Kubernetes Dashboard Plugin

The Kubernetes Dashboard Plugin is a web-based user interface for managing and visualizing a Kubernetes cluster and its applications.^[04.dashboard插件及k8s实战交付.md] It allows users to deploy containerized applications, troubleshoot them, and manage the cluster itself without logging in to the master node and using the command line.^[04.dashboard插件及k8s实战交付.md]

Deployment and Architecture

The general workflow for deploying services like the Dashboard involves preparing container images, creating resource manifests, resolving domain names, and applying the configurations.^[04.dashboard插件及k8s实战交付.md]

The Dashboard is typically deployed within the kube-system namespace.^[04.dashboard插件及k8s实战交付.md] The resource manifests include:

  • Deployment (dp.yaml): Defines the Dashboard Pod, often using a priority class of system-cluster-critical and setting resource limits (e.g., 100m CPU, 300Mi memory).^[04.dashboard插件及k8s实战交付.md]
  • Service (svc.yaml): Exposes the Dashboard, typically mapping port 443 to the container port 8443.^[04.dashboard插件及k8s实战交付.md]
  • Ingress (ingress.yaml): Configures external access, often via traefik, using a hostname like dashboard.od.com.^[04.dashboard插件及k8s实战交付.md]
  • RBAC (rbac.yaml): Defines the permissions required for the Dashboard to operate.^[04.dashboard插件及k8s实战交付.md]
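As an added example (not a manifest from the original source), the following dp.yaml and svc.yaml show the pieces the list above describes: a Deployment in kube-system with the system-cluster-critical priority class and the 100m CPU / 300Mi memory limits, and a Service that maps port 443 to container port 8443. The image registry, label values and the request sizes are assumptions; the ServiceAccount the Pod runs as is the one the RBAC section later binds a role to.

```yaml
# Added example, not from the original source. Registry, labels and
# resource requests are assumptions; replace them with your own values.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      # system-cluster-critical is only admitted in kube-system, which is
      # one reason the Dashboard lives in that namespace.
      priorityClassName: system-cluster-critical
      # The ServiceAccount here decides what the Dashboard process itself
      # may do against the API; what a logged-in user may do comes from
      # the token they present, not from this field.
      serviceAccountName: kubernetes-dashboard
      containers:
      - name: kubernetes-dashboard
        image: REGISTRY_PLACEHOLDER/kubernetes-dashboard-amd64:v1.10.1
        args:
        - --auto-generate-certificates   # upstream flag: self-signed cert for 8443
        ports:
        - containerPort: 8443
          protocol: TCP
        resources:
          limits:
            cpu: 100m
            memory: 300Mi
          requests:          # assumed values
            cpu: 50m
            memory: 100Mi
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
---
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
spec:
  selector:
    k8s-app: kubernetes-dashboard
  ports:
  - port: 443          # what the Ingress / Nginx proxy talks to
    targetPort: 8443   # the container's HTTPS listener
    protocol: TCP
```

The Service is ClusterIP only; it is the Ingress (ingress.yaml) or the Nginx proxy in front of it that decides who can reach port 443 from outside the cluster, so that layer, not the Service, is where TLS termination and hostname matching for dashboard.od.com belong.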

To enable secure HTTPS access, an Nginx proxy (often on a node like hdss7-11) can be configured with valid SSL certificates for the dashboard domain, redirecting HTTP traffic to HTTPS.^[04.dashboard插件及k8s实战交付.md]

Authentication and Authorization

Dashboard versions differ in their login behavior; in every version, what a user may do is controlled by ServiceAccounts and Role-Based Access Control (RBAC).

Versions and Access Control

  • Version 1.8.3: By default, this version lets users skip the login screen; if the Dashboard's ServiceAccount is bound to cluster-admin, anyone who can reach the UI gets full administrative privileges, which is a security risk.^[04.dashboard插件及k8s实战交付.md]
  • Version 1.10.1: This version enforces mandatory login via bearer tokens.^[04.dashboard插件及k8s实战交付.md]

Authorization Models

The permissions granted to users depend on the ServiceAccount configured in the Dashboard Deployment and the associated RBAC roles:

  1. Administrator Access:

    • Uses a ServiceAccount such as kubernetes-dashboard-admin bound to the cluster-admin ClusterRole.^[04.dashboard插件及k8s实战交付.md]
    • The login token is retrieved from the secret associated with the admin ServiceAccount (e.g., kubectl describe secret kubernetes-dashboard-admin-token-...).^[04.dashboard插件及k8s实战交付.md]
    • Grants full control over the cluster.
  2. Read-Only / Minimal Access:

    • Uses a ServiceAccount such as kubernetes-dashboard bound to a custom ClusterRole like dashboard-viewonly.^[04.dashboard插件及k8s实战交付.md]
    • The dashboard-viewonly role explicitly lists verbs (get, list, watch) for specific resources (pods, deployments, services, etc.) and restricts modification actions.^[04.dashboard插件及k8s实战交付.md]
    • Users logging in with this token can view cluster metrics but cannot make changes.

In a production environment, it is recommended to enforce token-based login and restrict users to their specific namespaces or read-only roles, rather than granting default admin privileges.^[04.dashboard插件及k8s实战交付.md]
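The following rbac.yaml is an added example, not the manifest from the original source, and it serves both the read-only model in item 2 above and the namespace-restriction recommendation in the paragraph just before it. It binds the kubernetes-dashboard ServiceAccount to a dashboard-viewonly ClusterRole that lists only get, list and watch for a fixed set of resources, and then shows a second ServiceAccount (dev-viewer, an assumed name) that gets the same role only inside one namespace (app-ns, also assumed) through a RoleBinding. The exact resource list is an assumption; what matters is what is left out.

```yaml
# Added example, not from the original source. Resource list, the
# dev-viewer account and the app-ns namespace are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-viewonly
rules:
# Read verbs only: no create, update, patch or delete anywhere.
# "secrets" is deliberately absent: a viewer who can read secrets can
# read every other ServiceAccount token, including the admin one,
# and the read-only role would be read-only in name only.
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "endpoints", "configmaps",
              "persistentvolumeclaims", "events", "namespaces", "nodes"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get", "list", "watch"]
---
# Cluster-wide read-only: the token of this ServiceAccount is what the
# "minimal access" login in item 2 uses.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-viewonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dashboard-viewonly
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
---
# Per-namespace read-only: a RoleBinding may reference a ClusterRole,
# and then the permissions apply only inside the binding's namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-viewer      # assumed name
  namespace: app-ns     # assumed namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-viewer-viewonly
  namespace: app-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dashboard-viewonly
subjects:
- kind: ServiceAccount
  name: dev-viewer
  namespace: app-ns
```

After applying the file, confirm the role does what the manifest says before handing out tokens: kubectl auth can-i delete pods --as=system:serviceaccount:kube-system:kubernetes-dashboard should answer no, kubectl auth can-i list pods --as=system:serviceaccount:app-ns:dev-viewer -n app-ns should answer yes, and the same list check for dev-viewer against kube-system should answer no. The login token is then read from the ServiceAccount's secret exactly as described for the admin account above.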

Monitoring Integration (Heapster)

The Dashboard can be integrated with Heapster, a metrics collection plugin, to enable the visualization of resource usage graphs and metrics within the UI.^[04.dashboard插件及k8s实战交付.md] Heapster is deployed as a separate service (often on port 8082) that scrapes metrics from the Kubernetes API.^[04.dashboard插件及k8s实战交付.md] Note that this integration is optional and may be skipped if data accuracy is a concern or if alternative monitoring solutions are used.^[04.dashboard插件及k8s实战交付.md]

Sources

  • 04.dashboard插件及k8s实战交付.md