboard create token dashboard-admin
# Or for long-lived token (v1.20 and earlier):
kubectl -n kubernetes-dashboard get secret \
$(kubectl -n kubernetes-dashboard get secret | grep dashboard-admin-token | awk '{print $1}') \
-o jsonpath='{.data.token}' | base64 --decode
Creating Limited User
For read-only access:
# Create service account
kubectl create serviceaccount dashboard-viewer -n kubernetes-dashboard
# Create cluster role for view-only access
kubectl create clusterrole dashboard-viewer \
--verb=get,list,watch \
--resource=pods,services,deployments
# Bind role to service account
kubectl create clusterrolebinding dashboard-viewer \
--clusterrole=dashboard-viewer \
--serviceaccount=kubernetes-dashboard:dashboard-viewer
# Get token
kubectl -n kubernetes-dashboard create token dashboard-viewer
Namespace-Scoped Access
For access to specific espacio de nombres only:
# Create service account in specific namespace
kubectl create serviceaccount dashboard-user -n production
# Create role for the namespace
kubectl create role dashboard-user \
--verb=get,list,watch \
--resource=pods,services,deployments \
-n production
# Bind role to service account
kubectl create rolebinding dashboard-user \
--role=dashboard-user \
--serviceaccount=production:dashboard-user \
-n production
# Get token
kubectl -n production create token dashboard-user
Configuración de RBAC
Dashboard Admin Role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: dashboard-admin
rules:
- apiGroups: [""]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["apps"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["batch"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
resources: ["*"]
verbs: ["*"]
Bind role:
kubectl create clusterrolebinding dashboard-admin-binding \
--clusterrole=dashboard-admin \
--serviceaccount=kubernetes-dashboard:dashboard-admin
Read-Only Role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: dashboard-readonly
rules:
- apiGroups: [""]
resources:
- configmaps
- endpoints
- persistentvolumeclaims
- persistentvolumes
- pods
- replicationcontrollers
- replicationcontrollers/scale
- services
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources:
- daemonsets
- deployments
- deployments/scale
- replicasets
- replicasets/scale
- statefulsets
verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
resources:
- cronjobs
- jobs
verbs: ["get", "list", "watch"]
Secure Access
Port Forwarding
# Forward local port to dashboard
kubectl port-forward -n kubernetes-dashboard svc/kubernetes-dashboard 8443:443
# Access: https://localhost:8443
# Accept self-signed certificate warning
Kubectl Proxy
# Start proxy
kubectl proxy
# Access dashboard:
# http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
Ingress with TLS
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: dashboard
namespace: kubernetes-dashboard
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
spec:
ingressClassName: nginx
tls:
- hosts:
- dashboard.example.com
secretName: dashboard-tls
rules:
- host: dashboard.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kubernetes-dashboard
port:
number: 443
Apply ingreso:
kubectl apply -f ingress.yaml
OIDC Authentication
Configura OIDC for external authentication (requires additional setup):
# Requires Kubernetes API server configuration
# Add to kube-apiserver:
# - --oidc-issuer-url=https://auth.example.com
# - --oidc-client-id=kubernetes
# - --oidc-username-claim=email
# - --oidc-groups-claim=groups
Dashboard Usage
Accessing Dashboard
# Get accessible URL
kubectl port-forward -n kubernetes-dashboard svc/kubernetes-dashboard 8443:443 &
# Or via proxy
kubectl proxy &
echo "Dashboard URL:"
echo "https://localhost:8443"
echo "or"
echo "http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/"
Logging In
- Open dashboard URL
- Select "Token" authentication
- Paste token from kubectl command
- Click "Sign in"
Common Dashboard Tasks
View Cluster Overview:
- Cluster → Nodes: View node status and resources
- Cluster → Namespaces: View all espacio de nombress
Manage Workloads:
- Workloads → Pods: Create, view, delete pods
- Workloads → Deployments: Manage implementacións
- Workloads → StatefulSets: Manage stateful applications
- Workloads → Jobs: View batch jobs
Configura Storage:
- Storage → PersistentVolumes: View available volumens
- Storage → PersistentVolumeClaims: Crea unnd manage claims
- Storage → StorageClasses: View almacenamiento options
View Logs:
- Select pod → Logs tab
- Filter contenedors and date range
Practical Examples
Ejemplo: Production Dashboard Setup
---
# Service account for admin
apiVersion: v1
kind: ServiceAccount
metadata:
name: dashboard-admin
namespace: kubernetes-dashboard
---
# Admin role binding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dashboard-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: dashboard-admin
namespace: kubernetes-dashboard
---
# Viewer service account
apiVersion: v1
kind: ServiceAccount
metadata:
name: dashboard-viewer
namespace: kubernetes-dashboard
---
# Viewer role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: dashboard-viewer
rules:
- apiGroups: [""]
resources: ["pods", "nodes", "namespaces", "services"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["deployments", "statefulsets", "daemonsets"]
verbs: ["get", "list", "watch"]
---
# Bind viewer role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dashboard-viewer
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dashboard-viewer
subjects:
- kind: ServiceAccount
name: dashboard-viewer
namespace: kubernetes-dashboard
---
# Ingress for HTTPS access
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: dashboard
namespace: kubernetes-dashboard
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- dashboard.example.com
secretName: dashboard-tls
rules:
- host: dashboard.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kubernetes-dashboard
port:
number: 443
Ejemplo: Token Rotation Script
#!/bin/bash
NAMESPACE="kubernetes-dashboard"
SERVICE_ACCOUNT="dashboard-admin"
echo "=== Dashboard Admin Token ==="
kubectl -n $NAMESPACE create token $SERVICE_ACCOUNT
echo ""
echo "=== Token Valid For ==="
kubectl -n $NAMESPACE describe token $SERVICE_ACCOUNT 2>/dev/null || echo "Use: kubectl -n $NAMESPACE create token $SERVICE_ACCOUNT"
echo ""
echo "=== Access Dashboard ==="
echo "1. Port forward: kubectl port-forward -n kubernetes-dashboard svc/kubernetes-dashboard 8443:443"
echo "2. Access: https://localhost:8443"
echo "3. Paste token above in authentication dialog"
Conclusión
The Kubernetes Dashboard provides an accessible web interface for managing Kubernetes clústers. By properly securing it with RBAC, using strong authentication, and deploying it behind TLS-encrypted ingreso, you create a user-friendly management interface for your VPS and baremetal infrastructure. Start with admin access for setup and testing, then create role-based accounts for team members. Combine dashboard access with kubectl-based automation for a complete Kubernetes management strategy. Remember that dashboard access should be carefully controlled and monitored for production environments.