Site can not be reached problem while accessing on local laptop from deployed kubernetes dashboard service on remote machine

12/30/2019

When I am trying to access the Kubernetes dashboard service from my local laptop, I am getting the message that site can not be reached.

Procedure followed:

I followed the documentation from the following link,

https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/

I created my cluster with one master and one worker node on my premise machine. Each machine is ubuntu 16.04. And I installed kubectl and accessing this cluster from my control vm where I am running Jenkins for ci/cd pipeline. From this control vm I followed to bind the clusterrole and deployed the Kubernetes dashboard as explained in the documentation.

I run the following command for deploying the default dashboard service from my control vm by using kuectl command (outside the cluster):

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta8/aio/deploy/recommended.yaml

I created the role binding yaml dashboard-adminuser.yaml with following content ,

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard

And created this by using the following command:

 kubectl apply -f dashboard-adminuser.yaml

Accessed the token by using following command:

kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')

And run the following command for serving the dashboard service:

kubectl proxy

When I run the command showing "Starting serving on 127.0.0.1:8001".

And I tried to access the dashboard by putting the following URL on browser,

http://192.168.16.170:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

But I am only getting the message that site can not be reached.

Updates

Now I am trying to access using NodePort mechanism by editing the dashboard service type to NodePort type. When I am trying to access the URL , I am getting the error like "your connection is not private". I am adding the screenshot below,

enter image description here

Where have I gone wrong?

-- Jacob
dashboard
kubernetes

2 Answers

12/30/2019

You need to change the service type to NodePort to access it from your local.

NodePort

This way of accessing Dashboard is only recommended for development environments in a single node setup.

Edit kubernetes-dashboard service.

$ kubectl -n kubernetes-dashboard edit service kubernetes-dashboard

You should see yaml representation of the service. Change type: ClusterIP to type: NodePort and save file.

apiVersion: v1
...
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  resourceVersion: "343478"
  selfLink: /api/v1/namespaces/kubernetes-dashboard/services/kubernetes- 
  dashboard
  uid: 8e48f478-993d-11e7-87e0-901b0e532516
spec:
  clusterIP: 10.100.124.90
  externalTrafficPolicy: Cluster
  ports:
   - port: 443
     protocol: TCP
     targetPort: 8443
  selector:
   k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}

Next we need to check port on which Dashboard was exposed.

$ kubectl -n kubernetes-dashboard get service kubernetes-dashboard

NAME                   TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)        
AGE
kubernetes-dashboard   NodePort   10.100.124.90   <nodes>       443:31707/TCP   
21h

Dashboard has been exposed on port 31707 (HTTPS). Now you can access it from your browser at: https://<master-ip>:31707. master-ip can be found by executing kubectl cluster-info. Usually it is either 127.0.0.1 or IP of your machine, assuming that your cluster is running directly on the machine, on which these commands are executed.

In case you are trying to expose Dashboard using NodePort on a multi-node cluster, then you have to find out IP of the node on which Dashboard is running to access it. Instead of accessing https://<master-ip>:<nodePort> you should access https://<node-ip>:<nodePort>.

-- Nandu Raj
Source: StackOverflow

12/30/2019

The UI can only be accessed from the machine where the command(kubectl proxy) is executed. In that machine try

http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

Edit:

Otherwise use nodeport mechanism for accessing it without using kubectl proxy

https://github.com/kubernetes/dashboard/blob/master/docs/user/accessing-dashboard/1.7.x-and-above.md#nodeport

Update:

Accessing the the dashboard using kubectl proxy

Run kubectl proxy and then access

http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/#/overview?namespace=default

I used a token for auth and here is now I created the token:

# Create the service account in the current namespace 
# (we assume default)
kubectl create serviceaccount my-dashboard-sa
# Give that service account root on the cluster
kubectl create clusterrolebinding my-dashboard-sa \
  --clusterrole=cluster-admin \
  --serviceaccount=default:my-dashboard-sa
# Find the secret that was created to hold the token for the SA
kubectl get secrets
# Show the contents of the secret to extract the token
kubectl describe secret my-dashboard-sa-token-xxxxx

Accessing the dashboard via publicly exposed API Server

Use this url in browser https://<master-ip>:<apiserver-port>/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

This will give you below error:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}

To solve above error apply below yaml to configure RBAC:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-anonymous
rules:
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["https:kubernetes-dashboard:"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-anonymous
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard-anonymous
subjects:
- kind: User
  name: system:anonymous

You will still need either a kubeconfig or a token to access. Token can be created by mechanism described above.

-- Arghya Sadhu
Source: StackOverflow