How do I access the Kubernetes Dashboard on a custom path in Amazon EKS?

Last updated: 2020-11-13

I want to access the Kubernetes Dashboard on a custom path in Amazon Elastic Kubernetes Service (Amazon EKS).

Short description

To access the Kubernetes Dashboard, you must complete the following:

  1. Create or use an existing self-signed certificate, and then upload the certificate to the AWS Certificate Manager (ACM).
  2. Deploy the NGINX Ingress Controller and expose it as a NodePort service.
  3. Create an Ingress object for the Application Load Balancer Ingress Controller that forwards all the requests from the Application Load Balancer to the NGINX Ingress Controller that you deploy using a manifest file.
  4. Deploy the Kubernetes Dashboard.
  5. Create an Ingress for the NGINX Ingress Controller.

Here's how the resolution works:

  1. The Application Load Balancer forwards all the incoming traffic to the NGINX Ingress Controller.
  2. The NGINX Ingress Controller evaluates the path-pattern of the incoming request (for example, /custom-path/additionalcustompath).
  3. The NGINX Ingress Controller rewrites the URL to /additionalcustompath before forwarding the request to the kubernetes-dashboard service.

Resolution

Create or use an existing self-signed certificate, and then upload the certificate to ACM

If you use an existing ACM certificate with the Application Load Balancer, then skip to the "Deploy the NGINX Ingress Controller and expose it as a NodePort service" section.

Note: The following steps apply to the Amazon Linux Amazon Machine Image (AMI) release 2018.03.

1.    Generate a private key using OpenSSL:

openssl genrsa 2048 > kube-dash-private.key

2.    Create a certificate using the key generated in step 1:

openssl req -new -x509 -nodes -sha256 -days 3650 -extensions v3_ca -key kube-dash-private.key > kube-dash-public.crt

Important: Provide a fully qualified domain name for Common Name, because the Application Load Balancer allows only ACM certificates with fully qualified domain names to be attached to the 443 listener.

The output should look similar to the following:

Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:   
Common Name (eg, your name or your server's hostname) []:kube-dashboard.com         ==>This is important
Email Address []:

3.    Install the AWS Command Line Interface (AWS CLI) and set up the credentials.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

4.    Upload the private key and the certificate to the ACM in your AWS Region:

aws acm import-certificate --certificate file://kube-dash-public.crt --private-key file://kube-dash-private.key --region us-east-1

Note: Replace us-east-1 with your AWS Region.

The output looks similar to the following:

{
    "CertificateArn": "arn:aws:acm:us-east-1:your-account:certificate/your-certificate-id"
}

5.    Open the ACM console, and then verify that the domain name appears in your imported ACM certificate.

Tip: If the domain name doesn't appear in the ACM console, then recreate the certificate with a valid fully qualified domain name.
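
A pre-import check for the files from steps 1 and 2, added here as an example (not part of the original article): it confirms that the Common Name is a fully qualified domain name, that the certificate is not signed with SHA-1 or MD5, that the key matches the certificate, and that the key file is not readable by other users. The function names and finding messages are this example's own; the file names are the ones used above.

```shell
#!/bin/sh
# Added example: pre-import checks for the key and certificate from steps 1-2.

cert_cn() {        # Common Name of the certificate subject (empty if absent)
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

cert_sigalg() {    # for example: sha256WithRSAEncryption
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

same_keypair() {   # true when the private key belongs to the certificate
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Print one line per finding; the exit status is the number of findings.
check_for_acm() {
    cert=$1 key=$2 findings=0
    cn=$(cert_cn "$cert")
    host=${cn#\*.}                       # allow a leading wildcard label
    case $host in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) fqdn=no ;;
        *.*) fqdn=yes ;;
        *) fqdn=no ;;
    esac
    if [ "$fqdn" = no ]; then
        echo "CN '$cn' is not a fully qualified domain name"
        findings=$((findings + 1))
    fi
    case $(cert_sigalg "$cert") in
        *[sS][hH][aA]1*|*[mM][dD]5*)
            echo "certificate is signed with a weak hash"
            findings=$((findings + 1)) ;;
    esac
    if ! same_keypair "$cert" "$key"; then
        echo "private key does not match the certificate"
        findings=$((findings + 1))
    fi
    # 'openssl genrsa 2048 > file' inherits the shell umask, often 0644.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "private key is readable by group or others (chmod 600)"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Run check_for_acm kube-dash-public.crt kube-dash-private.key before the import in step 4; an exit status of 0 means no findings.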

Deploy the NGINX Ingress Controller and expose it as a NodePort service

1.    Create the namespace ingress-nginx:

kubectl create ns ingress-nginx

2.    Install Helm version 3.

3.    Use Helm to deploy the NGINX Ingress Controller:

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install nginx ingress-nginx/ingress-nginx --namespace ingress-nginx --set controller.service.type=NodePort

Create an Ingress object for the Application Load Balancer Ingress Controller

You must create an Ingress object that forwards all the requests from the Application Load Balancer Ingress Controller to the NGINX Ingress Controller that you deployed earlier using a manifest file.

1.    Deploy the Application Load Balancer Ingress Controller.

2.    Create an Ingress object for the Application Load Balancer Ingress Controller based on the following alb-ingress.yaml file:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "alb-ingress"
  namespace: "ingress-nginx"
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:your-region:your-account-id:certificate/XXXX-XXXX-XXXX-XXXX-XXXXX
    alb.ingress.kubernetes.io/healthcheck-path: /dashboard/
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
  labels:
    app: dashboard
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: ssl-redirect
              servicePort: use-annotation
          - path: /*
            backend:
              serviceName: "nginx-ingress-nginx-controller"
              servicePort: 80

Note: Replace alb.ingress.kubernetes.io/certificate-arn with the Amazon Resource Name (ARN) of your ACM certificate.

The preceding manifest file uses the following annotations:

The "alb.ingress.kubernetes.io/scheme" annotation creates an internet-facing Application Load Balancer.
The "alb.ingress.kubernetes.io/certificate-arn" annotation associates the ARN of your ACM certificate with the 443 listener of the Application Load Balancer.
The "alb.ingress.kubernetes.io/listen-ports" annotation creates the listeners for ports 80 and 443.
The "alb.ingress.kubernetes.io/actions.ssl-redirect" annotation redirects all requests that arrive on port 80 to port 443.
The "alb.ingress.kubernetes.io/healthcheck-path" annotation sets the health check path to /dashboard/.

3.    Apply the manifest file from the preceding step 2:

kubectl apply -f alb-ingress.yaml

Deploy the Kubernetes Dashboard

To deploy the Kubernetes Dashboard, see Tutorial: Deploy the Kubernetes Dashboard (web UI).

Create an Ingress for the NGINX Ingress Controller

1.    Create an Ingress for the NGINX Ingress Controller based on the following ingress-dashboard.yaml file:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dashboard
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/configuration-snippet: |
      rewrite ^(/dashboard)$ $1/ redirect;
  namespace: kubernetes-dashboard
spec:
  rules:
  - http:
      paths:
      - path: /dashboard(/|$)(.*)
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443

Note: The "nginx.ingress.kubernetes.io/rewrite-target" annotation rewrites the URL before forwarding the request to the backend pods. In /dashboard(/|$)(.*) for path, (.*) stores the dynamic URL that's generated while accessing the Kubernetes Dashboard. The "nginx.ingress.kubernetes.io/rewrite-target" annotation replaces the captured data in the URL before forwarding the request to the kubernetes-dashboard service. The "nginx.ingress.kubernetes.io/configuration-snippet" annotation rewrites the URL to add a trailing slash ("/") only if ALB-URL/dashboard is accessed.

2.    Apply the manifest file ingress-dashboard.yaml:

kubectl apply -f ingress-dashboard.yaml

3.    Check the Application Load Balancer URL in the ADDRESS of the alb-ingress that you created earlier:

kubectl get ingress alb-ingress -n ingress-nginx

You can now access the Kubernetes Dashboard using ALB-URL/dashboard/. If you access ALB-URL/dashboard, then a trailing slash ("/") is automatically added to the URL.
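
The path handling described in the preceding note, modeled as an added example (not code from the original article or from the NGINX Ingress Controller): route is a hypothetical helper that applies the page's path regex, rewrite-target, and configuration-snippet to a request path. The sample paths are constructed.

```shell
#!/bin/sh
# Added example: models the two NGINX annotations from ingress-dashboard.yaml.
# route PATH prints what happens to a request path (query strings not modeled).
route() {
    path=$1
    # configuration-snippet: rewrite ^(/dashboard)$ $1/ redirect;
    if [ "$path" = /dashboard ]; then
        echo "redirect /dashboard/"
        return 0
    fi
    # path /dashboard(/|$)(.*) with rewrite-target /$2: keep only group 2.
    upstream=$(printf '%s\n' "$path" |
        sed -n -E 's#^/dashboard(/|$)(.*)#/\2#p')
    if [ -n "$upstream" ]; then
        echo "proxy $upstream"      # sent to kubernetes-dashboard:443
    else
        echo "no-match"             # this Ingress rule does not apply
    fi
}

# Constructed sample paths.
for p in /dashboard /dashboard/ /dashboard/api/v1/login/status /dashboardfoo /other
do
    printf '%-32s -> %s\n' "$p" "$(route "$p")"
done
```

The (/|$) group is what keeps a path such as /dashboardfoo from being treated as part of the dashboard prefix.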

Clean up the resources that you created earlier

1.    Delete the ingress for the NGINX Ingress Controller:

helm uninstall nginx -n ingress-nginx

2.    Delete the Kubernetes Dashboard components and the Metrics Server:

kubectl delete -f eks-admin-service-account.yaml
kubectl delete -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta8/aio/deploy/recommended.yaml
kubectl delete -f https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.3.6/components.yaml

3.    Delete the alb-ingress:

kubectl delete -f alb-ingress.yaml

Note: If you created AWS Identity and Access Management (IAM) resources, then you can delete the IAM role and IAM policy.

4.    Delete the ingress-nginx namespace:

kubectl delete ns ingress-nginx

5.    To delete the ACM certificate you created, run the following command:

aws acm delete-certificate --certificate-arn arn:aws:acm:us-east-1:your-account-id:certificate/XXXX-XXXX-XXXX-XXXX-XXXXX --region us-east-1

Note: Replace certificate-arn with your certificate ARN. Replace us-east-1 with your AWS Region. Replace your-account-id with your account ID.

