From db5f83f8c9eb81fc2a584e5158ba91c4324275c2 Mon Sep 17 00:00:00 2001 From: Joel Seguillon Date: Wed, 29 Apr 2020 16:20:25 +0200 Subject: [PATCH] update dashboard access doc for 2.0.x (#6036) * update dashboard access doc for 2.0.x * make metrics scrapper system-cluster-critical --- docs/getting-started.md | 27 ++++++++++++------- .../ansible/templates/dashboard.yml.j2 | 1 + 2 files changed, 19 insertions(+), 9 deletions(-) diff --git a/docs/getting-started.md b/docs/getting-started.md index 395dde827..8dd606710 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md @@ -93,20 +93,29 @@ the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-applicati ## Accessing Kubernetes Dashboard -As of kubernetes-dashboard v1.7.x: +Supported version is kubernetes-dashboard v2.0.x : -- New login options that use apiserver auth proxying of token/basic/kubeconfig by default -- Requires RBAC in authorization\_modes +- Login options are : token/kubeconfig by default, basic can be enabled with `kube_basic_auth: true` inventory variable - not recommended because this requires ABAC api-server which is not tested by kubespray team +- Deployed by default in "kube-system" namespace, can be overriden with `dashboard_namespace: kubernetes-dashboard` in inventory, - Only serves over https -- No longer available at until apiserver is updated with the https proxy URL -If the variable `dashboard_enabled` is set (default is true), then you can access the Kubernetes Dashboard at the following URL, You will be prompted for credentials: - +Access is described in [dashboard docs](https://github.com/kubernetes/dashboard/blob/master/docs/user/accessing-dashboard/1.7.x-and-above.md). With kubespray's default deployment in kube-system namespace, instead of kuberntes-dashboard : -Or you can run 'kubectl proxy' from your local machine to access dashboard in your browser from: - +- Proxy URL is +- kubectl commands must be run with "-n kube-system" -It is recommended to access dashboard from behind a gateway (like Ingress Controller) that enforces an authentication token. Details and other access options here: +Accessing through Ingress is highly recommended. For proxy access, please note that proxy must listen to [localhost](https://github.com/kubernetes/dashboard/issues/692#issuecomment-220492484) (`proxy --address="x.x.x.x"` will not work) + +For token authentication, guide to create Service Account is provided in [dashboard sample user](https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md) doc. Still take care of default namespace. + +Access can also by achieved via ssh tunnel on a master : + +```bash +# localhost:8081 will be sent to master-1's own localhost:8081 +ssh -L8001:localhost:8001 user@master-1 +sudo -i +kubectl proxy +``` ## Accessing Kubernetes API diff --git a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 index aafa87dcc..76729eecc 100644 --- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 @@ -282,6 +282,7 @@ spec: labels: k8s-app: kubernetes-metrics-scraper spec: + priorityClassName: system-cluster-critical containers: - name: kubernetes-metrics-scraper image: {{ dashboard_metrics_scraper_repo }}:{{ dashboard_metrics_scraper_tag }}