K3S: Traefik Dashboard activation

Very new to the Kubernetes world I just installed K3S. All good and running.
As I see, Traefik was already installed. Got my first Ingress rule running.

But for hours I am not able to figure out, what steps need to be done to get the Traefik Dashboard running. Too many different guidelines that might not fit here.

With

kubectl -n kube-system edit configmap traefik

I found the configuration file and after “traefik.toml:” I added “dashboard = true”.

Is this the correct location? What else needs to be done? Do I need to set Ingress rule? Kind of some “steps needed” guide would be great.

Thanks,
Wolfram

I usually edit the Helm chart directly on the master by SSH-ing into it as user rancher:

sudo vi /var/lib/rancher/k3s/server/manifests/traefik.yaml

apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-1.81.0.tgz
  set:
    rbac.enabled: "true"
    ssl.enabled: "true"
    metrics.prometheus.enabled: "true"
    kubernetes.ingressEndpoint.useDefaultPublishedService: "true"
    image: "rancher/library-traefik"
    dashboard.enabled: "true"             # <-- add this line
    dashboard.domain: "traefik.internal"  # <-- and this one with a resolvable DNS name

Helm will pick up the changes automagically and the dashboard will be available under http://traefik.internal/dashboard/.
Keep in mind that after a reboot of the master the file will be restored without the added lines.


Thanks, got it running.

Hello,

Do you know how to keep this change persistent?

Best regards

I did it a different way and did not use the Rancher Traefik manifests at all: a regular Traefik installation into Kubernetes. This will survive a reboot, BUT (in my case) it is only accessible via localhost (SSH tunnel to my local machine). This works well enough for me.
Wolfram

@hbokh editing the traefik.yaml file didn’t work for me. I manually started the k3s server using the “--disable traefik” flag and deployed your yaml above and still no luck. Anything else I could try?

It worked for me. After adding dashboard enabled:true, you can use kubectl apply -f /var/lib/rancher/k3s/server/manifests/traefik.yaml to get the dashboard up n running

Thank you @Kunchala_Vikram it just worked for me without adding the “dashboard.domain” line.

This is what I’ve done to make the change persistent.
Edited/created a config.yaml file under the /var/lib/rancher/k3os/ folder like this:

k3os-13082 [~]$ sudo cat /var/lib/rancher/k3os/config.yaml
k3os:
k3s_args:

  • “server”
  • “–no-deploy=traefik”
    write_files:
  • encoding: “”
    content: |
    apiVersion: helm.cattle.io/v1
    kind: HelmChart
    metadata:
    name: traefik
    namespace: kube-system
    spec:
    chart: https://%{KUBERNETES_API}%/static/charts/traefik-1.81.0.tgz
    set:
    rbac.enabled: “true”
    ssl.enabled: “true”
    metrics.prometheus.enabled: “true”
    kubernetes.ingressEndpoint.useDefaultPublishedService: “true”
    image: “rancher/library-traefik”
    dashboard.enabled: “true”
    dashboard.domain: “YOUR_WANTED_DOMAIN”
    owner: root
    path: /var/lib/rancher/k3s/server/manifests/traefik.yaml
    permissions: ‘0600’

This makes the change consistent after the reboot.

That’s handy! But hardly readable. I’ve put it in between ```yaml <config> ```: :innocent:

k3os:
  k3s_args:
    - server
    - "--no-deploy=traefik"
# write_files is a top-level key in the k3OS config, not a child of k3os
write_files:
  - encoding: ""
    content: |-
      apiVersion: helm.cattle.io/v1
      kind: HelmChart
      metadata:
        name: traefik
        namespace: kube-system
      spec:
        chart: https://%{KUBERNETES_API}%/static/charts/traefik-1.81.0.tgz
        set:
          rbac.enabled: "true"
          ssl.enabled: "true"
          metrics.prometheus.enabled: "true"
          kubernetes.ingressEndpoint.useDefaultPublishedService: "true"
          image: "rancher/library-traefik"
          dashboard.enabled: "true"
          dashboard.domain: "YOUR_WANTED_DOMAIN"
    # owner, path and permissions belong to the same write_files entry as content
    owner: root
    path: /var/lib/rancher/k3s/server/manifests/traefik.yaml
    permissions: '0600'

Help? I’m not sure what path to take here. I don’t see the traefik configmap in use anymore and posted this question to StackOverflow. I want to be able to configure enabling the dashboard outside of the cluster itself, because I am automating the setup, so modifying files in a pod isn’t a solution. I’ve heard reference to k3s configuration manifests under “/var/…rancher/k3s/…” directory, but I’m using k3d and can’t find any such directory.

I updated the SO question with additional details. I don’t want to disable the default traefik installation and install my own, because 1) k3d/k3s already upgraded to Traefik 2 and 2) I don’t want to have to manage “yet another thing”. There has to be a simple way to expose the dashboard…

Hi,

I have a similar issue. I’m using the latest k3s, 1.21.4+.

The file /var/lib/rancher/k3s/server/manifests/traefik.yaml was created by the k3s installer. Here is the content:

apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik-crd
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-crd-9.18.2.tgz
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-9.18.2.tgz
  set:
    global.systemDefaultRegistry: ""
  valuesContent: |-
    rbac:
      enabled: true
    ports:
      websecure:
        tls:
          enabled: true
    podAnnotations:
      prometheus.io/port: "8082"
      prometheus.io/scrape: "true"
    providers:
      kubernetesIngress:
        publishedService:
          enabled: true
    priorityClassName: "system-cluster-critical"
    image:
      name: "rancher/library-traefik"
    tolerations:
    - key: "CriticalAddonsOnly"
      operator: "Exists"
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Exists"
      effect: "NoSchedule"
    - key: "node-role.kubernetes.io/master"
      operator: "Exists"
      effect: "NoSchedule"

The command kubectl describe pod traefik-97b124b394-rr7mm -n kube-system prints:

Name:                 traefik-97b44b794-rr7mm
Namespace:            kube-system
Priority:             2000000000
Priority Class Name:  system-cluster-critical
Node:                 ip-172-31-39-13.us-east-2.compute.internal/172.31.39.13
Start Time:           Wed, 01 Sep 2021 12:17:14 +0000
Labels:               app.kubernetes.io/instance=traefik
                      app.kubernetes.io/managed-by=Helm
                      app.kubernetes.io/name=traefik
                      helm.sh/chart=traefik-9.18.2
                      pod-template-hash=97b44b794
Annotations:          <none>
Status:               Running
IP:                   10.42.0.12
IPs:
  IP:           10.42.0.12
Controlled By:  ReplicaSet/traefik-97b44b794
Containers:
  traefik:
    Container ID:  containerd://b57c730cce4fff965c50bd2a5d822c09fd2a91d211a33acf410f59f326595190
    Image:         rancher/library-traefik:2.4.8
    Image ID:      docker.io/rancher/library-traefik@sha256:343de3610780fc88b04eeb2145cbf8189e8f6278c2061de4a1e10de31711c252
    Ports:         9000/TCP, 8000/TCP, 8443/TCP
    Host Ports:    0/TCP, 0/TCP, 0/TCP
    Args:
      --global.checknewversion
      --global.sendanonymoususage
      --entryPoints.traefik.address=:9000/tcp
      --entryPoints.web.address=:8000/tcp
      --entryPoints.websecure.address=:8443/tcp
      --api.dashboard=true
      --ping=true
      --providers.kubernetescrd
      --providers.kubernetesingress
      --providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik
      --entrypoints.websecure.http.tls=true
    State:          Running
      Started:      Wed, 01 Sep 2021 12:17:19 +0000
    Ready:          True
    Restart Count:  0
    Liveness:       http-get http://:9000/ping delay=10s timeout=2s period=10s #success=1 #failure=3
    Readiness:      http-get http://:9000/ping delay=10s timeout=2s period=10s #success=1 #failure=1
    Environment:    <none>
    Mounts:
      /data from data (rw)
      /tmp from tmp (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-4zsj2 (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             True 
  ContainersReady   True 
  PodScheduled      True 
Volumes:
  data:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
  tmp:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
  kube-api-access-4zsj2:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 CriticalAddonsOnly op=Exists
                             node-role.kubernetes.io/control-plane:NoSchedule op=Exists
                             node-role.kubernetes.io/master:NoSchedule op=Exists
                             node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:                      <none>

The line --api.dashboard=true means the dashboard should have been enabled, but I couldn’t see any pod named traefik-dashboard.

Any suggestion is welcomed.


I found a solution and hopefully someone finds a better one soon.

  1. You need to control your k3s cluster from your PC rather than SSH into the master node, so add /etc/rancher/k3s/k3s.yaml to your local ~/.kube/config (in order to port-forward to your PC in the last step).
  2. Now get your pod name as follows:

kubectl get pod -n kube-system

and search for traefik-something-somethingElse; mine was traefik-97b44b794-bsvjn

  3. Now this part is needed from your local PC:

kubectl port-forward traefik-97b44b794-bsvjn -n kube-system 9000:9000

  4. Open http://localhost:9000/dashboard/ in your favorite browser, and don’t forget the second slash.
  5. Enjoy the dashboard.

Please note you have to enable the dashboard first in /var/lib/rancher/k3s/server/manifests/traefik.yaml by adding

dashboard:
  enabled: true

Alternatively, you can also add the following to the traefik.yaml file referenced above:

valuesContent: |-
  dashboard:
    enabled: true
  ports:
    traefik:
      expose: true

Be warned, there’s a note in the traefik helm chart that suggests not exposing the dashboard in a production environment. For my personal lab this works fine. Reference: traefik-helm-chart/values.yaml at v9.18.2 · traefik/traefik-helm-chart · GitHub

Maybe things have changed, running:

$ k3s --version
k3s version v1.23.3+k3s1 (5fb370e5)
go version go1.17.5

When I describe the Traefik pod, it shows the API is enabled and which entrypoints it’s listening on:

    Args:
      --global.checknewversion
      --global.sendanonymoususage
      --entryPoints.metrics.address=:9100/tcp
      --entryPoints.traefik.address=:9000/tcp
      --entryPoints.web.address=:8000/tcp
      --entryPoints.websecure.address=:8443/tcp
      --api.dashboard=true
      --ping=true
      --metrics.prometheus=true
      --metrics.prometheus.entrypoint=metrics
      --providers.kubernetescrd
      --providers.kubernetesingress
      --providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik
      --entrypoints.websecure.http.tls=true

Since Traefik is an ingress router, all I did was create an Ingress rule to access the dashboard in namespace “kube-system”. I used entrypoint websecure since I already have LetsEncrypt working; you can change it to just web.

$ cat traefik_ingress.yaml 
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard-ingressroute
  namespace: kube-system
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`PUT_your_domain_name_HERE`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService

Apply the yaml file:

$ kubectl apply -f traefik_ingress.yaml 
ingressroute.traefik.containo.us/dashboard-ingressroute created

And then point my web browser to https://mydomain/dashboard and the dashboard comes right up.
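
The IngressRoute in the post above publishes api@internal to anyone who can reach the host name, which is the exposure the Helm chart note quoted earlier in the thread warns about. The variant below is an added example, not code from any poster or from the Traefik project: it puts a source-IP allowlist and HTTP basic authentication in front of the same route, using the Traefik 2 Middleware CRD. The resource names, the htpasswd hash and the CIDR are placeholders.

```yaml
# Added example. dashboard-users, dashboard-auth and dashboard-allowlist are
# placeholder names; the hash and the CIDR are placeholders to replace.
---
apiVersion: v1
kind: Secret
metadata:
  name: dashboard-users
  namespace: kube-system
type: Opaque
stringData:
  # One htpasswd line per user, e.g. from: htpasswd -nB admin
  users: |
    admin:REPLACE_WITH_HTPASSWD_BCRYPT_HASH
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
  namespace: kube-system
spec:
  basicAuth:
    secret: dashboard-users        # Secret above, key "users"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-allowlist
  namespace: kube-system
spec:
  ipWhiteList:
    sourceRange:
      - 192.0.2.0/24               # placeholder admin network
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard-ingressroute
  namespace: kube-system
spec:
  entryPoints:
    - websecure                    # keep TLS so the credentials are not sent in clear
  routes:
    - match: Host(`PUT_your_domain_name_HERE`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      middlewares:
        - name: dashboard-allowlist
        - name: dashboard-auth
      services:
        - name: api@internal
          kind: TraefikService
```

The allowlist matches the source address Traefik itself sees, which behind a load balancer or NAT may not be the client's address, so check the access log before relying on it. Keeping the route on websecure matters because basic authentication sends the password on every request.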
