Expose createDashboard

[kennyjwilli]

It would be useful to have the createDashboard (link) function exposed in the public API. Specifically, if you follow this example, there is no way to create the dashboard. This is because if you set deployDashboard: true with skipDefaultNodeGroup: true, there will be no Node groups for the dashboard to be deployed to. Exposing the createDashboard function would solve this.

[metral]

Dupe of pulumi/pulumi-kubernetes#578:

Repro from linked issue:

The below code will fail to deploy with the follow error.

const cluster = new eks.Cluster(`k8s-cluster`, {
    vpcId: vpc.id,
    subnetIds: vpc.publicSubnetIds,
    deployDashboard: false
});
const k8sProvider = cluster.provider;

const k8sDashboardChart = new k8s.helm.v2.Chart("kubernetes-dashboard", {
    repo: "stable",
    chart: "kubernetes-dashboard",
    version: "1.5.2",
    namespace: "kube-system"
}, {providers: {kubernetes: k8sProvider}});

error:

  kubernetes:core:Service (kubernetes-dashboard):
    error: Plan apply failed: 2 errors occurred:
    	* Timeout occurred for 'kubernetes-dashboard'
    	* Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

[metral]

Per this thread, we're considering deprecating the ability to create a k8s dashboard all-together from the Cluster class given:

• its known lack of support in the community,
• proneness to security issues,
• and the dashboard's dependency on heapster - which has been deprecated and is not being updated to the metrics server.

If you wish to install the dashboard, the Helm chart is probably your best bet. That said, your error above does not provide much insight into the root cause as to why it is not deploying, only that the Service object can't find any Pods - and this could be for any set of reasons. If you have any more info to provide to diagnose the issue, that would help.

Thanks

[kennyjwilli]

The dashboard has been quite helpful in getting an immediate, visual overview of my cluster. It's unfortunate to hear the community is not supporting it. Is there an alternative people are using?

I have tried deploying the dashboard via a helm chart but that does not work (see pulumi/pulumi-kubernetes#578).

[metral]

Is there an alternative people are using?

Unfortunately, no - kube-dashboard was created for this purpose, but it just hasn't gotten the continued community support it needs to keep up with the changes in k8s.

I have tried deploying the dashboard via a helm chart but that does not work

I'll try to repro this on my end, but the issue in deploying the Helm chart is independent of the EKS cluster not having it deployed (we simply just don't deploy it for you when its false). The error states that the Service is not finding Pods, but this could be something wrong in the helm chart or some other related issue. Do you have any additional details that would help diagnose this?

[kennyjwilli]

Do you have a link mentioning that the kube-dashboard is not getting support? The dashboard repo has lots of recent commits. Further, looks like the issue you linked "not being updated" has been closed because a PR to support metrics-server has been merged. IMO, this does not imply the project is deprecated. Perhaps I am missing some key information?

Here is the full Pulumi index.ts file I used: https://gist.github.com/kennyjwilli/662ae731bd6cb102d1ca6310a36f93f6. Running pulumi up results in:

Diagnostics:
  pulumi:pulumi:Stack (k8s-dash-helm-test1):
    error: unable to recognize "/tmp/tmp-156309EqJJwsTsn3F.tmp": Get https://974060F7C491C20DF0FE9B01FE8F1825.yl4.us-west-2.eks.amazonaws.com/api?timeout=32s: dial tcp 52.43.93.62:443: i/o timeout
 
    error: update failed
 
  pulumi-nodejs:dynamic:Resource (k8s-cluster-vpc-cni):
    error: Plan apply failed: Command failed: kubectl apply -f /tmp/tmp-156309EqJJwsTsn3F.tmp
    error: unable to recognize "/tmp/tmp-156309EqJJwsTsn3F.tmp": Get https://974060F7C491C20DF0FE9B01FE8F1825.yl4.us-west-2.eks.amazonaws.com/api?timeout=32s: dial tcp 52.43.93.62:443: i/o timeout
 
  kubernetes:extensions:Deployment (kubernetes-dashboard):
    error: Plan apply failed: 2 errors occurred:
    	* Timeout occurred for 'kubernetes-dashboard'
    	* Minimum number of Pods to consider the application live was not attained
 
  kubernetes:core:Service (kubernetes-dashboard):
    error: Plan apply failed: 2 errors occurred:
    	* Timeout occurred for 'kubernetes-dashboard'
    	* Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

[metral]

Ah, I had not seen kubernetes/dashboard#3504 make it in, thanks for the link - it seems like things here are still relatively new & untested.

Thank you for the full repro, i'll check it out.

Perhaps I am missing some key information?

Don't get me wrong, the dashboard certainly has value. The context here is more around:

• the general support over the years for the dashboard has always trailed compared to the rest of the k8s projects, especially after Google stopped contributing to it and deprecated it on its own clusters in favor of their UI. it is mostly community driven at this point.
• it being an add-on that doesn't get widely deployed or used in prod due to folks either relying on provider dashboards if they exist (e.g. GKE has their own, but EKS has not contributed here),
• not needing the dashboard in prod clusters since CI/CD is what ultimately communicates w/ these clusters
• the default mode of operation primarily being kubectl for devs & ops, or client-go for more programmatic usage (this is what pulumi/kubernetes is built on)
• or more often, its misconfigurations opening wide security holes: [1] & [2]

That said, I recognize that some of this or none of it applies to all users, and that some will still want to use the dashboard. For those users, the helm chart is the recommended path here since we are considering deprecating it from the native pulumi/eks package. I'll check out your repro and see what we can make of it 👍.

[lblackstone]

I was able to deploy the dashboard chart successfully by unsetting the namespace argument. pulumi/pulumi-kubernetes#578 (comment)

[kennyjwilli]

@metral If the Helm Chart is going to be the recommended way to deploy the k8s dashboard, I suggest including an example of deploying the chart in a secure way. Further, ensuring the example will work. I have tried deploying the dashboard from a helm chart and a fresh stack and still can't get it to work pulumi/pulumi-kubernetes#578 (comment).

In general, deploying dashboard as a helm chart makes more sense given it is provider agnostic.

[metral]

@kennyjwilli I've gone ahead and opened pulumi/pulumi-kubernetes#600 to track how to deploy the kube-dashboard Helm chart.

I also commented here, to point out that you were missing a role in your Cluster that could be causing you to not have nodes available, and furthermore, not install the helm chart per the error messages of no available nodes being returned. Check it out and let us know where you land.

[metral]

Closing this out as we've split work items into 2 new issues:

• Include an example of deploying the kube-dashboard Helm chart pulumi-kubernetes#600 - to track how to deploy the kube-dashboard helm chart, and
• Adding in a missing role to a cluster, after its already up with a NodeGroup with the associated instanceProfile, does not properly update #174 - to track how to update a cluster that does not have an instanceRole set, but its NodeGroups do have the associated instanceProfile for the role.