Monitoring
Warning
This documentation is deprecated; please check here for its new home.
Docker Swarm
Work in progress.
Kubernetes
All clusters have the Kubernetes dashboard enabled by default.
NOTE: Do the following procedure from your own machine or VM, not from a shared cluster like lxplus. The proxy listens on a local port that any other user logged in to the same machine can reach, which would expose your cluster.
To access it, start by launching a kube proxy on your host:
$ kubectl proxy
Starting to serve on 127.0.0.1:8001
The dashboard is then available (on your host) at: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
It will ask you for a login token that you can get from the admin service account (or by creating another service account).
As an example (use the token value from the output):
$ kubectl -n kube-system describe secret admin-token-67tq5
Name:         admin-token-67tq5
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=admin
              kubernetes.io/service-account.uid=6f3bfecc-aad1-11e8-bf40-fa163e2e4d25
Type:         kubernetes.io/service-account-token
Data
====
ca.crt: 1066 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi02N3RxNSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjZmM2JmZWNjLWFhZDEtMTFlOC1iZjQwLWZhMTYzZTJlNGQyNSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.f0vwOTlUcjeR0Wr8nxqBysaowRcmipI6s4nHexg2BBKIGUzTiuFP4B3ko9EE4ClBIyRjhhLcOTodCt6J6XSb0XcyD6pFAljwqel6CXJA1sct3n_0zyIP5587E34R4RstQZQBV2lFnTDNm6UZflfaLpBS4cs9uTyGonmj2ZLnvMfHwjBc-JO5rqrk_Y7UDI5WbVB4siIAAbdOabUOowv6oNomDeiDhtr1T32usfxUsVL1_qeLaxwtMsojvcRQprNRSrT3IvHdciSZVdTba6oGwc9yPxZ7kckz-uzzUPirQ2hROMfQcfgLa2RZRFLFi9ZuXzRcJjCjKBXGC1_7LLalA0n0D_k7BoKlRnKdl-0YJUdTd613VjPNozxeiFWipGkyvkZ-1RAJ3SOXk4eNenCx6_H8p9FUZWbSd3c1jQWoOHpUQ99934gHy5J1eYpbU6op3jTBLGxfoL7NP6fXKM_ppk_Mgva7ffL6rYazAxH6XEKVwBtvgY3It15n5ZRkBbPHlMvIhab08UIXrcuXZ8JZ0mj4gJTxJMj2rpVPJ6079x_g_M45M_b3ZzEXPzCoNt5IwdiFkIlo8j2SsCH2KH_V4KK0QZJF2_VS1FO5f_rcHpH_tuPVLkRuQ7-sFXhb3wAWYbFMxaVgh2sSAXvBwOKYxX8Zlu5UIwEnJWY3OtcFfRk
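The secret name used above (admin-token-67tq5) carries a random suffix that differs from cluster to cluster. The following is an added example, not part of the original documentation: it looks the secret up from the service account and decodes the token's claims so you can check which account the token belongs to before pasting it into the dashboard. It assumes kubectl is already configured for the cluster; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes kubectl is configured
# for the cluster and that the service account has a token Secret listed in
# .secrets, as the "admin" account on this page does.

# Print the name of the token Secret of service account $2 in namespace $1,
# so the random suffix (e.g. admin-token-67tq5) need not be known in advance.
sa_secret_name() {
    kubectl -n "$1" get serviceaccount "$2" -o jsonpath='{.secrets[0].name}'
}

# Print the bearer token held in Secret $2 of namespace $1.
# .data.token is base64-encoded in the API object, hence the decode.
sa_token() {
    kubectl -n "$1" get secret "$2" -o jsonpath='{.data.token}' | base64 -d
}

# Print the JSON claims (second segment) of JWT $1.
# The signature is NOT verified; this is for inspection only.
jwt_claims() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in      # restore the padding base64url strips
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Print the "sub" claim: system:serviceaccount:<namespace>:<name>.
jwt_subject() {
    jwt_claims "$1" | sed -n 's/.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Succeed if the token has an "exp" claim. Tokens stored in Secrets, like the
# one above, have none: they stay valid until the Secret or the service
# account is deleted.
jwt_has_expiry() {
    jwt_claims "$1" | grep -q '"exp"[[:space:]]*:'
}

# Usage:
#   name=$(sa_secret_name kube-system admin)
#   token=$(sa_token kube-system "$name")
#   jwt_subject "$token"; jwt_has_expiry "$token" || echo "token never expires"
```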
Using traefik ingress
You can also expose the Kubernetes dashboard through a traefik ingress. With this technique, kubectl proxy is not needed and you can use all the features provided by traefik, such as Let's Encrypt support. This requires first following the steps in the load balancing documentation to set up at least one ingress node.
For the purpose of this tutorial, we will create a new self-signed certificate:
openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt
For production clusters you will have to replace this certificate with your own valid certificate.
Create a secret containing your certificate and key:
kubectl create secret generic dashboard-ingress-cert -n kube-system --from-file=tls.crt --from-file=tls.key
Update the traefik settings to ignore invalid certificates:
kubectl edit daemonsets ingress-traefik -n kube-system
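And add --insecureskipverify under spec.template.spec.containers.args. There should already be some options here such as --logLevel=INFO. This setting is global in traefik: once enabled, certificate verification is skipped for every backend it forwards to, not only the dashboard.
After that, delete all the pods in the daemonset and wait for them to be re-created.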
Create a new ingress for the Kubernetes dashboard using the following definition:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/frontend-entry-points: https
    traefik.ingress.kubernetes.io/protocol: https
spec:
  rules:
  - host: dashboard.mydomain.com
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
        path: /
  tls:
  - secretName: dashboard-ingress-cert
traefik.ingress.kubernetes.io/frontend-entry-points specifies that the frontend should listen for incoming https traffic.
traefik.ingress.kubernetes.io/protocol specifies the protocol used to connect to pods when forwarding traffic.
In this setup, we use the Host header to route traffic to the right backend. Here, dashboard.mydomain.com should be replaced by the landb alias created during the ingress node setup in load balancing.