1 of 14 9/30/2022, 1:43 PM
Unable to access Dashboard ("Forbidden") · Issue #2854 · kubernetes/d... https://github.com/kubernetes/dashboard/issues/2854
Environment
I have seen many similar error reports and tried to follow the advice, but no, it does not work for me. The
guide here https://github.com/kubernetes/dashboard seems to be overly simplistic. There is a lot more
documentation on authentication, but it remains unclear how much of that is needed to simply get access
to the GUI in a lab environment.
Steps to reproduce
Install cluster:
sudo kubeadm init --kubernetes-version=$KUBEVERSION --apiserver-advertise-address=$HOSTIP
mkdir -p $HOME/.kube
sudo cp /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Install Dashboard:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
Run proxy:
kubectl proxy
Observed result
Error: 'Forbidden'
Trying to reach: 'https://192.168.216.47:8443/'
Expected result
Some HTML
Comments
I'm assuming that this Forbidden error comes from apiserver and is not related to Dashboard at all. Try to
access some other application through the service proxy, i.e. http://localhost:8001/api/v1/namespaces/kube-system/services/grafana/proxy/ .
If you see the same error, then you have to configure your cluster
and cluster user properly first, before accessing any applications.
I can access other APIs without getting "Forbidden"; the one you mentioned:
$ curl http://localhost:8001/api/v1/namespaces/kube-system/services/grafana/proxy/
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "services \"grafana\" not found",
"reason": "NotFound",
"details": {
"name": "grafana",
"kind": "services"
},
"code": 404
}
That was only an example. I don't know what applications you have installed in your cluster. The Grafana
service clearly does not even exist, which is why a different error is thrown. Try to access an application through
a service that actually exists...
Well, maybe I'm completely off now but you suggested the error comes from the API server and I am
trying to demonstrate that I can interact with the API server through the proxy without getting a
"Forbidden". Here is another example:
$ curl http://localhost:8001/api/v1/namespaces/kube-system/services/kube-dns
{
"kind": "Service",
"apiVersion": "v1",
"metadata": {
"name": "kube-dns",
...
}
}
I do not have any "applications" in that cluster yet. The fault is reproducible with the actual steps I listed,
so I am really working on a fresh new cluster.
Privileges for services and services/xxx/proxy are granted by different rules. This doesn't prove you
have access.
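Added example (not part of the thread, and not Kubernetes code): a simplified Python model of how RBAC rules match a resource versus its subresource, applied to the two request paths used above. The rule sets and helper names are hypothetical, and bindings, namespaces and non-core API groups are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyRule:
    """One RBAC rule; field names mirror a Role's `rules:` entries."""
    api_groups: tuple
    resources: tuple
    verbs: tuple

def parse_core_path(path: str):
    """Split /api/v1/namespaces/<ns>/<resource>/<name>[/<subresource>/...]."""
    parts = path.strip("/").split("/")
    if parts[:3] != ["api", "v1", "namespaces"] or len(parts) < 6:
        raise ValueError(f"unsupported path: {path}")
    subresource = parts[6] if len(parts) > 6 else ""
    return parts[3], parts[4], parts[5], subresource

def resource_matches(rule: PolicyRule, resource: str, subresource: str) -> bool:
    """A rule naming only `services` does not cover `services/proxy`."""
    combined = f"{resource}/{subresource}" if subresource else resource
    for granted in rule.resources:
        if granted in ("*", combined):
            return True
        if subresource and granted == f"*/{subresource}":
            return True
    return False

def can_get(rules, path: str) -> bool:
    """Would an HTTP GET on `path` pass these rules? (core API group only)"""
    _ns, resource, _name, subresource = parse_core_path(path)
    return any(
        ("*" in r.verbs or "get" in r.verbs)
        and ("*" in r.api_groups or "" in r.api_groups)
        and resource_matches(r, resource, subresource)
        for r in rules
    )

# Constructed rule sets (hypothetical Roles, not taken from the thread).
SERVICE_READER = [PolicyRule(("",), ("services",), ("get", "list"))]
DASHBOARD_PROXY = SERVICE_READER + [PolicyRule(("",), ("services/proxy",), ("get",))]

# The two request paths that appear in the thread.
KUBE_DNS = "/api/v1/namespaces/kube-system/services/kube-dns"
DASHBOARD = "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/"
```

On a real cluster the same question can be asked with `kubectl auth can-i get services --subresource=proxy -n kube-system`.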
I see.
$ curl http://localhost:8001/api/v1/namespaces/monitoring/services/grafana/proxy/
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
(...)
Works too.
# Kubeadm
$ kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.3", GitCommit:"d2835416544f298c919e2ead3
# Kubectl
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.3", GitCommit:"d2835416544f298c919e2ead3be
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.3", GitCommit:"d2835416544f298c919e2ead3be
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You can now join any number of machines by running the following on each node
as root:
# In a different shell
$ kubectl proxy
Starting to serve on 127.0.0.1:8001
$ curl http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
<!doctype html> <html ng-app="kubernetesDashboard"> <head> <meta charset="utf-8"> <title ng-controller=
<p class="browsehappy">You are using an <strong>outdated</strong> browser.
Please <a href="http://browsehappy.com/">upgrade your browser</a> to improve your
experience.</p>
<![endif]--> <kd-login layout="column" layout-fill="" ng-if="$ctrl.isLoginState()"> </kd-login
Very strange. When I try the same commands I get different results. What could it be? Some pre-existing
software on the host? Proxy settings? Here is my sequence of commands with full printouts.
[bootstraptoken] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for
nodes to get long term certificate credentials
[bootstraptoken] Configured RBAC rules to allow the csrapprover controller automatically
approve CSRs from a Node Bootstrap Token
[bootstraptoken] Configured RBAC rules to allow certificate rotation for all node client
certificates in the cluster
[bootstraptoken] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[addons] Applied essential addon: kube-dns
[addons] Applied essential addon: kube-proxy
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You can now join any number of machines by running the following on each node
as root:
Definitely looks like something is blocking the traffic and I think the request does not even reach the
Dashboard. It might be some preexisting configuration or maybe it is some IP class mismatch, as the error
shows 192.xxx and the advertise address is in the 10.xxx class.
192.168.216.61 is the dashboard's endpoint IP address. When I try to curl to the pod directly, I get a
sequence of characters that notepad++ translates into NAK,ETX,SOH,STX,STX, see below.
I also checked the logs of the dashboard pod, but there is nothing but an endless sequence of "Metric
client health check failed: the server could not find the requested resource (get services heapster).
Retrying in 30 seconds."
TargetPort: 8443/TCP
Endpoints: 192.168.216.61:8443
Session Affinity: None
Events: <none>
Tolerations: node-role.kubernetes.io/master:NoSchedule
node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events: <none>
http://192.168.216.61:8443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
Here, you are trying to connect to an HTTPS endpoint using the HTTP protocol. That is why it is throwing this
weird series of characters. It should start with https://... .
So what's the URL I should be using? This does not seem to work either.
This message is correct. The Dashboard pod IP is 192.168.216.61 and it points you directly to Dashboard.
The api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ suffix is required when
you want to access some app through the API server proxy. Here you are connecting directly to the app. You
just need to use <podIP>:<applicationPort> .
Tried things in a VM that is not behind a proxy and everything works fine. Note though that I did have
localhost, host_IP, and 10.96.0.0/12 included in the no_proxy env and also "kubeadm init" did not give a
proxy warning.
@danielcra - so what was the fix? By proxy you mean corporate proxy you are behind? Did you add pod’s
cluster ip to no_proxy env variable on your client - it doesn’t make sense to me
I was also suffering from this problem, and was able to solve it.
The root cause is that the file /etc/kubernetes/manifests/kube-apiserver.yaml had an env: section
where the proxy environment variables were set. kubectl proxy is going via the API server, so any
subsequent requests by the API server reverse proxy were using the defined proxy server (and possibly
ignoring the no_proxy setting).
Given that the API server doesn't usually need to use an external proxy for anything, the solution was to
simply delete the env: section from kube-apiserver.yaml and then run sudo systemctl restart
kubelet to trigger the launch of a fresh non-proxy-using API server.
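Added example (not part of the thread): a Python check of which destinations the no_proxy list described earlier would exempt from an HTTP proxy, assuming a client that honours CIDR entries, which not every client does. `192.0.2.10` is a placeholder for the host IP, and `bypasses_proxy` and `proxied_targets` are hypothetical helper names.

```python
import ipaddress

def bypasses_proxy(host: str, no_proxy: str) -> bool:
    """True if `host` is covered by a no_proxy entry, so no HTTP proxy is used."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                      # host is a DNS name
    for entry in (e.strip().lower() for e in no_proxy.split(",")):
        if not entry:
            continue
        if entry == "*":
            return True
        if ip is not None:
            try:                       # plain IP or CIDR entry
                if ip in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass                   # a hostname entry never matches an IP
            continue
        suffix = entry.lstrip(".")
        if host.lower() == suffix or host.lower().endswith("." + suffix):
            return True
    return False

# no_proxy as described in the thread: localhost, host IP, 10.96.0.0/12.
# 192.0.2.10 is a placeholder for the host IP, which the thread does not give.
NO_PROXY = "localhost,192.0.2.10,10.96.0.0/12"

# Destinations: the Dashboard pod endpoint from the thread, plus two constructed ones.
TARGETS = ["192.168.216.61", "10.96.0.1", "localhost"]

def proxied_targets(no_proxy: str = NO_PROXY):
    """Destinations a proxy-configured client would still send to the proxy."""
    return [t for t in TARGETS if not bypasses_proxy(t, no_proxy)]
```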
@dhague
Hi, following your recommendation shows the error below:
http: proxy error: dial tcp xxx.xxx.xxx.xxx:6443: getsockopt: connection refused
Hi folks, my issue is a little different and yet may still have some relevance to what has been discussed
here so far, so let me share it with you all.
My cluster runs on three VMware VMs, the control plane is on ubun1811 (192.168.42.161/24)
In order to reach dashboard from a remote host, I did the following:
1. Edited /etc/kubernetes/manifests/kube-apiserver.yaml to have these two entries under spec ->
containers -> command -> kube-apiserver
◦ --advertise-address=192.168.42.161
◦ --etcd-servers=https://192.168.42.161:2379
Restart kubelet after the change
I will continue troubleshooting and see what’s missing in my dashboard. If anyone can shed light on
the remaining issue for me, it would be greatly appreciated!
The same thing happened to me, but I fixed it by starting the proxy service with request filtering disabled:
kubectl proxy --disable-filter=true --address='192.168.0.27', also specifying the IP address just to not use
localhost
Thanks, @lloverarcpedro, passing --disable-filter=true worked for me as well, for accessing the
dashboard on a microk8s setup on an off-host VM.
My issue is:
I installed the Kubernetes cluster on an Ubuntu 18.04 LTS server and completed all the necessary steps
required to use the Kubernetes dashboard.
I started kubelet proxy to my VM's IP address (kubelet proxy --address=192.168.x.xxx) and trying to
If you just want to accept arbitrary hosts, then you can do something like --accept-hosts="^.*$" instead
of --disable-filter=true. It looks like disabling filter also disables anything you specify for
--accept-paths, --reject-methods, and --reject-paths, which you'll probably want to configure a bit if you're
accepting arbitrary hosts
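Added example (not part of the thread, and not kubectl's own code): a simplified Python model of the `kubectl proxy` request filter, comparing the default settings, `--accept-hosts="^.*$"` and `--disable-filter=true` for a request arriving on the `--address` used above. The default patterns and the evaluation order are assumptions to check against `kubectl proxy --help` for your version; the pod name is constructed.

```python
import re
from dataclasses import dataclass

# Default patterns as listed by `kubectl proxy --help` (assumed; check your version).
ACCEPT_HOSTS = r"^localhost$,^127\.0\.0\.1$,^\[::1\]$"
ACCEPT_PATHS = r"^.*"
REJECT_PATHS = r"^/api/.*/pods/.*/exec,^/api/.*/pods/.*/attach"
REJECT_METHODS = r"^$"

def any_match(patterns: str, value: str) -> bool:
    """True if any comma-separated regex finds a match in value."""
    return any(re.search(p, value) for p in patterns.split(","))

@dataclass
class ProxyFilter:
    accept_hosts: str = ACCEPT_HOSTS
    accept_paths: str = ACCEPT_PATHS
    reject_paths: str = REJECT_PATHS
    reject_methods: str = REJECT_METHODS
    disable_filter: bool = False

    def allows(self, method: str, path: str, host: str) -> bool:
        """`host` is the request's Host header without the port."""
        if self.disable_filter:
            return True                  # none of the four lists is consulted
        if any_match(self.reject_paths, path) or any_match(self.reject_methods, method):
            return False                 # rejects win over accepts (assumed order)
        return any_match(self.accept_paths, path) and any_match(self.accept_hosts, host)

# Constructed requests: the Dashboard URL from the thread and a pod exec call.
DASHBOARD = ("GET", "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/")
POD_EXEC = ("POST", "/api/v1/namespaces/default/pods/web-0/exec")
HOST = "192.168.0.27"                    # the --address used in the thread

CONFIGS = {
    "default": ProxyFilter(),
    "accept-hosts=^.*$": ProxyFilter(accept_hosts=r"^.*$"),
    "disable-filter=true": ProxyFilter(disable_filter=True),
}

def decisions():
    """Map each configuration to (dashboard allowed, pod exec allowed) for HOST."""
    return {name: (f.allows(*DASHBOARD, HOST), f.allows(*POD_EXEC, HOST))
            for name, f in CONFIGS.items()}
```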
Labels
lifecycle/frozen
11 participants