Unlike running Docker containers with ports bound to a host port, Kubernetes does not expose container ports or assign them an IP address. Kubernetes has a
service resource that exposes ports in a POD to a named endpoint and port.
A service provides a predictable way to access containers via the internal cluster network. The container will only be reachable from within the cluster through the service.
In the last post, we used
m8s dashboard-proxy to make the
kubernetes-dashboard service accessible outside the cluster.
To see the manifest of the
kubernetes-dashboard service, issue the following:
k8s get service -n kube-system kubernetes-dashboard -o yaml
Note: The service binds the
portfor this named service to the
targetPorton the Pod.
To display the manifest for the dashboard pod, issue the command:
k8s describe pod -n kube-system kubernetes-dashboard
Look for the
ports collection inside the container spec for
kubernetes-dashboard to see the port setting
Kubernetes' DNS provides service discovery, a valuable feature when containers can disappear or get added, resulting in a shifting set of IP addresses.
To add DNS, type:
m8s enable dns
For safety, the dashboard is secure by default and allows HTTPS only through a certificate it creates. I want to demonstrate how to host the dashboard through the ingress controller through port 80. In a future post, we'll secure this with SSL termination on the ingress controller.
The dashboard will require changes to host HTTP traffic and updating the service to bind to a different target port.
To fetch the current deployment manifest for the dashboard, use the following:
k8s get deployment -n kube-system kubernetes-dashboard -o yaml > dashboard-deployment.yml
Open your favorite editor and follow each set of directions.
--enable-insecure-login to forgo generating self-signed certificates and bind the dashboard process to port
We need to change the port the container will expose to
8443 under the
Edit the liveness probe section by changing the
httpGet's port to
9090 and the
Save the changes you made to the file and apply our changes to the deployment; issue the following:
k8s apply -f ./dashboard-deployment.yml
Now that our dashboard deployment is bound to port 9090, we need to update our service. To fetch the service manifest, type:
k8s get service -n kube-system kubernetes-dashboard -o yaml > dashboard-service.yml
We'll change the
Save your changes and update the service as we did with the deployment with the following:
k8s apply -f ./dashboard-service.yml
An Ingress Controller is how Kubernetes accepts incoming HTTP requests through a fixed set of IPs and directs them to the correct backing Pods/Containers based on configuration.
To install the NGINX Ingress Controller from Kubernetes, we can enable the add-on as follows:
microk8s enable ingress
Save the following YAML for the manifest in a file
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: http-ingress namespace: kube-system annotations: nginx.ingress.kubernetes.io/use-regex: "true" nginx.ingress.kubernetes.io/rewrite-target: /$2 spec: rules: - http: paths: - path: /dash(/|$)(.*) pathType: Prefix backend: service: name: kubernetes-dashboard port: number: 80
From your shell, the following command will cause the ingress controller to update the NGINX configuration.
k8s create -f ./http-dashboard-ingress.yml
The new NGINX configuration forwards all requests to port 80 to the dashboard container.
To access the dashboard, we'll need the IP address of the cluster. The endpoint slice named
kubernetes should resolve to the Ingress controller. Fetch the list of endpoint slices with the following:
k8s get endpointslices
The dashboard should now be accessible via port 80 at the URL
/dash/. The dashboard should display a notification in red at the bottom notifying you that authentication is disabled since you're accessing it via an unsecured (HTTP) connection through an IP other than
The proxy built into microk8s is not compatible with the changes made to the dashboard deployment. The
port-forward feature in Kubernetes creates a tunnel from a specified resource to the localhost.
k8s -n ingress port-forward service/ingress 8008:80
Now the dashboard can be accessed
http://localhost:8008/dash/ and will accept authentication.
In the next post, I'll look at options for SSL termination.