Kubernetes dashboard error using service account token

11/5/2019

I have a Kubernetes cluster with various resources running fine. I am trying to get the Dashboard working, but I get the following error when I launch the dashboard and enter the service-account token.

persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "persistentvolumeclaims" in API group "" in the namespace "default"

It does not allow the listing of any resources from my cluster (persistent volumes, pods, ingresses, etc.). My cluster has multiple namespaces.

This is my service-account yaml file:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: k8s-test # replace with your preferred username
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: dashboard-admin # replace with your preferred username
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: dashboard-admin # replace with your preferred username
  namespace: kube-system

Any help is appreciated.

-- Rutnet
kubernetes
kubernetes-dashboard

2 Answers

11/6/2019

I would recommend using the Web UI (Dashboard) documentation from Kubernetes.

Deploying the Dashboard UI

The Dashboard UI is not deployed by default. To deploy it, run the following command:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta4/aio/deploy/recommended.yaml

From your yaml I can see that you specified them for namespace kube-system but the dashboard is trying to list resources from namespace default, at least that's what it says in your error message.

It also seems your yaml is incorrect for the ServiceAccount name, as in the file you have k8s-test and the error message says it's using kubernetes-dashboard.

-- Crou
Source: StackOverflow

12/10/2019

FIX: Create a Role Binding for the cluster role.

This should fix the problem:

kubectl delete clusterrole cluster-admin
kubectl delete clusterrolebinding kubernetes-dashboard 
kubectl create clusterrolebinding kubernetes-dashboard --clusterrole=cluster-admin --serviceaccount=kube-system:kubernetes-dashboard

The above command will create a role binding that gives all permissions to all resources.


Run the Proxy:

kubectl proxy

Check the DashBoard: Please check the URL and port provided by kubectl

http://127.0.0.1:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/persistentvolume?namespace=default

More info: Cluster role:

  • You can check out the 'cluster-admin' role by:

    kubectl edit clusterrole cluster-admin

The problem here is that the serviceaccount 'kubernetes-dashboard' does not have 'list' permissions for the resource 'persistentVolumeClaims'.

-- Ashwani Jha
Source: StackOverflow
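
A read-only alternative to the cluster-admin binding above, as an added example that is not part of either answer: it binds the identity from the error message to the built-in view ClusterRole plus a small role for cluster-scoped objects, and leaves the built-in cluster-admin ClusterRole in place. The names dashboard-view and dashboard-cluster-view are hypothetical, and it assumes the kubernetes-dashboard ServiceAccount already exists in kube-system.

```yaml
# Added example, not from the answers above. Assumption: the dashboard runs as
# the ServiceAccount named in the error message
# (system:serviceaccount:kube-system:kubernetes-dashboard).
# The names dashboard-view and dashboard-cluster-view are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view  # built-in read-only role; does not grant access to Secrets
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard  # must match the name in the error message
  namespace: kube-system      # must match the namespace in the error message
---
# "view" does not cover cluster-scoped objects such as PersistentVolumes
# and nodes, so grant read-only access to those separately.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-cluster-view
rules:
- apiGroups: [""]
  resources: ["persistentvolumes", "nodes", "namespaces"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-cluster-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dashboard-cluster-view
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
```

After applying it, `kubectl auth can-i list persistentvolumeclaims --namespace default --as system:serviceaccount:kube-system:kubernetes-dashboard` should answer yes, while the same check with `delete` in place of `list` should answer no.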