A customizable dashboard for Kubernetes
LiqoDash is a general purpose, dynamic and fully customizable dashboard for Kubernetes. It let you create your own views, and fully customize your resources.
- Visualize: View your components, resources and shared applications with a user-friendly, easy to explore UI.
- Manage: Every Kubernetes resources, can be added, modified or deleted in your cluster directly from the dashboard.
- No more YAML: With the implementation of a fully dynamic form generator, you can create (or update) your resources without the need of writing YAML manifests (still, that option is available)
- Dynamic Dashboard: LiqoDash meets the need for a generic user to have under control only what is necessary, offering the possibility to easily create dynamic views directly accessible in the dashboard, with just the components they need to monitor.
- Customize: LiqoDash offers a simple way to customize the representation of resources, letting the user choose what parameters to see first.
- Authentication: The access to you cluster is secure and managed in two ways: through an OIDC provider (e.g keycloak) or with a secret token generated in your cluster.
- Real time event responsiveness: If a resource or component gets updated the dashboard will be automatically updated without the need to refresh the page.
LiqoDash can be installed using Helm, executing the following commands:
# Clone the dashboard repository
git clone https://github.com/liqotech/dashboard
# Install the dashboard
helm install liqo-dashboard ./dashboard/kubernetes/dashboard_chart --namespace <NAMESPACE> --set version=<VERSION> --set ingress=<INGRESS_HOSTNAME>
- If no namespace is defined, the dashboard will be installed in the
defaultnamespace. - If no version is defined, the version of the dashboard will be
latest. - If no ingress is defined, the ingress will not be installed.
NOTE: from now on, all the commands refer to a dashboard installed in the default namespace.
In order to access the dashboard you need to first get the port on which LiqoDash is exposed, which can be done with the following command:
kubectl describe service liqo-dashboard | grep NodePort
Which will output:
Type: NodePort
NodePort: https 32421/TCP
In this case, the dashboard has been exposed to the port 32421
Now, you can access LiqoDash using your master node IP and the service port you just found: https://<MASTER_IP>:<Liqo*Dash*_PORT>
NOTE: to get your master node IP, you can run kubectl get nodes -o wide | grep master, and take the
INTERNAL-IP
A simple way to access the dashboard with a simpler URL than the one specified above is to use kubectl port-forward.
kubectl port-forward service/liqo-dashboard 6443:443
To access LiqoDash you can go to:
https://localhost:6443
NOTE: The PORT exposed with the port forward, that in the example is 6443, can be any PORT that is not already used.
LiqoDash can also be exposed using an Ingress. You must have an Ingress controller for an Ingress resource to work. If you have one, you can specify the desired host name during the installation like this:
helm install liqo-dashboard ./dashboard/kubernetes/dashboard_chart --set ingress=example.dashboard.com
Once installed, you can see that an Ingress resource is created:
kubectl get ingress
You can access the dashboard through the provided host name.
Using kubectl port-forward to access the dashboard service is usually meant for testing/debugging purposes. It is not a
long term solution, as it require to always run the port-forward and keep it active. However, if you just want to access
the dashboard via localhost, this is the easiest method.
Using a NodePort means that a specific port is opened on all the Nodes, and traffic sent to this port is forwarded to a service (in this case the dashboard). Using a NodePort has its downsides (only one service per port, only accepted ports are in the range 30000-32767...) and as such it is not recommended for production, but it is really convenient if you just want to test the dashboard, or you do not have the possibility to expose it through a Load Balancer.
Using Ingress is probably the best way to expose LiqoDash, especially if you want to access it through the internet. It can provide load balancing, SSL termination and name-based hosting, letting you access the dashboard using a host name instead of just its IP. Because there many types of Ingress controllers, each one with different capabilities, it may require some work to properly set up.
For security, LiqoDash requires a Token to log in. This token is stored within a secret, which is created by default during the installation, along with a service account and a cluster role binding.
To find the token to use to log in, run the following:
kubectl describe secret $(kubectl get secret | grep Liqo*Dash* | awk '{print $1}')
Which should print something like this:
Name: Liqo*Dash*-admin-sa-token-94v8x
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name: Liqo*Dash*-admin-sa
kubernetes.io/service-account.uid: ad421b68-7ca5-4f2b-9022-454eb42f880d
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 4 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6Img0d3lBRjRGWTlYbndfcnZFeWNQR2VQX3dRVjhfXzBVLTdlTG95Tm9QMW8ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJsaXFvIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImxpcW9kYXNoLWFkbWluLXNhLXRva2VuLTk0djh4Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImxpcW9kYXNoLWFkbWluLXNhIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYWQ0MjFiNjgtN2NhNS00ZjJiLTkwMjItNDU0ZWI0MmY4ODBkIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmxpcW86bGlxb2Rhc2gtYWRtaW4tc2EifQ.ZX4SgxepLjDWMYtvlWUfR3Qjzhf80Jq-17JzF7DSZVMJKvqgah0JIG9Ieqj6DBQr-0xxWnTW6hosNjcdf6pm62SbuiSMwyE3xS_j3dAmCQHx5umGbnTjp6GUaMu8JiFtajOpU7-9f06W5g4I44LF1-3FwgG3OY6vVdL6CypWfjumwgh_yLKE9h7tjKl8CiSfNuLVDWHL4l07W9fEeed8lNmFg4FlvOVHmFglTjz20VKEeu964pNlgK0MRGo_cVnDJyWl7cdeEmR0qfiPup5AMQLWUvlX9RTB7UTiRyw9YYZXPrsX5sdUMVuWb-G9ZQ8eABQI7BAs4uCouuoWmIDzag
Now, (1) copy the token, (2) paste it in the login screen, and (3) sign in.
NOTE: the LiqoDash Service Account has admin privileges. To find out more about permissions in Kubernetes read the official authentication and authorization documentation.
If you have an OIDC provider available in your cluster (such as Keycloak), you can use it to access the dashboard and bypass the standard login with the token. In order to bind the dashboard with you OIDC provider, you have to edit the dashboard configmap, which represents the structure that contains the Dashboard configuration. To do so, run the following command:
kubectl edit configmap liqo-dashboard-configmap
You should see a YAML representation of the configmap, such as the following:
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
...
name: liqo-dashboard-configmap
namespace: default
resourceVersion: "012345"
selfLink: /api/v1/namespaces/default/configmaps/liqo-dashboard-configmap
uid: 0000000-993d-11e7-87e0-901b0e532516
data:
app_title: ""
app_favicon: ""
oidc_client_id: ""
oidc_client_secret: ""
oidc_provider_url: ""
oidc_redirect_uri: ""
kind: ConfigMap
Change the values under data regarding the OIDC settings and save the file.
Then, restart the dashboard:
kubectl rollout restart deployment liqo-dashboard
From now on, any attempt to login will be redirected to your OIDC provider for the authentication.
NOTE: you can always revert to the token login authentication by editing the configmap.
The LiqoDash documentation can be found in the docs directory which contains:
