Exposing Kubernetes Dashboard via Ingress

rdyer · March 27, 2019, 2:59pm

I am currently trying to expose the kubernetes dashboard via an internal ingress. I have this working for other services which do not utilize TLS themselves, but am unable to get this to work for the dashboard which has its own self signed cert. Below is what I have configured.

# Kubernetes Dashboard
---
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: kubernetes-dashboard-disable-mtls
  namespace: kube-system
spec:
  targets:
  - name: kubernetes-dashboard
    ports:
    - number: 443

---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  host: kubernetes-dashboard.kube-system.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE

---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  annotations:
    kubernetes.io/ingress.class: internal
  name: kubernetes-dashboard-gateway
  namespace: kube-system
spec:
  selector:
    istio: ilbgateway
  servers:
  - hosts:
    - kube-dashboard.domain
    port:
      name: https-kube-dashboard
      number: 443
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  gateways:
  - kubernetes-dashboard-gateway
  hosts:
  - kube-dashboard.domain
  http:
  - route:
    - destination:
        host: kubernetes-dashboard.kube-system.svc.cluster.local
        port:
          number: 443

Is there something about the destination rule I have misconfigured? Also please note I do have mtls enabled and required in the cluster.

Thanks

kenske · May 13, 2019, 8:57pm

I’m currently trying to do this too, did you ever figure it out?

One think I noticed is that automatic sidecar injection is disabled in the kube-system namespace: https://istio.io/help/faq/setup/#k8s-sidecar-injection-not-working

I got around this by doing a manual sidecar injection but I still couldn’t get it to work.

rdyer · May 15, 2019, 1:57pm

No I wasnt able to get it to work. We stopped using istio as an ingress due to multiple issues we were experiencing with it.

kenske · May 23, 2019, 11:19pm

I figured it out. Wrote a blog post about it:

yaakov-berkovitch · April 23, 2020, 10:10am

Did you make it working with Dashboard >= 1.7 ? Because since version 1.7 Dashboard uses more secure setup. It means, that by default it has minimal set of privileges and can only be accessed over HTTPS.
I’m trying to make it working but didn’t succeed.

kenske · April 23, 2020, 5:55pm

Yes, I’m currently running v2.0.0-rc7

Tomas_Kohout · April 26, 2020, 6:26am

I’m curious. Can’t you setup Gateway for https termination and then create a VS and DR so that envoy will use https to dashboard?

exploremanik · September 25, 2020, 6:18am

Hi - Is anyone ever manage to set the kubernetes dashboard through HTTPS. There are few direction to use the TLS Mode: PASSTHROUGH but no clear steps defined.

Topic		Replies	Views
Non able to access non-istio enabled namespace pods Networking	0	458	December 10, 2019
Migrate from Nginx: how to support https -> https without sidecar Networking	0	594	April 20, 2022
Access a HTTPS service through istio ingress gateway	4	912	April 28, 2020
Nginx Ingress Controller with Istio MTLS	9	6488	December 4, 2023
TLS SDS/credentialName not working with Ingress Gateway Security	9	9636	March 15, 2021

Exposing Kubernetes Dashboard via Ingress

Related topics