Introduction

Kubernetes Dashboard is a general purpose, web-based UI for Kubernetes clusters. It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself, by running commands.

With Kubernetes Dashboard, you can:

• Deploy containerized applications to a Kubernetes cluster.
• Diagnose containerized application problems.
• Manage cluster resources.
• View applications running in a cluster.
• Create and modify Kubernetes resources (such as Deployments, jobs, and DaemonSets).
• Check errors that occur in a cluster.

For example, you can scale a Deployment, perform a rolling update, restart a pod, or deploy a new application.

Open source community: https://github.com/kubernetes/dashboard

The dashboard add-on in CCE has been upgraded to the latest version and is free of the Kubernetes Dashboard vulnerability CVE-2018-18264.

For details about security vulnerability CVE-2018-18264, see the following articles:

• https://github.com/kubernetes/dashboard/pull/3289
• https://github.com/kubernetes/dashboard/pull/3400
• https://github.com/kubernetes/dashboard/releases/tag/v1.10.1

Installing the Add-on

1. Log in to the CCE console. In the navigation pane, choose Add-ons. On the Add-on Marketplace tab page, click Install Add-on under dashboard.
2. On the Install Add-on page, select the cluster and the add-on version, and click Next: Configuration.
3. On the Configuration page, configure the following parameters:
   • Certificate Configuration: Configure a certificate for the dashboard.
     • By default, Manually upload certificate is selected.
       • Certificate File: Click to view the example certificate file.
       • Private Key: Click to view the example private key.
     • If Manually upload certificate is deselected, you do not need to upload a certificate.
       

       The default certificate generated by the dashboard is invalid, which affects the normal access to the dashboard through a browser. You are advised to manually upload a valid certificate so that the browser can verify your access and secure your connection.

   • Access Type: Two access types are available:
     • NodePort
       • EIP: If no EIP is bound to the cluster, click here to bind one and click the refresh icon.

         The dashboard add-on is accessed in the NodePort mode by default and can be used only if any node in the cluster has an EIP.

     • LoadBalancer (ELB)
       • Elastic Load Balancer: If LoadBalancer (ELB) is selected, an ELB load balancer must be selected. If no load balancer is available, create a shared load balancer and click the refresh icon.
         

         Make sure that the load balancer you select or create is in the same VPC as the cluster and routes requests over the Internet.

       • Port Settings: mandatory if the access type is LoadBalancer (ELB).
         • Protocol: defaults to TCP.
         • Container Port: defaults to 8443.
         • Access Port: port mapped to the container port at the load balancer's IP address. The workload can be accessed at <Load balancer's IP address>:<Access port>. The port number range is 1–65535.

4. Click Install.

   After the add-on is installed, click Go Back to Previous Page. On the Add-on Instance tab page, select the corresponding cluster to view the running instance. This indicates that the add-on has been installed on each node in the cluster.

Follow-up Operations

Once dashboard is installed, perform the following steps to prepare it for use.

1. Obtain an authentication token.

   Choose Add-ons > Add-on Instance > dashboard to obtain an authentication token.

2. Access the dashboard add-on.

   Choose Add-ons > Add-on Instance > dashboard, click the link next to Access Address, and log in to the dashboard using the token.

Accessing the dashboard Add-on

The dashboard add-on can be accessed when it is in the Running state. Perform the following steps to access this add-on:

1. Log in to the CCE console. In the navigation pane, choose Add-ons. On the Add-on Instance tab page, check that the dashboard add-on is in the Running state and click the add-on name to view its details.
2. On the Description tab page, click in the Obtain a default token area to copy the default token value.
   Figure 1 Copying a token
   

3. Click the hyperlink next to Access Address to open the Kubernetes dashboard login page.
   

   If the "ERR_CERT_INVALID" error occurs when you use the Google Chrome browser to open the dashboard login page, fix the error according to Troubleshooting Access Problems.

   Figure 2 Access address
   

4. On the dashboard login page, select Token, paste the copied token, and click SIGN IN.
   

   By default, this add-on does not support login using kubeconfig authenticated by certificate. You are advised to use the token mode for login. For details, see https://github.com/kubernetes/dashboard/issues/2474#issuecomment-348912376.

   Figure 3 Token login
   

5. View the dashboard page as shown in Figure 4.
   Figure 4 Dashboard page
   

Modifying Permissions

After the dashboard is installed, the initial role can only view a majority of resources that are displayed on the dashboard. To apply for the permissions to perform other operations on the dashboard, you need to modify RBAC authorization resources in the background.

Procedure

Modify the kubernetes-dashboard-minimal rule in the ClusterRole.

For details about how to use RBAC authorization, visit https://kubernetes.io/docs/reference/access-authn-authz/rbac/.

Upgrading the Add-on

1. Log in to the CCE console. In the navigation pane, choose Add-ons. On the Add-on Instance tab page, click Upgrade under dashboard.
   

   • If the Upgrade button is unavailable, the current add-on is already up-to-date and no upgrade is required.
   • If the Upgrade button is available, click Upgrade to upgrade the dashboard to the latest version.
   • When the upgrade is complete, the original version on cluster nodes will be replaced by the latest version.

2. In the dialog box that is displayed, click OK to upgrade the add-on. For details about the parameters, see the parameter description in Installing the Add-on.

Uninstalling the Add-on

1. Log in to the CCE console. In the navigation pane, choose Add-ons. On the Add-on Instance tab page, click Uninstall under dashboard.
2. In the dialog box displayed, click Yes to uninstall the add-on.

Troubleshooting Access Problems

When Google Chrome is used to access the dashboard, the error message "ERR_CERT_INVALID", instead of the login page, is displayed. The possible cause is that the default certificate generated by the dashboard does not pass Google Chrome verification. There are two solutions to this problem:

Figure 5 Error message displayed on Google Chrome

• Solution 1: Use the Firefox browser to access the dashboard. In the Exceptions area of the Proxy Settings page, add the dashboard address to the addresses that will bypass the proxy server. Then, the dashboard login page will be displayed.

• Solution 2: Start Google Chrome with the --ignore-certificate-errors flag to ignore the certificate error.

  Windows: Save the dashboard address. Close all active Google Chrome windows. Press the Windows key + R to display the Run dialog box. Enter chrome --ignore-certificate-errors in the Run dialog box to open a new Google Chrome window. In the address bar, enter the dashboard address to open the login page.