To sign in to the Kubernetes Dashboard safely, we need to make sure we have the right access control steps in place. This includes having a service account and a bearer token if needed. The Kubernetes Dashboard is easy to use for managing our Kubernetes cluster. But it is very important to have proper authentication to keep our system safe and stop unauthorized access.
In this article, we will help you with the key steps to log in to the
Kubernetes Dashboard. We will talk about what you need before accessing
the dashboard. We will also explain how to set up access control and how
to use kubectl for access. Moreover, we will show how to
create a service account and how to get a bearer token. Here is what we
will talk about:
- How to Sign In to the Kubernetes Dashboard Safely
- What Are the Things We Need to Access the Kubernetes Dashboard
- How to Set Up Access Control for the Kubernetes Dashboard
- How to Use kubectl to Access the Kubernetes Dashboard
- How to Create a Service Account for the Kubernetes Dashboard
- How to Get a Bearer Token for the Kubernetes Dashboard
- Questions People Often Ask
For more details on Kubernetes and its parts, check our article on what are the key parts of a Kubernetes cluster.
What Are the Prerequisites to Access the Kubernetes Dashboard
To access the Kubernetes Dashboard safely, we need to make sure we meet some requirements:
Kubernetes Cluster: We need a working Kubernetes cluster. This can be a local setup with Minikube or a service like AWS EKS, Google GKE, or Azure AKS.
kubectl Installed: We should have
kubectlinstalled and set up to talk to our Kubernetes cluster. We can check this by running:kubectl cluster-infoDashboard Installed: We must deploy the Kubernetes Dashboard in our cluster. If it is not there, we can install it using:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.5.1/aio/deploy/recommended.yamlAccess Control: We need to set up access control to use the dashboard safely. This usually means configuring Role-Based Access Control (RBAC) to decide what users can see the Dashboard.
Authentication Method: We should pick an authentication method for signing in. Some common ways are:
- Kubeconfig File: Using kubeconfig for authentication.
- Service Account Token: Making a service account that allows access to the Dashboard.
Network Access: We must make sure we can reach the Dashboard’s URL. If we access the Dashboard through a LoadBalancer or NodePort, we must check that the needed ports are open.
Browser Compatibility: We should use a modern web browser to access the Dashboard. It may not work well in old browsers.
If we meet these requirements, we can set up a safe and working way to access the Kubernetes Dashboard. For more details on setting up Kubernetes and its parts, check out this article on key components of a Kubernetes cluster.
How to Set Up Access Control for the Kubernetes Dashboard
To set up access control for the Kubernetes Dashboard, we use Role-Based Access Control or RBAC. This means we create roles and role bindings. We make sure that only authorized users can access the dashboard. Let’s follow these steps to set up access control.
Create a Role: First, we need to define what permissions our users will have. For example, to create a role that allows access to the dashboard, we can use this YAML configuration:
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: kubernetes-dashboard name: dashboard-admin rules: - apiGroups: ["*"] resources: ["*"] verbs: ["get", "list", "watch", "create", "update", "delete"]We apply this configuration by using:
kubectl apply -f role.yamlCreate a RoleBinding: Next, we bind the role to a user or a group. Here is an example of a RoleBinding that connects the
dashboard-adminrole to a specific user:apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: dashboard-admin-binding namespace: kubernetes-dashboard subjects: - kind: User name: <username> # Replace with your actual username apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: dashboard-admin apiGroup: rbac.authorization.k8s.ioWe save this to a file and apply it with:
kubectl apply -f rolebinding.yamlAccess the Dashboard: After we set up RBAC, we can access the Kubernetes Dashboard securely. We use
kubectl proxyto start a proxy to the Kubernetes API server:kubectl proxyThen we access the dashboard at this link:
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/.Verify Permissions: We need to check that the user has the right permissions. Log in and try to access the resources we defined in the role.
For more information on how to set up Kubernetes access control, check this guide on implementing RBAC in Kubernetes.
How to Use kubectl to Access the Kubernetes Dashboard
To use the Kubernetes Dashboard with kubectl, we need to
forward the Dashboard service to our local machine. This lets us use the
Dashboard in a web browser. Here are the steps we should follow:
Get the name of the Dashboard service: The default name for the Kubernetes Dashboard service is usually
kubernetes-dashboard. We can check this by running:kubectl get services -n kubernetes-dashboardForward the service port to our local machine: We can use the
kubectl port-forwardcommand to send the Dashboard’s service port (which is usually 443) to a local port, like 8001:kubectl port-forward -n kubernetes-dashboard service/kubernetes-dashboard 8001:443Access the Dashboard: Now, we open a web browser and go to:
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/Authenticate: We need to log in to access the Dashboard. If we have set up a Service Account with the right permissions, we can use its bearer token to log in.
We should check that our kubectl context is set to the
cluster where we have the Dashboard. For more details on using
kubectl to manage Kubernetes resources, we can look at this
article.
How to Create a Service Account for the Kubernetes Dashboard
We can create a service account for the Kubernetes Dashboard by
making a YAML file. Then we will use kubectl to apply it.
This service account gives us secure access to the dashboard.
- Create a YAML file for the service account. We can
name it
dashboard-service-account.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
name: dashboard-admin-sa
namespace: kubernetes-dashboard- Apply the configuration with this command:
kubectl apply -f dashboard-service-account.yaml- Create a cluster role binding to give the service
account admin rights. We will define another YAML file called
dashboard-admin-rolebinding.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dashboard-admin-sa
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: dashboard-admin-sa
namespace: kubernetes-dashboard- Apply the role binding:
kubectl apply -f dashboard-admin-rolebinding.yamlAfter we do these steps, the service account
dashboard-admin-sa will be created. It will have
cluster-admin rights. So, it can access the Kubernetes Dashboard.
We must follow best practices for security. We should only give necessary permissions to service accounts. For more information about managing roles, we can check the Kubernetes RBAC documentation.
How to Generate a Bearer Token for the Kubernetes Dashboard
To access the Kubernetes Dashboard safely, we need to create a bearer token. This token helps us log in to the Dashboard. Here is how we can make a bearer token for the Kubernetes Dashboard.
Create a Service Account: First, we create a service account. This account will help us access the Dashboard.
apiVersion: v1 kind: ServiceAccount metadata: name: dashboard-admin-sa namespace: kubernetes-dashboardWe apply the above configuration using this command:
kubectl apply -f service-account.yamlCreate a ClusterRoleBinding: Next, we bind the service account to a cluster role that has the right permissions.
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: dashboard-admin-sa roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: dashboard-admin-sa namespace: kubernetes-dashboardWe apply this configuration like this:
kubectl apply -f cluster-role-binding.yamlRetrieve the Bearer Token: Now, we can get the token that is created for the service account. We use this command:
kubectl get secret $(kubectl get serviceaccount dashboard-admin-sa -n kubernetes-dashboard -o jsonpath="{.secrets[0].name}") -n kubernetes-dashboard -o jsonpath="{.data.token}" | base64 --decodeUse the Bearer Token: When we log into the Kubernetes Dashboard, we use the bearer token for authentication on the login screen.
This way, we can sign in to the Kubernetes Dashboard safely using a bearer token. For more information about managing the Kubernetes Dashboard, we can check this Kubernetes Dashboard documentation.
Frequently Asked Questions
1. How do I access the Kubernetes Dashboard?
To access the Kubernetes Dashboard, we need to make sure it is
deployed in our cluster. After that, we can use a web browser to reach
it. Depending on how we set it up, we might need to use
kubectl proxy or make the Dashboard service available using
LoadBalancer or NodePort service type. For more steps on how to access
apps in a Kubernetes cluster, check our article on how
to access applications running in a Kubernetes cluster.
2. What authentication methods does the Kubernetes Dashboard support?
The Kubernetes Dashboard supports many ways to log in, like bearer tokens and kubeconfig files. For better security, we should use role-based access control (RBAC) to limit access based on user roles. To learn more about using RBAC in Kubernetes, look at our article on how to implement role-based access control (RBAC) in Kubernetes.
3. Can I use the Kubernetes Dashboard without kubectl?
Even if kubectl is a strong command-line tool for managing Kubernetes clusters, we don’t strictly need to use it to access the Kubernetes Dashboard. But we will need kubectl for some first setup tasks. This includes deploying the Dashboard and creating the right service accounts and roles. For more about managing Kubernetes resources with kubectl, see our article on what is kubectl and how do I use it to manage Kubernetes.
4. How can I create a service account for the Kubernetes Dashboard?
To create a service account for the Kubernetes Dashboard, we can use the command below:
kubectl create serviceaccount dashboard-admin -n kubernetes-dashboardAfter we create the service account, we need to link it to a role that gives the right permissions. This is important for safe access to the Kubernetes Dashboard. For more steps, check our guide on how to create a service account for the Kubernetes Dashboard.
5. How do I secure the Kubernetes Dashboard?
To secure the Kubernetes Dashboard, we need to use role-based access control (RBAC). We should also use secure tokens for login and only show the Dashboard to trusted networks. It is important to follow best practices for Kubernetes security. This includes updating our Dashboard version regularly. For a full view of Kubernetes security best practices, see our article on what are Kubernetes security best practices.