How do I set up a Kubernetes dashboard on an Amazon EKS cluster?

Last updated: 2019-07-17

How do I set up a Kubernetes dashboard on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster?

Short Description

Heapster, the deprecated metrics provider, is required for setting up a Kubernetes dashboard. Because Heapster is deprecated, the read-only port (10255) of the kubelet in the Amazon EKS-Optimized AMI (starting with version 1.10.11) is disabled. This disabled port generates an error in the Heapster logs that says "dial tcp x.x.x.x:10255:getsockopt: connection refused." This error means that you can't see CPU and memory metrics when you access the Kubernetes dashboard.

Resolution

Set up your environment

Note: If necessary, connect to your Amazon Elastic Compute Cloud (Amazon EC2) instance using SSH. The syntax in the code examples below applies to Linux servers.

1.    Install kubectl and aws-iam-authenticator.

2.    To configure your kubeconfig file to point to the Amazon EKS control plane, run the following command:

$ aws eks update-kubeconfig --name EKS_ClusterName

Note: Replace EKS_ClusterName with your EKS cluster name. For additional information on configuring your kubeconfig file, see update-kubeconfig.

3.    To verify that worker nodes are running in your environment, run the following command:

$ kubectl get nodes

4.    To verify that the Kubernetes service is running in your environment, run the following command:

$ kubectl get svc

Create a Kubernetes dashboard

1.    To create a Kubernetes dashboard, run the following command:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

2.    To make metrics and graphs available on your dashboard with Heapster, run the following command:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/heapster.yaml

Important: To get Heapster to collect CPU and memory metrics that will appear on the Kubernetes dashboard, you can use the amazon-eks-nodegroup template for AWS CloudFormation to provision your EKS worker nodes. To avoid the error from the Short Description section, enable the read-only port (10255) on your Amazon EKS-Optimized AMI in your AWS CloudFormation template. Also, set the BootstrapArguments parameter to --kubelet-extra-args '--read-only-port=10255' when you create your EKS worker nodes.

3.    To create a deployment and service, run the following command:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/influxdb.yaml

4.    To create a cluster role binding for the dashboard, run the following command:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/rbac/heapster-rbac.yaml

5.    To create a manifest file for a new service account with cluster admin privileges, run the following command:

$ cat > eks-admin-service-account.yaml << EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: eks-admin
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: eks-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: eks-admin
  namespace: kube-system
EOF

6.    To verify that a manifest file was created in the previous step, run the following command:

$ cat eks-admin-service-account.yaml

7.    To create the eks-admin service account and bind it to the cluster-admin cluster role, run the following command:

$ kubectl apply -f eks-admin-service-account.yaml

8.    To forward all requests from your Amazon EC2 instance localhost port to the Kubernetes dashboard port, run the following command:

$ kubectl port-forward svc/kubernetes-dashboard -n kube-system 6443:443

9.    To access the port from your local machine with an SSH tunnel, run the following command:

$ ssh -i EC2KeyPair.pem ec2-user@IP -L 6443:127.0.0.1:6443

Note: Replace EC2KeyPair.pem with your key pair.
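
The manifest from step 5 binds the eks-admin service account to the cluster-admin role, so the bearer token used to sign in to the dashboard carries full cluster privileges. The following added example (not part of the original article) lists every subject that a manifest binds to cluster-admin, so that the grant can be reviewed before running kubectl apply. The function name audit_cluster_admin is hypothetical, and the parser assumes plain block-style YAML like the step 5 manifest.

```bash
# Added example: report subjects bound to the cluster-admin ClusterRole.
# Assumes block-style YAML as in step 5; this is not a general YAML parser.
audit_cluster_admin() {   # usage: audit_cluster_admin FILE
  awk '
    function emit(   i) {   # prints: <binding> <subject kind> <namespace>/<name>
      if (kind == "ClusterRoleBinding" && role == "cluster-admin")
        for (i = 1; i <= n; i++) print bname, skind[i], sns[i] "/" sname[i]
      kind = role = bname = section = ""; n = 0
    }
    /^---/      { emit(); next }                 # end of one YAML document
    /^[A-Za-z]/ { section = $1; if ($1 == "kind:") kind = $2; next }
    section == "metadata:" && $1 == "name:" { bname = $2 }
    section == "roleRef:"  && $1 == "name:" { role = $2 }
    section == "subjects:" {
      if ($1 == "-") { n++; skind[n] = sname[n] = sns[n] = ""; k = $2; v = $3 }
      else           { k = $1; v = $2 }
      if (k == "kind:") skind[n] = v
      if (k == "name:") sname[n] = v
      if (k == "namespace:") sns[n] = v
    }
    END { emit() }
  ' "$1"
}

# Sample input: a copy of the step 5 manifest, written to a temporary file.
sample=$(mktemp)
cat > "$sample" << 'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: eks-admin
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: eks-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: eks-admin
  namespace: kube-system
EOF
audit_cluster_admin "$sample"
```

For the step 5 manifest, the function prints eks-admin ServiceAccount kube-system/eks-admin. A subject without a namespace, such as a User or Group, is printed with an empty namespace before the slash.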

Access the Kubernetes dashboard in a browser

1.    To access your Kubernetes dashboard in a browser, enter https://127.0.0.1:6443.

The Kubernetes dashboard loads in the browser and prompts you for input.

2.    To get a bearer token for authentication, return to the command line, and run the following command:

$ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep eks-admin | awk '{print $1}')

3.    Copy the token from the command line output.

4.    In your browser, in the Kubernetes Dashboard pop-up window, choose Token.

5.    Paste the token from the output into the Enter token box, and then choose SIGN-IN.

You now have access to the Kubernetes dashboard in your browser.
