Remove Kubernetes Dashboard support (#12858)

docs/ansible/ansible.md

@@ -78,7 +78,6 @@ The following tags are defined in playbooks:
 | crio                           | Configuring crio container engine for hosts           |
 | crun                           | Configuring crun runtime                              |
 | csi-driver                     | Configuring csi driver                                |
-| dashboard                      | Installing and configuring the Kubernetes Dashboard   |
 | dns                            | Remove dns entries when resetting                     |
 | docker                         | Configuring docker engine runtime for hosts           |
 | download                       | Fetching container images to a delegate host          |

docs/getting_started/getting-started.md

@@ -83,32 +83,6 @@ authentication. One can get a kubeconfig from kube_control_plane hosts
 For more information on kubeconfig and accessing a Kubernetes cluster, refer to
 the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/).
 
-## Accessing Kubernetes Dashboard
-
-Supported version is kubernetes-dashboard v2.0.x :
-
-- Login option : token/kubeconfig by default
-- Deployed by default in "kube-system" namespace, can be overridden with `dashboard_namespace: kubernetes-dashboard` in inventory,
-- Only serves over https
-
-Access is described in [dashboard docs](https://github.com/kubernetes/dashboard/tree/master/docs/user/accessing-dashboard). With kubespray's default deployment in kube-system namespace, instead of kubernetes-dashboard :
-
-- Proxy URL is <http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#/login>
-- kubectl commands must be run with "-n kube-system"
-
-Accessing through Ingress is highly recommended. For proxy access, please note that proxy must listen to [localhost](https://github.com/kubernetes/dashboard/issues/692#issuecomment-220492484) (`proxy  --address="x.x.x.x"` will not work)
-
-For token authentication, guide to create Service Account is provided in [dashboard sample user](https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md) doc. Still take care of default namespace.
-
-Access can also by achieved via ssh tunnel on a control plane :
-
-```bash
-# localhost:8081 will be sent to control-plane-1's own localhost:8081
-ssh -L8001:localhost:8001 user@control-plane-1
-sudo -i
-kubectl proxy
-```
-
 ## Accessing Kubernetes API
 
 The main client of Kubernetes is `kubectl`. It is installed on each kube_control_plane

inventory/sample/group_vars/k8s_cluster/addons.yml

@@ -1,8 +1,4 @@
 ---
-# Kubernetes dashboard
-# RBAC required. see docs/getting-started.md for access details.
-# dashboard_enabled: false
-
 # Helm deployment
 helm_enabled: false
 

roles/kubernetes-apps/ansible/defaults/main.yml

@@ -119,29 +119,5 @@ netchecker_agent_log_level: 5
 netchecker_server_log_level: 5
 netchecker_etcd_log_level: info
 
-# Dashboard
-dashboard_replicas: 1
-
-# Namespace for dashboard
-dashboard_namespace: kube-system
-
-# Limits for dashboard
-dashboard_cpu_limit: 100m
-dashboard_memory_limit: 256M
-dashboard_cpu_requests: 50m
-dashboard_memory_requests: 64M
-
-# Set dashboard_use_custom_certs to true if overriding dashboard_certs_secret_name with a secret that
-# contains dashboard_tls_key_file and dashboard_tls_cert_file instead of using the initContainer provisioned certs
-dashboard_use_custom_certs: false
-dashboard_certs_secret_name: kubernetes-dashboard-certs
-dashboard_tls_key_file: dashboard.key
-dashboard_tls_cert_file: dashboard.crt
-dashboard_master_toleration: true
-
-# Override dashboard default settings
-dashboard_token_ttl: 900
-dashboard_skip_login: false
-
 # Policy Controllers
 # policy_controller_extra_tolerations: [{effect: NoSchedule, operator: "Exists"}]

roles/kubernetes-apps/ansible/tasks/main.yml

@@ -109,15 +109,3 @@
     - netchecker-server-clusterrolebinding.yml.j2
     - netchecker-server-deployment.yml.j2
     - netchecker-server-svc.yml.j2
-
-- name: Kubernetes Apps | Dashboard
-  command:
-    cmd: "{{ kubectl_apply_stdin }}"
-    stdin: "{{ lookup('template', 'dashboard.yml.j2') }}"
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  run_once: true
-  vars:
-    k8s_namespace: "{{ dashboard_namespace }}"
-  when: dashboard_enabled
-  tags:
-    - dashboard

roles/kubernetes-apps/ansible/templates/dashboard.yml.j2

@@ -1,323 +0,0 @@
-# Copyright 2017 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Configuration to deploy release version of the Dashboard UI compatible with
-# Kubernetes 1.8.
-#
-# Example usage: kubectl create -f <this_file>
-
-{% if k8s_namespace != 'kube-system' %}
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: {{ k8s_namespace }}
-  labels:
-    name: {{ k8s_namespace }}
-{% endif %}
----
-# ------------------- Dashboard Secrets ------------------- #
-apiVersion: v1
-kind: Secret
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard-certs
-type: Opaque
-
----
-apiVersion: v1
-kind: Secret
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard-csrf
-type: Opaque
-data:
-  csrf: ""
-
----
-apiVersion: v1
-kind: Secret
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard-key-holder
-type: Opaque
-
----
-# ------------------- Dashboard ConfigMap ------------------- #
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard-settings
-
----
-# ------------------- Dashboard Service Account ------------------- #
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-
----
-# ------------------- Dashboard Role & Role Binding ------------------- #
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-rules:
-  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
-  - apiGroups: [""]
-    resources: ["secrets"]
-    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
-    verbs: ["get", "update", "delete"]
-    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    resourceNames: ["kubernetes-dashboard-settings"]
-    verbs: ["get", "update"]
-    # Allow Dashboard to get metrics.
-  - apiGroups: [""]
-    resources: ["services"]
-    resourceNames: ["heapster", "dashboard-metrics-scraper"]
-    verbs: ["proxy"]
-  - apiGroups: [""]
-    resources: ["services/proxy"]
-    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
-    verbs: ["get"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: kubernetes-dashboard
-subjects:
-  - kind: ServiceAccount
-    name: kubernetes-dashboard
-    namespace: {{ k8s_namespace }}
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: kubernetes-dashboard
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kubernetes-dashboard
-subjects:
-  - kind: ServiceAccount
-    name: kubernetes-dashboard
-    namespace: {{ k8s_namespace }}
-
----
-# ------------------- Dashboard Deployment ------------------- #
-
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-spec:
-  replicas: {{ dashboard_replicas }}
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      k8s-app: kubernetes-dashboard
-  template:
-    metadata:
-      labels:
-        k8s-app: kubernetes-dashboard
-    spec:
-      securityContext:
-        seccompProfile:
-          type: RuntimeDefault
-      priorityClassName: system-cluster-critical
-      containers:
-        - name: kubernetes-dashboard
-          image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }}
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          resources:
-            limits:
-              cpu: {{ dashboard_cpu_limit }}
-              memory: {{ dashboard_memory_limit }}
-            requests:
-              cpu: {{ dashboard_cpu_requests }}
-              memory: {{ dashboard_memory_requests }}
-          ports:
-            - containerPort: 8443
-              protocol: TCP
-          args:
-            - --namespace={{ k8s_namespace }}
-{% if dashboard_use_custom_certs %}
-            - --tls-key-file={{ dashboard_tls_key_file }}
-            - --tls-cert-file={{ dashboard_tls_cert_file }}
-{% else %}
-            - --auto-generate-certificates
-{% endif %}
-{% if dashboard_skip_login %}
-            - --enable-skip-login
-{% endif %}
-            - --authentication-mode=token
-            # Uncomment the following line to manually specify Kubernetes API server Host
-            # If not specified, Dashboard will attempt to auto discover the API server and connect
-            # to it. Uncomment only if the default does not work.
-            # - --apiserver-host=http://my-address:port
-            - --token-ttl={{ dashboard_token_ttl }}
-          volumeMounts:
-            - name: kubernetes-dashboard-certs
-              mountPath: /certs
-              # Create on-disk volume to store exec logs
-            - mountPath: /tmp
-              name: tmp-volume
-          livenessProbe:
-            httpGet:
-              scheme: HTTPS
-              path: /
-              port: 8443
-            initialDelaySeconds: 30
-            timeoutSeconds: 30
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            runAsUser: 1001
-            runAsGroup: 2001
-      volumes:
-        - name: kubernetes-dashboard-certs
-          secret:
-            secretName: {{ dashboard_certs_secret_name }}
-        - name: tmp-volume
-          emptyDir: {}
-      serviceAccountName: kubernetes-dashboard
-{% if dashboard_master_toleration %}
-      tolerations:
-        - key: node-role.kubernetes.io/control-plane
-          effect: NoSchedule
-{% endif %}
-
----
-# ------------------- Dashboard Service ------------------- #
-
-kind: Service
-apiVersion: v1
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-spec:
-  ports:
-    - port: 443
-      targetPort: 8443
-  selector:
-    k8s-app: kubernetes-dashboard
-
----
-# ------------------- Metrics Scraper Service Account ------------------- #
-
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-rules:
-  # Allow Metrics Scraper to get metrics from the Metrics server
-  - apiGroups: ["metrics.k8s.io"]
-    resources: ["pods", "nodes"]
-    verbs: ["get", "list", "watch"]
-
----
-
-# ------------------- Metrics Scraper Service  ------------------- #
-kind: Service
-apiVersion: v1
-metadata:
-  labels:
-    k8s-app: kubernetes-metrics-scraper
-  name: dashboard-metrics-scraper
-spec:
-  ports:
-    - port: 8000
-      targetPort: 8000
-  selector:
-    k8s-app: kubernetes-metrics-scraper
-
----
-
-# ------------------- Metrics Scraper Deployment  ------------------- #
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  labels:
-    k8s-app: kubernetes-metrics-scraper
-  name: kubernetes-metrics-scraper
-spec:
-  replicas: 1
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      k8s-app: kubernetes-metrics-scraper
-  template:
-    metadata:
-      labels:
-        k8s-app: kubernetes-metrics-scraper
-    spec:
-      securityContext:
-        seccompProfile:
-          type: RuntimeDefault
-      priorityClassName: system-cluster-critical
-      containers:
-        - name: kubernetes-metrics-scraper
-          image: {{ dashboard_metrics_scraper_repo }}:{{ dashboard_metrics_scraper_tag }}
-          ports:
-            - containerPort: 8000
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              scheme: HTTP
-              path: /
-              port: 8000
-            initialDelaySeconds: 30
-            timeoutSeconds: 30
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            runAsUser: 1001
-            runAsGroup: 2001
-          volumeMounts:
-          - mountPath: /tmp
-            name: tmp-volume
-      serviceAccountName: kubernetes-dashboard
-      volumes:
-      - name: tmp-volume
-        emptyDir: {}
-{% if dashboard_master_toleration %}
-      tolerations:
-        - key: node-role.kubernetes.io/control-plane
-          effect: NoSchedule
-{% endif %}

roles/kubespray_defaults/defaults/main/download.yml

@@ -376,11 +376,6 @@ gcp_pd_csi_attacher_image_tag: "v2.1.1-gke.0"
 gcp_pd_csi_resizer_image_tag: "v0.4.0-gke.0"
 gcp_pd_csi_registrar_image_tag: "v1.2.0-gke.0"
 
-dashboard_image_repo: "{{ docker_image_repo }}/kubernetesui/dashboard"
-dashboard_image_tag: "v2.7.0"
-dashboard_metrics_scraper_repo: "{{ docker_image_repo }}/kubernetesui/metrics-scraper"
-dashboard_metrics_scraper_tag: "v1.0.8"
-
 metallb_speaker_image_repo: "{{ quay_image_repo }}/metallb/speaker"
 metallb_controller_image_repo: "{{ quay_image_repo }}/metallb/controller"
 metallb_version: 0.13.9
@@ -1074,24 +1069,6 @@ downloads:
     groups:
       - kube_node
 
-  dashboard:
-    enabled: "{{ dashboard_enabled }}"
-    container: true
-    repo: "{{ dashboard_image_repo }}"
-    tag: "{{ dashboard_image_tag }}"
-    checksum: "{{ dashboard_digest_checksum | default(None) }}"
-    groups:
-      - kube_control_plane
-
-  dashboard_metrics_scrapper:
-    enabled: "{{ dashboard_enabled }}"
-    container: true
-    repo: "{{ dashboard_metrics_scraper_repo }}"
-    tag: "{{ dashboard_metrics_scraper_tag }}"
-    checksum: "{{ dashboard_digest_checksum | default(None) }}"
-    groups:
-      - kube_control_plane
-
   metallb_speaker:
     enabled: "{{ metallb_speaker_enabled }}"
     container: true

roles/kubespray_defaults/defaults/main/main.yml

@@ -436,10 +436,6 @@ credentials_dir: "{{ inventory_dir }}/credentials"
 # K8s image pull policy (imagePullPolicy)
 k8s_image_pull_policy: IfNotPresent
 
-# Kubernetes dashboard
-# RBAC required. see docs/getting-started.md for access details.
-dashboard_enabled: false
-
 # Addons which can be enabled
 helm_enabled: false
 registry_enabled: false

roles/validate_inventory/tasks/main.yml

@@ -76,13 +76,6 @@
     - kube_network_plugin not in ['calico', 'none']
     - ipv4_stack | bool
 
-- name: Stop if RBAC is not enabled when dashboard is enabled
-  assert:
-    that: rbac_enabled
-  when:
-    - dashboard_enabled
-    - not ignore_assert_errors
-
 - name: Check cloud_provider value
   assert:
     that: cloud_provider == 'external'

tests/files/almalinux9-calico.yml

@@ -5,8 +5,6 @@ vm_memory: 3072
 
 # Kubespray settings
 metrics_server_enabled: true
-dashboard_namespace: "kube-dashboard"
-dashboard_enabled: true
 loadbalancer_apiserver_type: haproxy
 local_path_provisioner_enabled: true
 

tests/files/flatcar4081-calico.yml

@@ -6,6 +6,4 @@ vm_memory: 3072
 
 # Kubespray settings
 metrics_server_enabled: true
-dashboard_namespace: "kube-dashboard"
-dashboard_enabled: true
 loadbalancer_apiserver_type: haproxy

tests/files/rockylinux10-calico.yml

@@ -5,6 +5,4 @@ vm_memory: 3072
 
 # Kubespray settings
 metrics_server_enabled: true
-dashboard_namespace: "kube-dashboard"
-dashboard_enabled: true
 loadbalancer_apiserver_type: haproxy

tests/files/rockylinux9-calico.yml

@@ -5,6 +5,4 @@ vm_memory: 3072
 
 # Kubespray settings
 metrics_server_enabled: true
-dashboard_namespace: "kube-dashboard"
-dashboard_enabled: true
 loadbalancer_apiserver_type: haproxy