Exposing Kubernetes Dashboard via Ingress

I am currently trying to expose the Kubernetes dashboard via an internal ingress. I have this working for other services which do not utilize TLS themselves, but am unable to get this to work for the dashboard, which has its own self-signed cert. Below is what I have configured.

# Kubernetes Dashboard
---
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: kubernetes-dashboard-disable-mtls
  namespace: kube-system
spec:
  targets:
  - name: kubernetes-dashboard
    ports:
    - number: 443

---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  host: kubernetes-dashboard.kube-system.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE

---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  annotations:
    kubernetes.io/ingress.class: internal
  name: kubernetes-dashboard-gateway
  namespace: kube-system
spec:
  selector:
    istio: ilbgateway
  servers:
  - hosts:
    - kube-dashboard.domain
    port:
      name: https-kube-dashboard
      number: 443
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  gateways:
  - kubernetes-dashboard-gateway
  hosts:
  - kube-dashboard.domain
  http:
  - route:
    - destination:
        host: kubernetes-dashboard.kube-system.svc.cluster.local
        port:
          number: 443

Is there something about the destination rule I have misconfigured? Also, please note I do have mTLS enabled and required in the cluster.

Thanks

I’m currently trying to do this too, did you ever figure it out?

One thing I noticed is that automatic sidecar injection is disabled in the kube-system namespace: https://istio.io/help/faq/setup/#k8s-sidecar-injection-not-working

I got around this by doing a manual sidecar injection but I still couldn’t get it to work.

No, I wasn't able to get it to work. We stopped using Istio as an ingress due to multiple issues we were experiencing with it.

I figured it out. Wrote a blog post about it: