Skip to content

Monitoring

Monitoring

Docker Swarm

Work in progress.

Kubernetes

All clusters have the kubernetes dashboard enabled by default.

NOTE: Do the following procedure from your own machine or VM, not from a shared cluster like lxplus or lxplus-cloud. That would expose your cluster

To access it, start by launching a kube proxy on your host:

$ kubectl proxy
Starting to serve on 127.0.0.1:8001

The dashboard is then accessible by accessing (on your host): http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

Instructions on how to get the login token are available here.

As an example (use the token value from the output):

$ kubectl -n kube-system describe secret admin-token-67tq5
Name:         admin-token-67tq5
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=admin
              kubernetes.io/service-account.uid=6f3bfecc-aad1-11e8-bf40-fa163e2e4d25

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1066 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi02N3RxNSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjZmM2JmZWNjLWFhZDEtMTFlOC1iZjQwLWZhMTYzZTJlNGQyNSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.f0vwOTlUcjeR0Wr8nxqBysaowRcmipI6s4nHexg2BBKIGUzTiuFP4B3ko9EE4ClBIyRjhhLcOTodCt6J6XSb0XcyD6pFAljwqel6CXJA1sct3n_0zyIP5587E34R4RstQZQBV2lFnTDNm6UZflfaLpBS4cs9uTyGonmj2ZLnvMfHwjBc-JO5rqrk_Y7UDI5WbVB4siIAAbdOabUOowv6oNomDeiDhtr1T32usfxUsVL1_qeLaxwtMsojvcRQprNRSrT3IvHdciSZVdTba6oGwc9yPxZ7kckz-uzzUPirQ2hROMfQcfgLa2RZRFLFi9ZuXzRcJjCjKBXGC1_7LLalA0n0D_k7BoKlRnKdl-0YJUdTd613VjPNozxeiFWipGkyvkZ-1RAJ3SOXk4eNenCx6_H8p9FUZWbSd3c1jQWoOHpUQ99934gHy5J1eYpbU6op3jTBLGxfoL7NP6fXKM_ppk_Mgva7ffL6rYazAxH6XEKVwBtvgY3It15n5ZRkBbPHlMvIhab08UIXrcuXZ8JZ0mj4gJTxJMj2rpVPJ6079x_g_M45M_b3ZzEXPzCoNt5IwdiFkIlo8j2SsCH2KH_V4KK0QZJF2_VS1FO5f_rcHpH_tuPVLkRuQ7-sFXhb3wAWYbFMxaVgh2sSAXvBwOKYxX8Zlu5UIwEnJWY3OtcFfRk
Using traefik ingress

You can also expose kubernetes dashboard through traefik ingress. Using this technique, kubectl proxy won't be needed and you will be able to use all the features provided by traefik such as let's encrypt support. This requires to first follow the steps in the load balancing documentation to setup at least one ingress node.

For the purpose of this tutorial, we will create a new self-signed certificate:

openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt

For production clusters you will have to replace this certificate with your own valid certificate.

Create a secret containing your certificate and key:

kubectl create secret generic dashboard-ingress-cert -n kube-system --from-file=tls.crt --from-file=tls.key

Update the traefik settings to ignore invalid certificates:

kubectl edit daemonsets ingress-traefik -n kube-system

And add --insecureskipverify under spec.template.spec.containers.args. There should already be some options here such as --logLevel=INFO. After that delete all the pods in the daemonset and wait for them to be re-created.

Create a new ingress for kubernetes dashboard using the following definition:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/frontend-entry-points: https
    traefik.ingress.kubernetes.io/protocol: https
spec:
  rules:
  - host: dashboard.mydomain.com
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
        path: /
  tls:
  - secretName: dashboard-ingress-cert

traefik.ingress.kubernetes.io/frontend-entry-points specifies that the frontend should listen for incoming https traffic. traefik.ingress.kubernetes.io/protocol specify the protocol used to connect to pods when forwarding traffic. In this setup, we use the Host header to route traffic to the right backend. Here, dasboard.mydomain.com should be replaced by the landb alias created during the ingress node setup in load balancing.