Kubernetes is a popular cluster and container management/orchestration platform widely used in public and private clouds. Kubernetes Dashboard is a web-based Kubernetes user interface. You can use Dashboard to deploy containerized applications to a Kubernetes cluster, troubleshoot your containerized application, and manage the cluster resources.
SocketXP TLS VPN
SocketXP TLS VPN solution (a lightweight VPN) provides secure remote access to private Kubernetes Clusters in your private cloud or public cloud. SocketXP also provides a secure public URL to access your local private applications including Kubernetes Dashboard.
The SocketXP agent is available as a Docker container in the SocketXP DockerHub Repository. Run the SocketXP Docker container as a standalone container (as explained in the sections below) in your Kubernetes cluster to set up remote access to your Kubernetes Dashboard.
Deploying the Dashboard UI:
Follow the instructions on the Kubernetes Open Source Project page on how to deploy and set up the Dashboard UI in your Kubernetes cluster.
https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
As explained in the Kubernetes official documentation, you need to run the kubectl CLI utility in proxy mode to access your dashboard in a web browser.
Kubernetes Dashboard Login from Outside Network
What is the approach to access Kubernetes Dashboard login from outside network?
Overall Strategy
Here is the overall strategy to set up remote access to your Kubernetes Dashboard:
- Deploy the SocketXP VPN agent Docker container in your Kubernetes cluster.
- Install the kubectl CLI utility locally on your laptop.
- Set up the kubectl config file on your laptop with the SocketXP Public URL, Kubernetes SSL certs, and key.
- Remote access your private Kubernetes cluster from your laptop using the kubectl CLI utility.
- Run kubectl in proxy mode in your laptop.
- Access your Kubernetes dashboard in a web browser via the local kubectl proxy.
SocketXP Agent Docker Container Deployment:
First go to the SocketXP Portal. Sign up for a free account and get your authtoken there. Use the authtoken to create a Kubernetes secret as shown below.
kubectl create secret generic socketxp-credentials --from-literal=authtoken=[your-auth-token-goes-here]
Verify that the secret socketxp-credentials got created.
$ kubectl get secrets
NAME                   TYPE                                  DATA   AGE
default-token-5skb7    kubernetes.io/service-account-token   3      4h
socketxp-credentials   Opaque                                1      4h
$
We'll use the below config.json file to configure the SocketXP agent Docker container. In this example, we are trying to create a secure public web URL and a TLS VPN tunnel to the Kubernetes API server.
$ cat config.json
{
    "tunnel_enabled": true,
    "tunnels" : [{
        "destination": "https://kubernetes.default",
        "protocol": "tls",
        "custom_domain": "",
        "subdomain": ""
    }],
    "relay_enabled": false
}
Next create a Kubernetes configmap to store the above SocketXP agent configuration file.
kubectl create configmap socketxp-configmap --from-file=/home/test-user/config.json
Verify that the socketxp-configmap got created.
$ kubectl describe configmaps socketxp-configmap
Name: socketxp-configmap
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
config.json:
----
{ "tunnel_enabled": true, "tunnels" : [{ "destination": "https://kubernetes.default", "protocol": "tls", "custom_domain": "", "subdomain": "" }], "relay_enabled": false }
Events: <none>
Now that we have created the authtoken secret and the configmap needed by the SocketXP agent, it's time to launch the SocketXP Docker container expresssocket/socketxp:latest as a Kubernetes Deployment.
Here is the deployment.yaml file we'll use to create a standalone SocketXP agent deployment.
$ cat deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: socketxp
  labels:
    app: socketxp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: socketxp
  template:
    metadata:
      labels:
        app: socketxp
    spec:
      containers:
      - name: socketxp
        image: expresssocket/socketxp:latest
        env:
        - name: AUTHTOKEN
          valueFrom:
            secretKeyRef:
              name: socketxp-credentials
              key: authtoken
        volumeMounts:
        - name: config-volume
          mountPath: /data
      volumes:
      - name: config-volume
        configMap:
          # Provide the name of the ConfigMap containing the files you want
          # to add to the container
          name: socketxp-configmap
Note:
We have created a separate volume named config-volume and mounted it under the /data directory inside the container, so that the socketxp-configmap will be available as a config.json file under the /data directory in the running container.
Next, check if the pods are created from the deployment and running.
$ kubectl get pods
NAME                        READY   STATUS    RESTARTS   AGE
socketxp-75cb4dd7c9-bhxfp   1/1     Running   0          4s
$
Now you can retrieve the SocketXP Public URL created for your Kubernetes API server from the SocketXP Portal page at https://portal.socketxp.com/#/tunnels or from the pod logs as shown below.
$ kubectl logs socketxp-75cb4dd7c9-bhxfp
...
...
Login Succeeded.
User [] Email [test-user@gmail.com].
Connected.
Public URL -> https://test-user-fn4mda420.socketxp.com
You can now use the above SocketXP Public URL to access the Kubernetes Cluster's API server remotely using a kubectl utility.
Local kubectl installation
Install the kubectl CLI utility locally on your laptop to remote access your Kubernetes cluster. Follow the instructions here to download and install kubectl on your laptop:
https://kubernetes.io/docs/tasks/tools/install-kubectl/
After you have installed the kubectl CLI utility, overwrite the kubectl config file located at $HOME/.kube/config on your laptop with the one from your cluster's master node ($HOME/.kube/config).
Next, update the API server URL in your kubectl config file to use the SocketXP Public URL https://test-user-fn4mda420.socketxp.com, as shown below.
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /Users/test-user/.minikube/ca.crt
    server: https://test-user-fn4mda420.socketxp.com
  name: minikube
contexts:
- context:
    cluster: minikube
    user: minikube
  name: minikube
...
...
Please ensure that you also copy the client certificate, CA certificate and private key files or authtoken from your Kubernetes cluster's master node to your laptop in the appropriate folder as specified in the kubectl config file.
Verify that the config works fine, using the following command:
kubectl config view
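Because this kubeconfig now points at a publicly reachable URL and references credentials copied from the master node, it is worth checking more than that the file parses. The Python check below is an added example (not part of the original article or of SocketXP's tooling) that audits the JSON form of the config, as printed by kubectl config view -o json, for a non-HTTPS server, disabled TLS verification, a missing cluster CA, and a client key readable by other users. The function name audit_kubeconfig and the client certificate and key paths in the sample are assumptions.

```python
import json
import os
import stat
from urllib.parse import urlparse

# Constructed sample mirroring the kubeconfig above; the client-certificate
# and client-key paths are placeholders, not values from the article.
SAMPLE = json.loads("""
{
  "clusters": [{"name": "minikube", "cluster": {
      "server": "https://test-user-fn4mda420.socketxp.com",
      "certificate-authority": "/Users/test-user/.minikube/ca.crt"}}],
  "users": [{"name": "minikube", "user": {
      "client-certificate": "/Users/test-user/.minikube/client.crt",
      "client-key": "/Users/test-user/.minikube/client.key"}}]
}
""")


def audit_kubeconfig(cfg):
    """Return findings for a parsed `kubectl config view -o json` document."""
    findings = []
    for entry in cfg.get("clusters") or []:
        name, cluster = entry["name"], entry.get("cluster") or {}
        if urlparse(cluster.get("server", "")).scheme != "https":
            findings.append(f"cluster {name}: server URL is not https")
        if cluster.get("insecure-skip-tls-verify"):
            findings.append(f"cluster {name}: TLS verification is disabled")
        elif not (cluster.get("certificate-authority")
                  or cluster.get("certificate-authority-data")):
            findings.append(f"cluster {name}: no cluster CA configured")
    for entry in cfg.get("users") or []:
        name, user = entry["name"], entry.get("user") or {}
        key = user.get("client-key")
        # Only files present on this machine can be checked for permissions.
        if key and os.path.exists(key):
            mode = stat.S_IMODE(os.stat(key).st_mode)
            if mode & 0o077:  # any group/other permission bit set
                findings.append(
                    f"user {name}: {key} has mode {mode:o}, expected 600")
    return findings


if __name__ == "__main__":
    for finding in audit_kubeconfig(SAMPLE) or ["no findings"]:
        print(finding)
```

To audit the real file, pass the parsed output of kubectl config view -o json to audit_kubeconfig instead of SAMPLE.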
Now you can remotely access or manage your private Kubernetes cluster from your laptop by executing any kubectl command locally:
$ kubectl get pods
NAME                        READY   STATUS    RESTARTS   AGE
socketxp-75cb4dd7c9-bhxfp   1/1     Running   0          1h
Note:
When you create more than one replica of the SocketXP agent pod using the deployment, each pod would be assigned a unique SocketXP Public URL. This is because each SocketXP agent pod running in the Kubernetes Cluster will fetch a new Public URL from the SocketXP Cloud Gateway.
Run kubectl in proxy mode
To remotely access your Kubernetes Dashboard, run the kubectl CLI utility in proxy mode on your laptop as shown below:
$ kubectl proxy
Starting to serve on 127.0.0.1:8001
Let this command continue to run in the foreground.
Remote access Kubernetes Dashboard:
Now you can remotely access your Kubernetes Dashboard from your laptop using the following local URL via the kubectl proxy. Kubectl will make Dashboard available at:
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
Now you can view or manage your Kubernetes resources.
Note: This article was originally published at: https://www.socketxp.com/iot