Access Using Kubernetes Dashboard

KubeRaya clusters come with the Kubernetes Dashboard pre-installed by default.

This means you do not need to install or deploy the dashboard manually.

Your task as a user is only to access it securely and authenticate using a bearer token, as required by Kubernetes.

This guide explains how to access the Kubernetes Dashboard UI, generate a login token, and understand the security model behind it.

Important Notes Before You Start

Before proceeding, it is important to understand how Kubernetes Dashboard works:

Kubernetes Dashboard only supports Bearer Token authentication
Username/password login is not supported
Dashboard access is intentionally not exposed publicly
Access is typically done via kubectl port-forward

These behaviors are by design and enforced by Kubernetes itself.

📄 Official Kubernetes documentation:
https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/#accessing-the-dashboard-ui

Prerequisites

Make sure you have:

A running KubeRaya cluster
kubeconfig access to the cluster
kubectl installed on your local machine
Network access to the cluster API (VPN or direct access, depending on setup)

📄 See: Access Using kubeconfig

Step 1: Verify Kubernetes Dashboard Is Running

The Kubernetes Dashboard is installed automatically when a KubeRaya cluster is created.

To verify that the dashboard is running:

kubectl get pods -n kubernetes-dashboard

You should see pods such as:

kubernetes-dashboard
dashboard-metrics-scraper
kubernetes-dashboard-kong-proxy

If the pods are in Running state, the dashboard is ready.

Step 2: Access the Dashboard Using Port Forwarding

Kubernetes Dashboard is not exposed via a public IP.

Access is performed securely using kubectl port-forward.

Run the following command:

kubectl -n kubernetes-dashboard port-forward svc/kubernetes-dashboard-kong-proxy 8443:443

Expected behavior:

kubectl establishes a local tunnel
Dashboard becomes accessible on your local machine only

Open your browser and visit:

https://localhost:8443

You may see a browser warning due to a self-signed certificate. This is normal.

⚠️

The Dashboard UI is accessible only from the machine where the command is executed.

Kubernetes Dashboard requires a Bearer Token for authentication.

Create an Admin Service Account (Recommended for Testing / Admin Use)

Create a service account:

kubectl create serviceaccount dashboard-admin -n kubernetes-dashboard

Bind it to the cluster-admin role:

kubectl create clusterrolebinding dashboard-admin \
  --clusterrole=cluster-admin \
  --serviceaccount=kubernetes-dashboard:dashboard-admin

⚠️

This grants full administrative access. Use for administrative or learning purposes only.

Step 4: Retrieve the Bearer Token

Get the token associated with the service account:

kubectl -n kubernetes-dashboard create token dashboard-admin

Copy the generated token.

Step 5: Log In to the Dashboard

Open the Dashboard UI in your browser:
```
https://localhost:8443
```
Select Token authentication
Paste the bearer token
Click Sign In

You should now have access to the Kubernetes Dashboard.

Understanding the Security Model

Kubernetes Dashboard follows a minimal-access-by-default security model.

Key points:

No anonymous access
No password-based login
RBAC enforced strictly
Dashboard does not bypass Kubernetes permissions

What you can see and do in the dashboard depends entirely on:

The service account used
RBAC roles and bindings

Best Practices for Dashboard Access

Use Dashboard primarily for:
- Visualization
- Troubleshooting
- Learning and inspection
Avoid using Dashboard as the primary management interface
Prefer kubectl and GitOps workflows for production
Restrict admin tokens and rotate them if exposed
Never expose the Dashboard publicly