How to access/expose kubernetes-dashboard service outside of a cluster?

Question

I have got the following services:

ubuntu@master:~$ kubectl get services --all-namespaces
NAMESPACE     NAME                   CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
default       kubernetes             100.64.0.1      <none>        443/TCP         48m
kube-system   kube-dns               100.64.0.10     <none>        53/UDP,53/TCP   47m
kube-system   kubernetes-dashboard   100.70.83.136   <nodes>       80/TCP          47m

I am attempting to access kubernetes dashboard. The following response seems reasonable, taking into account curl is not a browser.

ubuntu@master:~$ curl 100.70.83.136
 <!doctype html> <html ng-app="kubernetesDashboard"> <head> <meta charset="utf-8"> <title>Kubernetes Dashboard</title> <link rel="icon" type="image/png" href="assets/images/kubernetes-logo.png"> <meta name="viewport" content="width=device-width"> <link rel="stylesheet" href="static/vendor.36bb79bb.css"> <link rel="stylesheet" href="static/app.d2318302.css"> </head> <body> <!--[if lt IE 10]>
      <p class="browsehappy">You are using an <strong>outdated</strong> browser.
      Please <a href="http://browsehappy.com/">upgrade your browser</a> to improve your
      experience.</p>
    <![endif]--> <kd-chrome layout="column" layout-fill> </kd-chrome> <script src="static/vendor.633c6c7a.js"></script> <script src="api/appConfig.json"></script> <script src="static/app.9ed974b1.js"></script> </body> </html> 

According to the documentation the right access point is https://localhost/ui. So, I am trying it and receive a bit worrying result. Is it expected response?

ubuntu@master:~$ curl https://localhost/ui
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Trying the same without certificate validation. For curl it might be OK. but I have got the same in a browser, which is connecting though port forwarding via vagrant forwarded_port option.

ubuntu@master:~$ curl -k https://localhost/ui
Unauthorized

What I am doing wrong? and how to make sure I can access the UI? Currently it responds with Unauthorized.

The docs for the dashboard tell the password is in the configuration:

ubuntu@master:~$ kubectl config view
apiVersion: v1
clusters: []
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []

but it seems I have got nothing... Is it expected behavior? How can I authorize with the UI?

question from:https://stackoverflow.com/questions/39864385/how-to-access-expose-kubernetes-dashboard-service-outside-of-a-cluster

Answer 1

The offical wiki is a little bit confusing so I reordered it here:

If you use the recommended yaml to deploy the dashboard, you should only access your dashboard by https, and you should generate your certs, refer to guide. Then you can run kubectl proxy --address='0.0.0.0' --accept-hosts='^*$' to visit the dashboard on "http://localhost:8001/ui". This page needs to use a token to login. To generate it, refer to this page. Also you can add NodePort to your yaml and access it using <nodeip>:<port>.

If you deploy using the http alternative method, you can only access your dashboard by nodeip:port. Remember to add it to yaml first!! After deployment, you should also generate your token and add header Authorization: Bearer <token> for every request.

I think this can help you and others who want to use kube-dashboard.