Skip to content

MKE 4k Dashboard#

The MKE 4k Dashboard add-on provides a web UI that you can use to manage Kubernetes resources:

Access the MKE 4k Dashboard#

As the MKE 4k Dashboard is enabled by default, you can access it easily by navigating to the address of the load balancer endpoint from a freshly installed cluster.

Important

Verify that the external address for MKE 4k is set in the apiServer.externalAddress field of the mke4.yaml configuration file. The external address is the domain name of the load balancer configured as described in System Requirements: Load balancer .

Use the MKE 4k Dashboard with authentication services#

Users of the OIDC, SAML, and LDAP authorization services must deploy additional ClusterRoleBindings to use the MKE 4k Dashboard.

To create additional ClusterRoleBindings:

  1. Develop a clusterrole.yaml file to create a ClusterRole that grants the minimum set of permissions that users need to access the parts of the MKE UI that rely on Kubernetes RBAC. The ClusterRole you create will provide read-only visibility into cluster nodes and expose Prometheus metrics through the Kubernetes service proxy.

    Example clusterrole.yaml file, with comments: 

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mke-viewer-role
rules:

# Allow Prometheus queries (non-resource).
- nonResourceURLs:
    - "/prometheus/*"
  verbs: ["get"]

# Allow nodes visibility.
- apiGroups: [""]
  resources:
    - nodes
    - nodes/status
  verbs: ["get", "list", "watch"]

# Allow access to service proxy (required for Prometheus service)
- apiGroups: [""]
  resources:
    - services/proxy
    - services
  verbs: ["get", "list", "watch"]

    Info

    The ClusterRole is intentionally read-only by intention, and it does not grant any workload creation or modification capabilities.

  2. Apply the clusterrole.yaml file to create the ClusterRole:

    kubectl apply -f clusterrole.yaml

  3. Develop a clusterrolebinding.yaml file that attaches the mke-viewer-role ClusterRole to the authenticated users.

    Example clusterrolebinding.yaml file:

    kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mke-viewer
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:authenticated
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mke-viewer-role

  4. Apply the clusterrolebinding.yaml file to create the ClusterRoleBinding:

    kubectl apply -f clusterrolebinding.yaml