services is forbidden: User "system:anonymous" cannot list services in the namespace "kube-system"

8/24/2018

I have created a fresh Kubernetes cluster on VirtualBox. I have one master node and two worker nodes. I want to use the dashboard but I get an error. When I run kubectl proxy, the master starts listening on port 8001:

Starting to serve on 127.0.0.1:8001

and then I create an SSH tunnel on my host:

ssh user@10.10.10.50 -N -L 8001:127.0.0.1:8001

but when I type localhost:8001/ui in the browser I get this:

{
  "paths": [
    "/apis",
    "/apis/",
    "/apis/apiextensions.k8s.io",
    "/apis/apiextensions.k8s.io/v1beta1",
    "/healthz",
    "/healthz/etcd",
    "/healthz/ping",
    "/healthz/poststarthook/generic-apiserver-start-informers",
    "/healthz/poststarthook/start-apiextensions-controllers",
    "/healthz/poststarthook/start-apiextensions-informers",
    "/metrics",
    "/openapi/v2",
    "/swagger-2.0.0.json",
    "/swagger-2.0.0.pb-v1",
    "/swagger-2.0.0.pb-v1.gz",
    "/swagger.json",
    "/swaggerapi",
    "/version"
  ]
}

And if I try to get to the dashboard through the API directly:

https://10.10.10.50:6443/api/v1/namespaces/kube-system/services

I get this error:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "services is forbidden: User \"system:anonymous\" cannot list services in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "kind": "services"
  },
  "code": 403
}

I know this is related to authentication, but I don't know how I should define a username/password on my cluster or share keys among the master nodes and my host, or how I should use the keys inside the .kube/config file.

-- Sinai
kubernetes
kubernetes-dashboard
linux
ubuntu-16.04

1 Answer

8/24/2018

I want to use the dashboard but I get an error.

According to the excerpts from the dashboard documentation, after successful default installation of the dashboard (the default Dashboard deployment contains a minimal set of RBAC privileges needed to run):

  • To access Dashboard from your local workstation you must create a secure channel to your Kubernetes cluster. Run the following command:

    kubectl proxy

  • Now access Dashboard at:

    http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

No need to make a tunnel, or any other change. So far the default installation of the dashboard has always worked like a charm; if you have anything configured separately then there might be some issue...

-- Const
Source: StackOverflow
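
On the question's last point (using the keys inside .kube/config): a request sent to port 6443 without credentials is treated as system:anonymous, which is what the 403 above reports. The following is an added example, not part of the original question or answer. It resolves the current context of a kubeconfig to its API server and client credentials and builds an authenticated curl command. It assumes the kubeconfig embeds its credentials as *-data fields; the context, cluster and user names and the placeholder bytes are constructed.

```python
import base64, json, os
# Constructed sample shaped like `kubectl config view --raw -o json`; placeholder bytes, not real keys.
_b64 = lambda raw: base64.b64encode(raw).decode()
SAMPLE_KUBECONFIG = json.dumps({
    "current-context": "admin@lab",
    "contexts": [{"name": "admin@lab", "context": {"cluster": "lab", "user": "admin"}}],
    "clusters": [{"name": "lab", "cluster": {
        "server": "https://10.10.10.50:6443",
        "certificate-authority-data": _b64(b"CA-PEM-PLACEHOLDER")}}],
    "users": [{"name": "admin", "user": {
        "client-certificate-data": _b64(b"CERT-PEM-PLACEHOLDER"),
        "client-key-data": _b64(b"KEY-PEM-PLACEHOLDER")}}],
})

def _by_name(items, name, field):
    for item in items or []:
        if item["name"] == name:
            return item[field]
    raise KeyError(f"{field} {name!r} not found in kubeconfig")

def resolve_credentials(kubeconfig_json):
    """Follow current-context to the API server URL and that user's credentials."""
    cfg = json.loads(kubeconfig_json)
    ctx = _by_name(cfg.get("contexts"), cfg["current-context"], "context")
    cluster = _by_name(cfg.get("clusters"), ctx["cluster"], "cluster")
    user = _by_name(cfg.get("users"), ctx["user"], "user")
    data = lambda src, key: base64.b64decode(src[key]) if key in src else None
    return {"server": cluster["server"], "token": user.get("token"),
            "ca": data(cluster, "certificate-authority-data"),
            "cert": data(user, "client-certificate-data"),
            "key": data(user, "client-key-data")}

def curl_args(creds, path, workdir):
    """Build a curl argv that authenticates instead of arriving as system:anonymous."""
    def write(name, data):
        target = os.path.join(workdir, name)
        fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # owner-only
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return target
    if creds["ca"] is None:
        raise ValueError("no embedded CA data: point --cacert at the CA file instead")
    args = ["curl", "--cacert", write("ca.crt", creds["ca"])]
    if creds["cert"] and creds["key"]:
        args += ["--cert", write("client.crt", creds["cert"]), "--key", write("client.key", creds["key"])]
    elif creds["token"]:
        args += ["-H", "Authorization: Bearer " + creds["token"]]
    else:
        raise ValueError("no client certificate or token: request would be system:anonymous")
    return args + [creds["server"] + path]
```

The decoded key material is written to workdir with owner-only permissions; use a temporary directory and remove it once the request has been made.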