Simplified Deployment of Kubernetes Dashboard with ALB Ingress Controller

Suraj Solanki
5 min readJul 31, 2023

Kubernetes Dashboard is a powerful web-based user interface that allows users to manage and monitor Kubernetes clusters. While the dashboard provides a user-friendly experience, exposing it securely and efficiently to users outside the cluster can be challenging. In this blog, we will explore how to deploy the Kubernetes Dashboard using an Application Load Balancer (ALB) Ingress Controller, providing a seamless and secure way to access the dashboard from the internet.

Prerequisites:

  1. A running Kubernetes cluster with kubectl configured to access the cluster.
  2. AWS CLI was installed and configured with appropriate permissions to create ALB resources.

Step 1: Install Kubernetes Dashboard

Before deploying the Kubernetes Dashboard, ensure that it is installed in your Kubernetes cluster. If not already installed, you can use the following kubectl command:

 kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml

Step 2: Accessing Dashboard

We will create a new user using the Service Account mechanism of Kubernetes, grant this user admin permissions, and log in to Dashboard using a bearer token tied to this user

cat > service-role.yaml << EOF

apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin # name: view if read only user required
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kubernetes-dashboard

---

apiVersion: v1
kind: Secret
metadata:
name: admin-user
namespace: kubernetes-dashboard
annotations:
kubernetes.io/service-account.name: "admin-user"
type: kubernetes.io/service-account-token

EOF

kubectl apply -f service-role.yaml

Step 3: Deploy ALB Ingress Controller

We need to deploy the ALB Ingress Controller to manage the incoming traffic and route it to the Kubernetes Dashboard service. Follow these steps to deploy the ALB Ingress Controller:

Step 1: Download the IAM policy for the ALB Ingress Controller:

curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.7/docs/install/iam_policy.json

Step 2: Create an IAM policy using AWS CLI:

aws iam create-policy policy-name AWSLoadBalancerControllerIAMPolicy policy-document file://iam_policy.json

Step 3: Retrieve OIDC ID and create an IAM role for the ALB Ingress Controller:

Step 1: 

oidc_id=$(aws eks describe-cluster - name my-cluster - query "cluster.identity.oidc.issuer" - output text | cut -d '/' -f 5)

Step 2:

aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4

Step 3:

cat >load-balancer-role-trust-policy.json <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<account-id>:oidc-provider/oidc.eks.region-code.amazonaws.com/id/<oidc-id>"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.region-code.amazonaws.com/id/<oidc_id>:aud": "sts.amazonaws.com",
"oidc.eks.region-code.amazonaws.com/id/<oidc_id>:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller"
}
}
}
]
}
EOF

Step 4:

aws iam create-role \
--role-name AmazonEKSLoadBalancerControllerRole \
--assume-role-policy-document file://"load-balancer-role-trust-policy.json"

Step 5:

aws iam attach-role-policy \
--policy-arn arn:aws:iam::<account-id>:policy/AWSLoadBalancerControllerIAMPolicy \
--role-name AmazonEKSLoadBalancerControllerRole

Step 4: Create a Kubernetes service account for the ALB Ingress Controller:

cat >aws-load-balancer-controller-service-account.yaml <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: aws-load-balancer-controller
name: aws-load-balancer-controller
namespace: kube-system
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/AmazonEKSLoadBalancerControllerRole
EOF


kubectl apply -f aws-load-balancer-controller-service-account.yaml

Step 5: Installing Helm Helm is a package manager for Kubernetes that simplifies application deployment.

$ curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
$ chmod 700 get_helm.sh
$ ./get_helm.sh

Step 6: Install AWS Load Balancer Controller using Helm V3:

Step 1:

helm repo add eks https://aws.github.io/eks-charts

Step 2:

helm repo update eks

Step 3:

helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
-n kube-system \
--set clusterName=<Cluster-Name> \
--set serviceAccount.create=false \
--set serviceAccount.name=aws-load-balancer-controller

Verify that the controller is installed

kubectl get deployment -n kube-system aws-load-balancer-controller

Step 7: Deploy ALB Ingress Class: Create an ALB Ingress Class to manage Ingress resources for the AWS Load Balancer Controller.

cat > ALBIngressClass.yaml <<EOF

apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
name: alb-aws-ingress-class
annotations:
ingressclass.kubernetes.io/is-default-class: "true"
spec:
controller: ingress.k8s.aws/alb

EOF

Kubectl apply -f ALBIngressClass.yaml

Step 8: Create ALB Ingress Resource for Kubernetes-dashboard: Create an ALB Ingress resource specifically for the Kubernetes Dashboard, defining the necessary annotations for ALB settings.

cat > dashboard-ingress.yaml <<EOF

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig":
{ "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
alb.ingress.kubernetes.io/backend-protocol: HTTPS
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:<region>:<account-id>:certificate/<cert-unique-id>
alb.ingress.kubernetes.io/group.name: <lb-name>-group
alb.ingress.kubernetes.io/healthcheck-interval-seconds: "15"
alb.ingress.kubernetes.io/healthcheck-port: traffic-port
alb.ingress.kubernetes.io/healthcheck-protocol: HTTPS
alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "4"
alb.ingress.kubernetes.io/healthy-threshold-count: "2"
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/load-balancer-name: <lb-name>
alb.ingress.kubernetes.io/scheme: internal
alb.ingress.kubernetes.io/subnets: <subnet-id>,<subnet-id>
alb.ingress.kubernetes.io/success-codes: "200"
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/unhealthy-threshold-count: "3"
name: <ingress-name>
namespace: kubernetes-dashboard
spec:
ingressClassName: alb-aws-ingress-class
rules:
- host: subdomain.example.com
http:
paths:
- backend:
service:
name: kubernetes-dashboard
port:
number: 443
path: /
pathType: Prefix
tls:
- hosts:
- subdomain.example.com
secretName: kubernetes-dashboard-cert

EOF

kubectl apply -f dashboard-ingress.yaml

Step 9: Adding ALB’s DNS name to Route53:

To make the Kubernetes Dashboard accessible via a custom DNS name, add the ALB’s DNS name as a DNS record in Route 53.

Follow these steps in the AWS Management Console:

Go to AWS Management Console and open the Route53 console.

  1. Go to “Route53” and select the hosted zone where you want to add the DNS record for the ALB.
  2. Click on “Create Record Set.”
  3. Configure the following settings:
  • Name: Enter the desired subdomain or domain name for the ALB (e.g., “dashboard.example.com”).
  • Type: Choose “CNAME.”
  • Alias: Set this to “No.”
  • Value: Enter the ALB’s DNS name you retrieved earlier (e.g., “cluster-alb-<account-id>.us-west-2.elb.amazonaws.com”).
  • TTL (Seconds): Optionally, set the Time To Live (TTL) for the DNS record.

4. Click “Create” to add the DNS record.

After creating the DNS record, Once the changes have propagated, users can access the Kubernetes Dashboard using the custom DNS name you configured (e.g., “dashboard.example.com”) to securely manage and monitor the Kubernetes cluster.

Step 10: Accessing the Kubernetes Dashboard via DNS Name

Note: To access the Kubernetes dashboard, you need to obtain a valid token or kubeconfig to authenticate and access cluster resources securely.

To get a long-lived Bearer Token for the ServiceAccount, use the following command:

$ kubectl get secret admin-user -n kubernetes-dashboard -o jsonpath={".data.token"} | base64 -d

This command retrieves the Bearer Token associated with the “admin-user” ServiceAccount in the “Kubernetes-dashboard” namespace and decodes it using base64.

Click the Sign in button and that's it. You are now logged in as an admin.

Conclusion:

In this blog, we’ve learned how to deploy the Kubernetes Dashboard using an ALB Ingress Controller. By leveraging the ALB, we can securely expose the dashboard to the internet while ensuring efficient load balancing and routing of incoming traffic. Now you can easily manage and monitor your Kubernetes cluster using the user-friendly Kubernetes Dashboard.

Thanks for reading this far, and good luck. I appreciate your comments/feedback.

About The Author
Suraj Solanki
DevOps Engineer — II
LinkedIn: https://www.linkedin.com/in/suraj-solanki

--

--

Suraj Solanki

Senior DevOps Engineer and Fascinated to learn as well as talk about cloud and automation. You can always connect https://www.linkedin.com/in/suraj-solanki