Kubernetes Dashboard "is forbidden" all over the site

1/25/2018

I get "is forbidden" all over the dashboard site in Kubernetes (see image).

To reproduce:

  1. Create a Google Kubernetes Cluster via the site, not from shell.

  2. Select Kubernetes version 1.8.6

  3. Open shell via the connect button: gcloud container clusters get-credentials cluster-1 --zone us-central1-a --project awear-cloud

  4. kubectl proxy

  5. echo http://127.0.0.1:8001/ui

  6. Click the link from echo

Note: also tried: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

Do you know why?

-- Chris G.
google-kubernetes-engine
kubernetes

2 Answers

1/25/2018

It looks like your cluster is RBAC enabled and the dashboard is missing a service account defined in the dashboard pod(s). You should be able to easily mitigate this issue by adding this SA and its Roles/Bindings. Why it is not created in the first place is a mystery to me, unless you maybe specified something like, i.e., legacy auth.

-- Radek 'Goblin' Pieczonka
Source: StackOverflow

7/19/2019

1 - Create a file sa.yaml and paste the contents below into it.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system

2 - Apply it - kubectl apply -f sa.yaml

3 - Create a file rbac.yaml and paste the contents below into it.

# Binds the admin-user ServiceAccount to the built-in cluster-admin ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system

4 - Apply it - kubectl apply -f rbac.yaml

5 - Now, log in to your dashboard.

Let me know if this works.

-- Tushar Sonawane
Source: StackOverflow
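
An added example, not part of either answer: instead of binding cluster-admin, the "is forbidden" messages themselves can be turned into the minimal RBAC rule set the denied subject needs. The denial wording is assumed to follow the 1.8-era API server format; the sample lines, the `kubernetes-dashboard` service account name and the role name `dashboard-observed` are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed denial format (1.8-era API server); adjust the regex for other versions.
DENIAL = re.compile(
    r'(?P<res>[\w.-]+) is forbidden: User "(?P<user>[^"]+)" '
    r'cannot (?P<verb>\w+) [\w.-]+ '
    r'(?:in the namespace "(?P<ns>[^"]*)"|at the cluster scope)')

# Constructed sample input, not taken from the question's screenshot.
SAMPLE = [
    'configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list configmaps in the namespace "default"',
    'deployments.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list deployments.apps in the namespace "default"',
    'nodes is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list nodes at the cluster scope',
    'configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot get configmaps in the namespace "default"',
    'unrelated log line',
]

def rules_from_denials(lines):
    """Return {user: [rule, ...]} covering exactly the denied verb/resource pairs."""
    seen = defaultdict(lambda: defaultdict(set))  # user -> (group, resource) -> verbs
    for line in lines:
        m = DENIAL.search(line)
        if not m:
            continue  # ignore anything that is not an RBAC denial
        resource, _, group = m["res"].partition(".")  # "deployments.apps" -> group "apps"
        seen[m["user"]][(group, resource)].add(m["verb"])
    return {
        user: [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
               for (g, r), v in sorted(grants.items())]
        for user, grants in seen.items()
    }

def render_cluster_role(name, rules):
    """Render the rules as a ClusterRole manifest (plain string, no YAML library)."""
    out = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: ClusterRole",
           "metadata:", f"  name: {name}", "rules:"]
    for rule in rules:
        out.append(f'- apiGroups: ["{rule["apiGroups"][0]}"]')
        out.append(f'  resources: ["{rule["resources"][0]}"]')
        out.append("  verbs: [" + ", ".join(f'"{v}"' for v in rule["verbs"]) + "]")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for user, rules in rules_from_denials(SAMPLE).items():
        print(f"# denied subject: {user}")
        print(render_cluster_role("dashboard-observed", rules))
```

The generated role contains only read verbs that were actually denied, so the resulting binding can be reviewed rule by rule before it is applied.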