When I try to access the Kubernetes dashboard service from my local laptop, I get the message that the site cannot be reached.
Procedure followed:
I followed the documentation from the following link,
https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
I created my cluster with one master and one worker node on my on-premise machines. Each machine runs Ubuntu 16.04. I installed kubectl and am accessing this cluster from my control VM, where I am running Jenkins for the CI/CD pipeline. From this control VM I bound the cluster role and deployed the Kubernetes dashboard as explained in the documentation.
I ran the following command to deploy the default dashboard service from my control VM using the kubectl command (outside the cluster):
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta8/aio/deploy/recommended.yaml
I created the role binding YAML dashboard-adminuser.yaml with the following content:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
And created this by using the following command:
kubectl apply -f dashboard-adminuser.yaml
Accessed the token by using following command:
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')
And run the following command for serving the dashboard service:
kubectl proxy
When I run the command, it shows "Starting serving on 127.0.0.1:8001".
And I tried to access the dashboard by entering the following URL in the browser,
http://192.168.16.170:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
But I am only getting the message that site can not be reached.
Updates
Now I am trying to access it using the NodePort mechanism by editing the dashboard service type to NodePort. When I try to access the URL, I get an error like "your connection is not private". I am adding the screenshot below,
Where have I gone wrong?
You need to change the service type to NodePort to access it from your local.
NodePort
This way of accessing Dashboard is only recommended for development environments in a single node setup.
Edit kubernetes-dashboard service.
$ kubectl -n kubernetes-dashboard edit service kubernetes-dashboard
You should see yaml representation of the service. Change type: ClusterIP to type: NodePort and save file.
apiVersion: v1
...
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  resourceVersion: "343478"
  selfLink: /api/v1/namespaces/kubernetes-dashboard/services/kubernetes-dashboard
  uid: 8e48f478-993d-11e7-87e0-901b0e532516
spec:
  clusterIP: 10.100.124.90
  externalTrafficPolicy: Cluster
  ports:
  - port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
Next we need to check port on which Dashboard was exposed.
$ kubectl -n kubernetes-dashboard get service kubernetes-dashboard
NAME                   TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.100.124.90   <nodes>       443:31707/TCP   21h
Dashboard has been exposed on port 31707 (HTTPS). Now you can access it from your browser at: https://<master-ip>:31707. master-ip can be found by executing kubectl cluster-info. Usually it is either 127.0.0.1 or IP of your machine, assuming that your cluster is running directly on the machine, on which these commands are executed.
In case you are trying to expose Dashboard using NodePort on a multi-node cluster, then you have to find out IP of the node on which Dashboard is running to access it. Instead of accessing https://<master-ip>:<nodePort> you should access https://<node-ip>:<nodePort>.
The UI can only be accessed from the machine where the command (kubectl proxy) is executed. On that machine try
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
Edit:
Otherwise use nodeport mechanism for accessing it without using kubectl proxy
Update:
Accessing the dashboard using kubectl proxy
Run kubectl proxy
and then access
I used a token for auth and here is how I created the token:
# Create the service account in the current namespace
# (we assume default)
kubectl create serviceaccount my-dashboard-sa
# Give that service account root on the cluster
kubectl create clusterrolebinding my-dashboard-sa \
  --clusterrole=cluster-admin \
  --serviceaccount=default:my-dashboard-sa
# Find the secret that was created to hold the token for the SA
kubectl get secrets
# Show the contents of the secret to extract the token
kubectl describe secret my-dashboard-sa-token-xxxxx
Accessing the dashboard via publicly exposed API Server
Use this url in browser https://<master-ip>:<apiserver-port>/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
This will give you below error:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}
To solve above error apply below yaml to configure RBAC:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-anonymous
rules:
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["https:kubernetes-dashboard:"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-anonymous
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard-anonymous
subjects:
- kind: User
  name: system:anonymous
You will still need either a kubeconfig or a token to access. Token can be created by mechanism described above.
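An audit for the RBAC objects created on this page, as an added example that is not part of the original question or answers: it reads `kubectl get clusterrolebindings -o json` output and flags bindings that give cluster-admin to a service account or grant a role to system:anonymous / system:unauthenticated. The sample data is constructed from the binding names used above; `view-only`, `ci-reader` and the helper `crb` are hypothetical.

```python
import json
import sys

UNAUTHENTICATED = {"system:anonymous", "system:unauthenticated"}
# Built-in binding that opens only non-sensitive info endpoints to everyone.
ALLOWED_BINDINGS = {"system:public-info-viewer"}


def audit_bindings(doc):
    """Return sorted (binding, finding, subject) tuples for risky ClusterRoleBindings."""
    findings = []
    for item in doc.get("items", []):
        name = item["metadata"]["name"]
        if name in ALLOWED_BINDINGS:
            continue
        role = item.get("roleRef", {}).get("name", "")
        for subj in item.get("subjects") or []:  # "subjects" may be absent or null
            kind, sname = subj.get("kind"), subj.get("name", "")
            if kind in ("User", "Group") and sname in UNAUTHENTICATED:
                findings.append((name, "unauthenticated-subject", sname))
            if kind == "ServiceAccount" and role == "cluster-admin":
                sa = f'{subj.get("namespace", "")}/{sname}'
                findings.append((name, "cluster-admin-serviceaccount", sa))
    return sorted(findings)


def crb(name, role, *subjects):
    """Build a constructed ClusterRoleBinding item for the sample below."""
    keys = ("kind", "name", "namespace")
    return {"metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [dict(zip(keys, s)) for s in subjects]}


# Constructed sample shaped like `kubectl get clusterrolebindings -o json`:
# the three bindings created on this page plus two benign ones.
SAMPLE = {"items": [
    crb("admin-user", "cluster-admin",
        ("ServiceAccount", "admin-user", "kubernetes-dashboard")),
    crb("my-dashboard-sa", "cluster-admin",
        ("ServiceAccount", "my-dashboard-sa", "default")),
    crb("kubernetes-dashboard-anonymous", "kubernetes-dashboard-anonymous",
        ("User", "system:anonymous")),
    crb("system:public-info-viewer", "system:public-info-viewer",
        ("Group", "system:authenticated"), ("Group", "system:unauthenticated")),
    crb("view-only", "view", ("ServiceAccount", "ci-reader", "default")),
]}

if __name__ == "__main__":
    # Pass a saved JSON file as the first argument, or run with no argument for the sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for binding, finding, subject in audit_bindings(doc):
        print(f"{finding:30} {binding:32} {subject}")
```

To run it against a cluster, save the output of `kubectl get clusterrolebindings -o json` to a file and pass the file name as the first argument.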