Now Kubernetes dashboard uses the compatible version to the K8s clust…

…er - the version is therefore also templated. Also reworked RBAC dashboard Role & RoleBinding to ClusterRole and ClusterRoleBinding. Commented out the heapster resources. Granted dashboard administrative rights.

README.md

@@ -218,14 +218,28 @@ https://github.com/docker-library/busybox/issues/48
 https://github.com/kelseyhightower/kubernetes-the-hard-way/issues/356
 https://stackoverflow.com/a/52036125/4964553
 
-### Where did we stop? (on 22. Juni 2018)
 
-We´ve reached every step till:
+## Dashboard
 
-https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/13-smoke-test.md#services
+> First thing important: Kubernetes and Dashboard versions need to be compatible! See https://github.com/kubernetes/dashboard/wiki/Compatibility-matrix
 
-And the dashboard could´nt be accesses right away, only manually by Johannes with a port forwarding and tiller-deployment to retrieve the Token (key didn´t work).
+https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
+
+Installation: https://github.com/kubernetes/dashboard/wiki/Installation#recommended-setup (don´t use kubectl proxy!)
+
+Access: Through API-Server: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.6.X-and-below#api-server
+
+> In case Kubernetes API server is exposed and accessible from outside you can directly access dashboard at: 
+
+```
+https://external.k8s:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
+```
+
+Grant Dashboard Admin-Rights: https://github.com/kubernetes/dashboard/wiki/Access-control#admin-privileges
 
+> Make sure that you know what you are doing before proceeding. Granting admin privileges to Dashboard's Service Account might be a security risk.
+
+And the dashboard could´nt be accesses right away, only manually by Johannes with a port forwarding and tiller-deployment to retrieve the Token (key didn´t work).
 
 
 

group_vars/all.yml

@@ -2,6 +2,8 @@ ansible_python_interpreter: /usr/bin/python3
 
 kubernetes_version: v1.10.2
 etcd_version: v3.3.5
+# Kubernetes & Dashboard versions must be compatible! see https://github.com/kubernetes/dashboard/wiki/Compatibility-matrix
+kubernetes_dashboard_version: v1.10.0
 
 kubernetes_cluster_cidr: 10.200.0.0/16
 kubernetes_cluster_iprange: 10.32.0.0/24

roles/dashboard/tasks/main.yml

@@ -5,9 +5,13 @@
     state: directory
 
 - name: copy kubernetes-dashboard.yaml
-  copy:
+  template:
     src: kubernetes-dashboard.yaml
     dest: /opt/dashboard/kubernetes-dashboard.yaml
 
+- name: delete old dashboard Service, ServiceAccount, Deployment etc
+  shell: kubectl delete -f /opt/dashboard/kubernetes-dashboard.yaml
+  ignore_errors: true
+
 - name: apply dashboard Service, ServiceAccount, Deployment etc
   shell: kubectl apply -f /opt/dashboard/kubernetes-dashboard.yaml

roles/dashboard/files/kubernetes-dashboard.yaml → roles/dashboard/templates/kubernetes-dashboard.yaml

@@ -42,10 +42,10 @@ metadata:
 ---
 # ------------------- Dashboard Role & Role Binding ------------------- #
 
-kind: Role
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: kubernetes-dashboard-minimal
+  name: kubernetes-dashboard
   namespace: kube-system
 rules:
   # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
@@ -67,25 +67,26 @@ rules:
   resourceNames: ["kubernetes-dashboard-settings"]
   verbs: ["get", "update"]
   # Allow Dashboard to get metrics from heapster.
-- apiGroups: [""]
-  resources: ["services"]
-  resourceNames: ["heapster"]
-  verbs: ["proxy"]
-- apiGroups: [""]
-  resources: ["services/proxy"]
-  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
-  verbs: ["get"]
+#- apiGroups: [""]
+#  resources: ["services"]
+#  resourceNames: ["heapster"]
+#  verbs: ["proxy"]
+#- apiGroups: [""]
+#  resources: ["services/proxy"]
+#  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
+#  verbs: ["get"]
 
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
 metadata:
-  name: kubernetes-dashboard-minimal
-  namespace: kube-system
+  name: kubernetes-dashboard
+  labels:
+    k8s-app: kubernetes-dashboard
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: kubernetes-dashboard-minimal
+  kind: ClusterRole
+  name: cluster-admin
 subjects:
 - kind: ServiceAccount
   name: kubernetes-dashboard
@@ -114,16 +115,16 @@ spec:
     spec:
       containers:
       - name: kubernetes-dashboard
-        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3
+        image: k8s.gcr.io/kubernetes-dashboard-amd64:{{kubernetes_dashboard_version}}
         ports:
         - containerPort: 8443
           protocol: TCP
         args:
-          - --auto-generate-certificates
-          # Uncomment the following line to manually specify Kubernetes API server Host
-          # If not specified, Dashboard will attempt to auto discover the API server and connect
-          # to it. Uncomment only if the default does not work.
-          # - --apiserver-host=http://my-address:port
+        - --auto-generate-certificates
+        # Uncomment the following line to manually specify Kubernetes API server Host
+        # If not specified, Dashboard will attempt to auto discover the API server and connect
+        # to it. Uncomment only if the default does not work.
+        # - --apiserver-host=http://my-address:port
         volumeMounts:
         - name: kubernetes-dashboard-certs
           mountPath: /certs

roles/rbac/tasks/main.yml

@@ -1,4 +1,4 @@
-- name: copy rbac-cluster-role.yaml
+- name: Copy ClusterRole and ClusterRoleBinding for kube-apiserver accessing kubelets
   copy:
     src: "{{ item }}"
     dest: /etc/kubernetes/config/
@@ -7,7 +7,7 @@
     - rbac-cluster-role-binding.yaml
   when: inventory_hostname == "master-0"
 
-- name: apply rbac
+- name: Apply ClusterRole and ClusterRoleBinding for kube-apiserver accessing kubelets
   shell: "kubectl apply --kubeconfig /vagrant/configurationfiles/admin.kubeconfig -f {{ item }}"
   with_items:
     - /etc/kubernetes/config/rbac-cluster-role.yaml