Getting Started with Kubernetes

Welcome to Kubernetes! This guide helps new users set up clusters, access the dashboard, and stay secure. It covers:

  1. Getting Started:
    • Ensure you have subscribed to the trial, signed the quote, and received cluster provisioning confirmation
    • Install the Kubectl client and download the Kubernetes configuration file
  2. Setting Up Dashboard:
    • Download the configuration file
    • Install the dashboard on a Kubernetes cluster
  3. Accessing Dashboard:
    • Create a ServiceAccount “admin-user”
    • Generate a token and log in to the dashboard
  4. Security Considerations:
    • Do not expose the dashboard publicly
    • Use limited RBAC rules to minimize risks

Dive into the details below to uncover more about the steps outlined above!

Getting started with Kubernetes cluster

  1. Before getting started, ensure you have already done the following:
    • Subscribed to our trial
    • Signed the quote associated with the trial
    • Received the confirmation that your cluster was provisioned
  1. You need to have the Kubectl client installed. You can follow the instructions here to install it:
    https://kubernetes.io/docs/tasks/tools/#kubectl
    • You can verify with the command kubectl version to make sure the kubectl client works.  
  1. Log in to the Leaseweb Customer Portal, and on the left panel, select Kubernetes
  1. On the Clusters page, you will then be able to see your existing pre-provisioned clusters
  1. Under the ACTIONS field, click the Download kubeconfig link in order to download your KubeConfig
    • Download and save this file to $HOME/.kube/config in order to be discovered by the kubectl command line.
  1. Once you have downloaded your Kubernetes configuration at the right place, you should be good to go

How to set up the Kubernetes dashboard

This tutorial is intended for starting users and will provision a basic Kubernetes dashboard.
Multiple simplifications and shortcuts are taken in order to keep this document accessible. The “Further Considerations” section gives an overview of these simplifications.

Using “kubectl apply”

Download the configuration and save as “config.yml”

  1. In the Leaseweb Customer Portal, under the Kubernetes section, the existing clusters are visible:
  1. Under the ACTIONS field, click the Download kubeconfig link in order to download the yaml file:
  1. Save it as config.yml in the current working directory.

Install the dashboard on a Kubernetes cluster

  1. Once the configuration is saved as “config.yml”, this command can be used to set up the dashboard on a Kubernetes cluster:
kubectl --kubeconfig config.yml create -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
  1. If everything is fine, the following command will show the newly created pods:
kubectl --kubeconfig config.yml -n kubernetes-dashboard get pods
NAME READY STATUS RESTARTS AGE
dashboard-metrics-scraper-5cb4f4bb9c-qqb4p 1/1 Running 0 4m49s
kubernetes-dashboard-6967859bff-knjss 1/1 Running 0 4m50s
  1. This means the dashboard is now hosted on the cluster. In order to access it, a user needs to be created. See the next steps below.

Generate a new user to access the Kubernetes dashboard 

In order to do so, we will need to create a ServiceAccount “admin-user” that will have the necessary access. Permission will be assigned by defining a ClusterRoleBinding giving this account admin authorization on the cluster.

  1. To create the account, save the following content in a file named dashboard-serviceaccount.yml:
# ServiceAccount used to log in to the dashboard
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
# Binds the account to the cluster-admin ClusterRole (full access to the whole cluster)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
  1. Then the following command can be used to create the new user:
kubectl --kubeconfig config.yml create -f dashboard-serviceaccount.yml
serviceaccount/admin-user created
  1. A “token” is required in order to log in to the dashboard. It can be generated using the following command:
kubectl --kubeconfig config.yml -n kubernetes-dashboard create token admin-user
eyJhbGciOiJSUzI1NiIsImtp...

The part starting with eyJhbGciOiJSUzI1NiIsImtp..., which goes on for multiple lines, is the authentication token and must be treated as sensitive information!

Accessing the Kubernetes Dashboard

  1. The following command can be used to proxy the dashboard to a browser:
kubectl --kubeconfig config.yml -n kubernetes-dashboard port-forward service/kubernetes-dashboard 8443:443
Forwarding from 127.0.0.1:8443 -> 8443
Forwarding from [::1]:8443 -> 8443
  1. The dashboard login page will appear when loading the address https://localhost:8443/ in a browser
  1. Please select “Token” and copy-paste the token generated in the section Generate a new user to access the Kubernetes dashboard
  2. The browser will now be logged in to the dashboard.
  1. You can now “take the Dashboard Tour”. In the “namespace” combo box on the top menu, you can select the “kubernetes-dashboard” namespace.
  1. The Pods associated with the newly created service will be visible in that namespace.

Considerations

Installing via helm

A common way to install Kubernetes services is to use a “Helm Chart” in order to configure the service.
Instructions on how to install it this way are available in the Kubernetes-dashboard helm chart documentation.

Helm has many advantages, but the most interesting one is that it lets you customize deployments through a set of pre-defined variables, so that you can configure the dashboard as you wish.

Once installed, the instructions from Generate a new user to access the Kubernetes dashboard can be used to generate a token and access the dashboard.

The final dashboard can be accessed using kubectl proxy as stated in the helm chart documentation.

Access Control

For the sake of simplicity, here we have generated a token that has the cluster-admin Role, meaning that anyone with access to this token may be able to do more than was intended, including destructive actions.
If the token falls into the wrong hands, the cluster will be at risk.
Please take the time to create a new user with limited RBAC rules in order to limit the impact this token may have on the cluster.

For further information on how to create custom users and roles, see the official Kubernetes documentation.
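
A limited user of the kind recommended above, as an added example that is not part of the original guide: a ServiceAccount bound to the built-in read-only view ClusterRole through a namespaced RoleBinding instead of cluster-admin. The name dashboard-viewer is a hypothetical choice for this example.

```yaml
# Added example: read-only dashboard user limited to one namespace.
# "dashboard-viewer" is a hypothetical name, not taken from the guide.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-viewer
  namespace: kubernetes-dashboard
---
# A RoleBinding (not a ClusterRoleBinding) grants the referenced ClusterRole
# only inside the namespace of the binding. The built-in "view" ClusterRole
# is read-only and does not allow reading Secrets or changing RBAC objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dashboard-viewer
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: dashboard-viewer
  namespace: kubernetes-dashboard
```

After applying the file, the scope can be confirmed with kubectl --kubeconfig config.yml auth can-i delete pods -n kubernetes-dashboard --as=system:serviceaccount:kubernetes-dashboard:dashboard-viewer, which should answer "no". A token for this account is generated the same way as for admin-user, and kubectl create token accepts a --duration flag to keep its lifetime short.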

Security

The next logical step might seem to be to expose this dashboard to the internet in order to be able to access it easily. But be aware that there are some security considerations that should be taken care of, and this can be dangerous if not put in place properly.
In order to keep things as secure as possible, please do not expose the Kubernetes dashboard publicly and use the kubectl proxy command as demonstrated above in the Accessing the Kubernetes Dashboard section.

More information about Kubernetes

The deployment of our Kubernetes cluster conforms to the Kubernetes standard. For more information, you can see the following articles:

| Topic | Associated documentation | Specificities |
| --- | --- | --- |
| Installation of the KubeCtl tool | https://kubernetes.io/docs/tasks/tools/#kubectl | Please disregard the sections about “kind” / “minikube” / “kubeadm” |
| Deploy your first Kubernetes Application | https://kubernetes.io/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro/ | |
| How to deploy the Kubernetes UI / Dashboard | https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/ | Leaseweb does not deploy the Kubernetes dashboard out of the box. |
| How to use Persistent Volumes | Kubernetes Persistent Volumes | |