kubernetes-dashboard¶
Kubernetes Dashboard is a general purpose, web-based UI for Kubernetes clusters. It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself.
TL;DR¶
# Add kubernetes-dashboard repository
helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
# Deploy a Helm Release named "my-release" using the kubernetes-dashboard chart
helm install kubernetes-dashboard/kubernetes-dashboard --name my-release
Introduction¶
This chart bootstraps a Kubernetes Dashboard deployment on a Kubernetes cluster using the Helm package manager.
Installing the Chart¶
To install the chart with the release name my-release:
helm repository add kubernetes-dashboard https://kubernetes.github.io/dashboard/
helm install kubernetes-dashboard/kubernetes-dashboard --name my-release
The command deploys kubernetes-dashboard on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.
Uninstalling the Chart¶
To uninstall/delete the my-release deployment:
helm delete my-release
The command removes all the Kubernetes components associated with the chart and deletes the release.
Upgrading an existing Release to a new major version¶
A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions.
Upgrade from 1.x.x to 2.x.x¶
Version 2.0.0 of this chart is the first version hosted in the kubernetes/dashboard.git repository. v1.x.x until 1.10.1 is hosted on https://github.com/helm/charts.
- This version upgrades to kubernetes-dashboard v2.0.0 along with changes in RBAC management: all secrets are explicitely created and ServiceAccount do not have permission to create any secret. On top of that, it completely removes the
clusterAdminRoleparameter, being too dangerous. In order to upgrade, please update your configuration to removeclusterAdminRoleparameter and uninstall/reinstall the chart. - It enables by default values for
podAnnotationsandsecurityContext, please disable them if you don't supoprt them - It removes
enableSkipLoginandenableInsecureLoginparameters. Please useextraEnvinstead. - It adds a
ProtocolHttpparameter, allowing you to switch the backend to plain HTTP and replaces the oldenableSkipLoginfor the network part. - If
protocolHttpis not set, it will automatically add to theIngress, if enabled, annotations to support HTTPS backends for nginx-ingress and GKE Ingresses. - It updates all the labels to the new recommended labels, most of them being immutable.
- dashboardContainerSecurityContext has been renamed to containerSecurityContext.
In order to upgrade, please update your configuration to remove clusterAdminRole parameter and adapt enableSkipLogin, enableInsecureLogin, podAnnotations and securityContext parameters, and uninstall/reinstall the chart.
Access control¶
It is critical for the Kubernetes cluster to correctly setup access control of Kubernetes Dashboard. See this guide for best practises.
It is highly recommended to use RBAC with minimal privileges needed for Dashboard to run.
Configuration¶
The following table lists the configurable parameters of the kubernetes-dashboard chart and their default values.
| Parameter | Description | Default |
|---|---|---|
image.repository |
Repository for container image | kubernetesui/dashboard |
image.tag |
Image tag | v2.0.1 |
image.pullPolicy |
Image pull policy | IfNotPresent |
image.pullSecrets |
Image pull secrets | [] |
replicaCount |
Number of replicas | 1 |
annotations |
Annotations for deployment | {} |
labels |
Labels for deployment | {} |
extraArgs |
Additional container arguments | [] |
extraEnv |
Additional container environment variables | [] |
podAnnotations |
Annotations to be added to pods | seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'} |
nodeSelector |
node labels for pod assignment | {} |
tolerations |
List of node taints to tolerate (requires Kubernetes >= 1.6) | [] |
affinity |
Affinity for pod assignment | [] |
priorityClassName |
Name of Priority Class to assign pods | nil |
resources |
Pod resource requests & limits | limits: {cpu: 2, memory: 100Mi}, requests: {cpu: 100m, memory: 100Mi} |
protocolHttp |
Serve application over HTTP without TLS | false |
service.type |
Service type | ClusterIP |
service.externalPort |
Dashboard external port | 443 |
service.loadBalancerSourceRanges |
list of IP CIDRs allowed access to load balancer (if supported) | nil |
ingress.annotations |
Specify ingress class | kubernetes.io/ingress.class: nginx |
ingress.labels |
Add custom labels | [] |
ingress.enabled |
Enable ingress controller resource | false |
ingress.paths |
Paths to match against incoming requests. Both / and /* are required to work on gce ingress. |
[/] |
ingress.hosts |
Dashboard Hostnames | nil |
ingress.tls |
Ingress TLS configuration | [] |
metricsScraper.enabled |
Wether to enable dashboard-metrics-scraper | false |
metricsScraper.image.repository |
Repository for metrics-scraper image | kubernetesui/metrics-scraper |
metricsScraper.image.tag |
Repository for metrics-scraper image tag | v1.0.4 |
metricsScraper.containerSecurityContext |
SecurityContext for the kubernetes dashboard metrics scraper container | {allowPrivilegeEscalation:false, readOnlyRootFilesystem: true, runAsUser: 1001, runAsGroup: 2001} |
metrics-server.enabled |
Wether to enable metrics-server | false |
rbac.create |
Create & use RBAC resources | true |
rbac.clusterRoleMetrics |
If set, an additional cluster role / role binding will be created to access metrics. | true |
rbac.clusterReadOnlyRole |
If set, an additional cluster role / role binding will be created with read only permissions to all resources listed inside. | false |
serviceAccount.create |
Whether a new service account name that the agent will use should be created. | true |
serviceAccount.name |
Service account to be used. If not set and serviceAccount.create is true a name is generated using the fullname template. |
|
livenessProbe.initialDelaySeconds |
Number of seconds to wait before sending first probe | 30 |
livenessProbe.timeoutSeconds |
Number of seconds to wait for probe response | 30 |
podDisruptionBudget.enabled |
Create a PodDisruptionBudget | false |
podDisruptionBudget.minAvailable |
Minimum available instances; ignored if there is no PodDisruptionBudget | |
podDisruptionBudget.maxUnavailable |
Maximum unavailable instances; ignored if there is no PodDisruptionBudget | |
securityContext |
PodSecurityContext for pod level securityContext | nil |
containerSecurityContext |
SecurityContext for the kubernetes dashboard container | {allowPrivilegeEscalation:false, readOnlyRootFilesystem: true, runAsUser: 1001, runAsGroup: 2001} |
networkPolicy.enabled |
Whether to create a network policy that allows access to the service | false |
Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,
helm install kubernetes-dashboard/kubernetes-dashboard --name my-release \
--set=service.externalPort=8080,resources.limits.cpu=200m
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
helm install kubernetes-dashboard/kubernetes-dashboard --name my-release -f values.yaml
Tip: You can use the default values.yaml, which is used by default, as reference
Using the dashboard with 'kubectl proxy'¶
When running 'kubectl proxy', the address localhost:8001/ui automatically expands to:
http://localhost:8001/api/v1/namespaces/my-namespace/services/https:kubernetes-dashboard:https/proxy/
For this to reach the dashboard, the name of the service must be 'kubernetes-dashboard', not any other value as set by Helm. You can manually specify this using the value 'fullnameOverride':
fullnameOverride: 'kubernetes-dashboard'