K3s, the super-lightweight Kubernetes distribution, packs a surprising punch, and its built-in dashboard is a prime example of how much utility you can cram into a small package.
Here’s a look at the K3s dashboard in action. Imagine you’ve just spun up a K3s cluster on a Raspberry Pi or a tiny VPS. You’ve got your kubectl configured, but you want a visual way to see what’s going on without diving into YAML.
# On your K3s server node
curl -sfL https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml -o kubernetes-dashboard.yaml
kubectl apply -f kubernetes-dashboard.yaml
This downloads the official Kubernetes Dashboard manifest and applies it to your K3s cluster. K3s, being K3s, will likely handle this with minimal fuss.
Now, to access it, you need a way to bypass the usual Kubernetes Ingress setup, especially on a single-node K3s instance. K3s often uses a service of type LoadBalancer or NodePort for its ingress controller. Let’s assume you’re using the default K3s ingress and want to expose the dashboard.
First, you’ll need to create a ClusterIP service for the dashboard and then an Ingress resource to route traffic to it.
# dashboard-ingress.yaml
apiVersion: v1
kind: Service
metadata:
name: kubernetes-dashboard-svc
namespace: kubernetes-dashboard
spec:
selector:
k8s-app: kubernetes-dashboard
ports:
- protocol: TCP
port: 443
targetPort: 8443 # The dashboard pod listens on 8443
type: ClusterIP # We'll use Ingress to expose it
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: kubernetes-dashboard-ingress
namespace: kubernetes-dashboard
annotations:
# K3s ingress controller specific annotations
# If you're using Traefik (default in K3s):
traefik.ingress.kubernetes.io/router.entrypoints: websecure # Use HTTPS
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
tls:
- secretName: k3s-dashboard-tls # You'll need to create this
hosts:
- dashboard.k3s.local # Or your chosen hostname
rules:
- host: dashboard.k3s.local
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kubernetes-dashboard-svc
port:
number: 443
Apply this:
kubectl apply -f dashboard-ingress.yaml
You’ll need to create a TLS secret for k3s-dashboard-tls. For local testing, you can generate a self-signed certificate:
# Create a self-signed certificate and key
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=dashboard.k3s.local"
# Create the Kubernetes secret
kubectl create secret tls k3s-dashboard-tls \
--cert tls.crt \
--key tls.key \
--namespace kubernetes-dashboard
Now, you’ll need to edit your /etc/hosts file on your local machine to point dashboard.k3s.local to your K3s server’s IP address.
YOUR_K3S_SERVER_IP dashboard.k3s.local
Access https://dashboard.k3s.local in your browser. You’ll likely get a certificate warning because it’s self-signed. Proceed, and you’ll see the K3s dashboard login.
The dashboard provides a real-time overview of your cluster’s state: pods, deployments, nodes, services, and more. You can click into any resource to see its details, logs, and events. It’s a powerful tool for understanding resource utilization, troubleshooting pod issues, and getting a general feel for your cluster’s health, all without touching a command line.
The mental model here is that the Kubernetes Dashboard is just another application deployed into your cluster. K3s, with its integrated ingress controller (usually Traefik), acts as the gateway. You define how external traffic reaches this internal service using an Ingress resource. The crucial part is mapping the dashboard’s internal service (which has a ClusterIP) to an external-facing endpoint via the Ingress, and securing it with TLS.
The most surprising thing about the K3s dashboard is how easily it integrates into its lightweight ecosystem. Many lightweight Kubernetes solutions omit a dashboard by default to keep the footprint minimal. K3s, however, includes it as a standard component, accessible with a few straightforward steps, demonstrating its "batteries included" philosophy. It doesn’t just run Kubernetes; it provides the essential tools to manage it effectively out-of-the-box.
When troubleshooting access, remember that the dashboard pod itself listens on port 8443. Your Service definition needs to correctly map the service port (e.g., 443) to this targetPort. If your Ingress uses a different entrypoint or TLS configuration, ensure those annotations are correct for your specific K3s ingress setup. The default K3s ingress controller is Traefik, so annotations starting with traefik.ingress.kubernetes.io/ are common.
The next concept you’ll likely explore is custom resource definitions (CRDs) and how they are visualized within the dashboard, or perhaps how to set up more granular RBAC for dashboard users.