starlingx/docs
Code Issues Proposed changes
f9d1b4905d
docs/doc/source/security/kubernetes/install-the-kubernetes-dashboard.rst

131 lines
3.9 KiB
ReStructuredText
Raw Normal View History

Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com>
2020-08-31 11:01:56 -04:00
.. uxg1581955143110
.. _install-the-kubernetes-dashboard:
================================
Install the Kubernetes Dashboard
================================
You can optionally use the Kubernetes Dashboard web interface to perform
cluster management tasks.
.. rubric:: |context|
Kubernetes Dashboard allows you to perform common cluster management tasks
such as deployment, resource allocation, real-time and historic status
review, and troubleshooting.
.. rubric:: |prereq|
You must have **cluster-admin** |RBAC| privileges to install Kubernetes
Dashboard.
.. rubric:: |proc|
.. _install-the-kubernetes-dashboard-steps-azn-yyd-tkb:
#. Create a namespace for the Kubernetes Dashboard.
.. code-block:: none
~(keystone_admin)$ kubectl create namespace kubernetes-dashboard
#. Create a certificate for use by the Kubernetes Dashboard.
.. note::
This example uses a self-signed certificate. In a production
deployment, the use of a using a certificate signed by a trusted
Certificate Authority is strongly recommended.
#. Create a location to store the certificate.
.. code-block:: none
~(keystone_admin)$ cd /home/sysadmin
~(keystone_admin)$ mkdir -p /home/sysadmin/kube/dashboard/certs
#. Create the certificate.
.. code-block:: none
~(keystone_admin)$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /home/sysadmin/kube/dashboard/certs/dashboard.key -out /home/sysadmin/kube/dashboard/certs/dashboard.crt -subj "/CN=<FQDN>"
where:
**<FQDN>**
The fully qualified domain name for the |prod| cluster's OAM floating IP.
#. Create a kubernetes secret for holding the certificate and private key.
.. code-block:: none
~(keystone)admin)]$ kubectl -n kubernetes-dashboard create secret generic kubernetes-dashboard-certs --from-file=tls.crt=/home/sysadmin/kube/dashboard/certs/dashboard.crt --from-file=tls.key=/home/sysadmin/kube/dashboard/certs/dashboard.key
#. Configure the kubernetes-dashboard manifest:
#. Download the recommended.yaml file.
.. code-block:: none
~(keystone_admin)$ wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml
#. Edit the file.
Comment out the auto-generate-certificates argument and add the
tls-cert-file and tls-key-file arguments.
The updates should look like:
.. code-block:: none
...
args:
# - --auto-generate-certificates
- --namespace=kubernetes-dashboard
- --tls-cert-file=/tls.crt
- --tls-key-file=/tls.key
...
#. Apply the kubernetes dashboard recommended.yaml manifest.
.. code-block:: none
~(keystone_admin)$ kubectl apply -f recommended.yaml
#. Patch the kubernetes dashboard service to type=NodePort and port=30000.
.. code-block:: none
~(keystone_admin)$ kubectl patch service kubernetes-dashboard -n kubernetes-dashboard -p '{"spec":{"type":"NodePort","ports":[{"port":443, "nodePort":30000}]}}'
#. Test the Kubernetes Dashboard deployment.
The Kubernetes Dashboard is listening at port 30000 on the machine
defined above for |prod| cluster's OAM floating IP.
#. Access the dashboard at https://<fqdn>:30000
Because the certificate created earlier in this procedure was not
signed by a trusted |CA|, you will need to acknowledge an insecure
connection from the browser.
#. Select the **Kubeconfig** option for signing in to the Kubernetes
Dashboard. Note that typically your kubeconfig file on a remote host is
located at $HOME/.kube/config . You may have to copy it to somewhere
more accessible.
You are presented with the Kubernetes Dashboard for the current context
\(cluster, user and credentials\) specified in the kubeconfig file.
Copy Permalink