Exposing Kubernetes Dashboard with Istio Ingress

kubernetes-dashboard is the first app that I install on a Kubernetes cluster and use on my clusters all the time.

On a cluster with Istio Service Mesh, we can expose services using Istio Ingress Gateway.

Using the following Gateway and VirtualService definitions you can expose your dashboard on Istio Ingress Gateway.

---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: dashboard-gateway
  namespace: kubernetes-dashboard
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
    hosts:
    - dashboard.example.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  hosts:
  - dashboard.example.com
  gateways:
  - dashboard-gateway
  http:
  tls:
  - match:
    - port: 443
      sniHosts:
      - dashboard.example.com
    route:
    - destination:
        host: kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
        port:
          number: 443

This definitions will expose your dashboard from the Istio ingress host and port using the dashboard.example.com DNS. You can use Istio documentation for determining IP and port for the ingress gateway.

I found a similar article about exposing dashboard using Istio ingress that works to some point but it required editing kubernetes-dashboard and making it insecure to access and use.

This basic method doesn’t require any modification on the kubernetes-dashboard installation, since it uses TLS passthrough. However, because of the TLS passthrough certificate errors are seen on browsers.

Test

Test the ingress with the following curl command.

curl -k -v --resolve "dashboard.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST" "https://dashboard.example.com:$SECURE_INGRESS_PORT"

References