Response "Unauthorized" #692

Closed
ScubaDrew opened this Issue Apr 28, 2016 · 113 comments

ScubaDrew commented Apr 28, 2016

Issue details

I followed the steps to install and set up the proxy as detailed in the README.md.

When I point my web browser at the proxy address I just get back an "unauthorized" response.

Environment

Dashboard version: latest as of 5/28/16
Kubernetes version: 1.2.2
Operating system: core

Steps to reproduce
  1. set up cluster on AWS per https://coreos.com/kubernetes/docs/latest/kubernetes-on-aws.html
  2. install dashboard as described in README.md
  3. I have an Ubuntu server on which I run kubectl proxy --address="172.20.32.54" --port=9090
  4. point web browser on OS X system at the Ubuntu server address (...32.54 address above), get successful HTTP connection but response is simply "unauthorized"

All other kubectl commands work correctly.

kubectl cluster-info
Kubernetes master is running at https://kub2.drewoconnor.com
Heapster is running at https://kub2.drewoconnor.com/api/v1/proxy/namespaces/kube-system/services/heapster
KubeDNS is running at https://kub2.drewoconnor.com/api/v1/proxy/namespaces/kube-system/services/kube-dns
kubernetes-dashboard is running at https://kub2.drewoconnor.com/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard

Observed result

Unauthorized

Expected result

Dashboard

Collaborator

bryk commented Apr 29, 2016

Can you kubectl get pods --namespace=kube-system and kubectl logs <pod-of-dashboard> --namespace=kube-system?

ScubaDrew commented Apr 29, 2016

Hi bryk, I found the issue here.

I was using the kubectl proxy command as noted above on an Ubuntu server, specifying the IP address in the command. I was then pointing a browser on an OS X machine at the Ubuntu server's IP. The connection worked, and I got the unauthorized response. I found that if I used "kubectl --port=9090" and then did a wget to localhost, the request worked as it should.

This appears to be an issue with the proxy command in kubectl. Or perhaps they intended to limit connections to localhost.

I don't believe this is an issue with the web UI.

Thanks,
Drew

Collaborator

bryk commented May 4, 2016

@ScubaDrew Yeah, that's what I expected. I'm closing this issue. Please reopen if needed.

bryk closed this May 4, 2016

EamonZhang commented May 18, 2016

I have the same issue.

$kubectl proxy --port=9090
Starting to serve on 127.0.0.1:9090
curl 127.0.0.1:9090
<h3>Unauthorized</h3>
curl 127.0.0.1:9090/ui
<a href="/ui/">Moved Permanently</a>.

What can I do? Thanks.

Collaborator

bryk commented May 19, 2016

Yeah, that's correct that it is moved permanently. Can you open the URL with a browser?

EamonZhang commented May 20, 2016

@bryk

$kubectl proxy --address="10.2.0.10"  --port=9090
Starting to serve on 10.2.0.10:9090

or

$kubectl proxy --address="0.0.0.0"  --port=9090
Starting to serve on 0.0.0.0:9090

In a browser window:

http://10.2.0.10:9090/ui

Unauthorized

ScubaDrew commented May 20, 2016

@EamonZhang it only works when the URL is localhost. Accessing it via IP address is... Unauthorized by design.

EamonZhang commented May 20, 2016

@ScubaDrew

The server computer has no browser to use.
Is an nginx proxy supported, or are there other measures?

Thanks

Collaborator

bryk commented May 20, 2016

If your master is publicly accessible you can access it to see the UI: https://master/ui or your clients can use kubectl proxy on their machines. Finally, you can expose the UI as an external service and access it from the outside world.

hwinkel commented Oct 1, 2016

I have the master running on a public IP but get unauthorized on http://ip/ui

The dashboard pod itself is not running on the master node, but on another one.
kubectl cluster-info does not show the kubernetes-dashboard, but the service is listed and the pod as well.

How do I expose the UI? Any hints?

natejoebott commented Oct 3, 2016

I have the same issue as hwinkel above. Just installed K8 and the dashboard per https://github.com/kubernetes/dashboard#kubernetes-dashboard

I get the "unauthorized" message when accessing https:///ui

I am using a Mozilla browser from a Windows client, so the kubectl proxy approach doesn't seem appropriate. What am I missing here?

remonlam commented Oct 3, 2016

Same here, running 1.4; I installed it following the guide at http://kubernetes.io/docs/getting-started-guides/kubeadm/.

However, after installing the dashboard/UI it seems to be running, but I get an "Unauthorized".

I followed the guide at http://kubernetes.io/docs/user-guide/ui/ to install the UI, basically just running "kubectl create -f https://rawgit.com/kubernetes/dashboard/master/src/deploy/kubernetes-dashboard.yaml"

kubectl get pods --all-namespaces

NAMESPACE     NAME                                         READY     STATUS    RESTARTS   AGE
kube-system   etcd-kube-master.net.loc                      1/1       Running   1          19m
kube-system   kube-apiserver-kube-master.net.loc            1/1       Running   1          20m
kube-system   kube-controller-manager-kube-master.net.loc   1/1       Running   1          20m
kube-system   kube-discovery-982812725-s79yq                1/1       Running   1          20m
kube-system   kube-dns-2247936740-b9a2o                     3/3       Running   3          20m
kube-system   kube-proxy-amd64-4p9vg                        1/1       Running   1          20m
kube-system   kube-proxy-amd64-cbbrm                        1/1       Running   0          20m
kube-system   kube-proxy-amd64-ela05                        1/1       Running   0          20m
kube-system   kube-scheduler-kube-master.net.loc            1/1       Running   1          19m
kube-system   kubernetes-dashboard-1655269645-arfpw         1/1       Running   0          15m
kube-system   weave-net-cvcgd                               2/2       Running   0          19m
kube-system   weave-net-hxkwf                               2/2       Running   2          19m
kube-system   weave-net-pwuto                               2/2       Running   0          19m

@natejoebott are you running 1.4?

natejoebott commented Oct 3, 2016

Right, I too installed it via the beta version of Kubeadm with 1.4. Upon further investigation this may be expected behavior based upon the limitation number 4 - There is not yet an easy way to generate a kubeconfig file which can be used to authenticate to the cluster remotely with kubectl.

Contributor

colemickens commented Oct 3, 2016

Are people expecting the dashboard to be publicly available without auth? If this were really the case, everyone would be exposing write access for their cluster to the anonymous world. Unless I'm missing a detail here?

natejoebott commented Oct 3, 2016

No, but there doesn't seem to be a simple way to auth. In the documentation for the dashboard, it provides the following guidance after installation:
And then navigate to https:///ui
If it asks password, use $ kubectl config view to find it.

I was not prompted for a password, nor does the kubectl config view provide any indication of a password. Next up is using the alternative proxy method; however, only localhost can be used - http://localhost:8001/ui - thus this will work only if you are using the Mac or Linux host where the kubectl proxy script was invoked.

Contributor

colemickens commented Oct 3, 2016

Presumably you're using client-cert auth then if there's no password/token in kubeconfig. You can configure your browser to send the relevant client certificate, but it's usually not straightforward in my experience.

kubectl proxy is certainly easier. There is a build of kubectl for Windows and if you want, you can run it with flags that enable it to listen on all interfaces and for connections from all hosts so that you can run it on a server machine and allow anyone to hit it (this is obviously insecure).

(I'm working on an example of how you can run a reverse-proxy with auth in front of the dashboard that should make things like this easier.)

Collaborator

bryk commented Oct 4, 2016

(I'm working on an example of how you can run a reverse-proxy with auth in front of the dashboard that should make things like this easier.)

Can you share any details here? I'd love us to incorporate something like this into the default install, so that folks can expose the UI to the external world.

Contributor

colemickens commented Oct 4, 2016

This is the idea: kubernetes/contrib#1492. I still haven't had time to put the oauth2_proxy configuration together. Doesn't really solve for out-of-the-box though, as oauth2_proxy will require a configmap/secret with oauth2 secrets to work the way I'm imagining.

Collaborator

bryk commented Oct 4, 2016

All right. Share anything you make work :) We need to explore all possible solutions, because, eventually, we need to bake a solution to this into Dashboard.

dannyman commented Oct 4, 2016

Heya, so we are all actively commenting on an issue that is closed since May .. begs the question as to whether this issue is Closed? (Maybe a scope change...)

Here's where we are at, total newbs:

  1. Install Kubernetes with fancy new kubeadm tool: http://kubernetes.io/docs/getting-started-guides/kubeadm/
  2. Per above "Explore other add-ons" ... http://kubernetes.io/docs/admin/addons/
  3. "Dashboard is a dashboard web interface for Kubernetes." -- wow this sounds useful for us newbs!
  4. https://github.com/kubernetes/dashboard#kubernetes-dashboard
  5. kubectl create -f https://rawgit.com/kubernetes/dashboard/master/src/deploy/kubernetes-dashboard.yaml
  6. https:///ui --> Unauthorized
root@kub-test0:~# kubectl config view
apiVersion: v1
clusters: []
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
  7. Find this issue and:
root@kub-test0:~# wget --no-check-certificate https://localhost/ui
--2016-10-04 15:28:58--  https://localhost/ui
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:443... connected.
WARNING: cannot verify localhost's certificate, issued by ‘CN=kubernetes’:
  Unable to locally verify the issuer's authority.
WARNING: no certificate subject alternative name matches
    requested host name ‘localhost’.
HTTP request sent, awaiting response... 401 Unauthorized

Username/Password Authentication Failed.

So since this is my first time on a test cluster I can do this:
kubectl proxy --address 0.0.0.0
Nope: <h3>Unauthorized</h3>

Maybe helpful would be a pointer on how to add a username/password in the Usage section at https://github.com/kubernetes/dashboard#kubernetes-dashboard

Contributor

colemickens commented Oct 4, 2016

What URL did you try to hit after running kubectl proxy?

dannyman commented Oct 4, 2016

From my workstation, to external IP of kubernetes cluster Master:
http://10.10.1.188:8001/ --> <h3>Unauthorized</h3>

From localhost on kubernetes cluster Master:
https://localhost/ui --> 401 Unauthorized Username/Password Authentication Failed.

dannyman commented Oct 4, 2016

Workstation -> http://10.10.1.188:8001/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard/#/workload?namespace=_all -> Unauthorized

Kubernetes Master wget http://localhost:8001/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard/#/workload?namespace=_all I get an index.html that informs me that I am using an outdated browser.

bryk reopened this Oct 5, 2016

anutech2001 commented Oct 5, 2016

@dannyman I got the same problem. So I tried using NodePort and it works. I can use the dashboard in the browser right now.
My env:

  • windows 7, vagrant + centos 7, kubernetes 1.4

naisanza commented Jan 10, 2017

@bbalzola using the NodePort works, however it is http. Is there a way to enable a self-signed certificate to use https when connecting to the dashboard?

bbalzola commented Jan 11, 2017

@naisanza I think it's possible but I haven't tested it yet, sorry.

vhosakot commented Mar 17, 2017

The solution #692 (comment) posted above worked for me. Thanks @waynebrantley!

I installed k8s using kubeadm in https://kubernetes.io/docs/getting-started-guides/kubeadm/. I wanted to run kubectl proxy on the master, and access the k8s API from a different host (not the master) using the IP address (not localhost) of the master.

172.18.7.245 is the IP address of my master, and after doing kubectl proxy --port=8181 --address=172.18.7.245 --accept-hosts='^*$' & on the master, I was able to successfully access the k8s API from a different host (with IP address 172.18.7.246 and that pings the master 172.18.7.245) using

curl http://172.18.7.245:8181/api/v1
curl http://172.18.7.245:8181/api/v1/services
curl http://172.18.7.245:8181/api/v1/pods
curl http://172.18.7.245:8181/api/v1/secrets

I was also able to access the k8s API from another machine that can SSH into 172.18.7.246 after setting up SSH port-forwarding ssh -L 8080:172.18.7.245:8181 172.18.7.245 on the machine and using the following commands.

curl http://localhost:8080/api/v1
curl http://localhost:8080/api/v1/services
curl http://localhost:8080/api/v1/pods
curl http://localhost:8080/api/v1/secrets
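
Added example, not part of any comment in this thread and not kubectl's own code: a Go model of the Host-header filter behind kubectl proxy's --accept-hosts flag, which is why requests addressed to an IP came back as `<h3>Unauthorized</h3>` earlier in the thread and why `--accept-hosts='^*$'` in the comment above removes that check. The pattern list is kubectl's documented default; the function names and the probe host name are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Documented default of kubectl proxy's --accept-hosts flag.
const defaultAcceptHosts = `^localhost$,^127\.0\.0\.1$,^\[::1\]$`

// compileList compiles a comma-separated list of host patterns.
func compileList(list string) ([]*regexp.Regexp, error) {
	var out []*regexp.Regexp
	for _, p := range strings.Split(list, ",") {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("bad pattern %q: %w", p, err)
		}
		out = append(out, re)
	}
	return out, nil
}

// hostAllowed models the Host-header check: strip the port, then require an
// unanchored regexp match against at least one pattern.
func hostAllowed(hostHeader string, patterns []*regexp.Regexp) bool {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h
	}
	for _, re := range patterns {
		if re.MatchString(host) {
			return true
		}
	}
	return false
}

// flagValue returns the value of --name, written "--name=v" or "--name v".
func flagValue(args []string, name string) (string, bool) {
	long := "--" + name
	for i, a := range args {
		if strings.HasPrefix(a, long+"=") {
			return strings.TrimPrefix(a, long+"="), true
		}
		if a == long && i+1 < len(args) {
			return args[i+1], true
		}
	}
	return "", false
}

// auditProxyArgs reviews the arguments of one `kubectl proxy` invocation and
// returns a finding for each setting that widens who can reach the proxy.
func auditProxyArgs(args []string) ([]string, error) {
	var findings []string
	addr, ok := flagValue(args, "address")
	if !ok {
		addr = "127.0.0.1" // kubectl proxy's default bind address
	}
	ip := net.ParseIP(addr)
	remote := addr != "localhost" && (ip == nil || !ip.IsLoopback())
	if remote {
		findings = append(findings, "listens on non-loopback address "+addr)
	}
	list, ok := flagValue(args, "accept-hosts")
	if !ok {
		list = defaultAcceptHosts
	}
	patterns, err := compileList(list)
	if err != nil {
		return nil, err
	}
	// Constructed probe name that a loopback-only filter must reject.
	if hostAllowed("probe.example.test:80", patterns) {
		findings = append(findings, "--accept-hosts="+list+" admits any Host header")
	} else if remote && hostAllowed(addr, patterns) {
		findings = append(findings, "--accept-hosts="+list+" admits Host "+addr)
	}
	return findings, nil
}

func main() {
	// Command lines as quoted in the thread, shell quoting removed.
	for _, args := range [][]string{
		{"--port=9090"},
		{"--address=172.20.32.54", "--port=9090"},
		{"--port=8181", "--address=172.18.7.245", "--accept-hosts=^*$"},
	} {
		findings, err := auditProxyArgs(args)
		fmt.Println(args, "->", findings, err)
	}
}
```

The second command line is the original report: binding to 172.20.32.54 alone still fails because the default filter rejects that Host value. The third disables the filter, so every client that can reach the port uses the proxy's already-authenticated connection to the cluster.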

Contributor

colemickens commented Mar 27, 2017

@Klae why do you expect it to work? You're submitting zero authentication, I wouldn't expect that to work at all unless you're running the cluster very insecurely.

Contributor

colemickens commented Mar 27, 2017

@Klae as documented numerously in this thread:

$ kubectl proxy
# open in your browser:  http://localhost:8001/ui

Contributor

colemickens commented Mar 27, 2017

The same machine you're running kubectl proxy on, yes. It opens an already-authenticated proxy to the cluster.

The only way you're going to be able to use the Web UI without the proxy is if you get your browser to send a token, or use a client cert, depending on how your apiserver is set up. Using the proxy is much, much, much easier!

traceypooh commented Apr 3, 2017

something seems weird here...
like others, I want to use (mac) laptop and (chrome) browser to hit the (great) dashboard gui.

If I port forward from mac over ssh
ssh -A [MASTER-HOSTNAME] -L 8001:127.0.0.1:8001

the browser loads gui but 403s all data.
however, I'm 100% free to "raid" secrets from cmd-line/browser:
curl http://localhost:8001/api/v1/secrets

It would seem, if we (the clients/users/admins of k8 cluster) firewall off the proxy port from outside world, but port forward over ssh, that allowing fully GUI dashboard access would be pretty reasonable, security thinking-wise?

praseodym commented Apr 3, 2017

That only makes sense with RBAC disabled. I'm not sure why the dashboard 403s when not authenticating even though it is not required.

If RBAC is enabled (which it is with e.g. kubeadm 1.6), you'll need a way to authenticate as a client, and that is what kubectl proxy does nicely. In that case an SSH tunnel doesn't really make sense.

codTango commented Apr 3, 2017

I have gone through this very long thread and yet haven't found a solution for my case. In my scenario, I have a kube cluster with 3 nodes, and they're deployed on VMs that have no monitors attached, nor do I want to use X11 to forward it. This is what I need:

  1. set up multiple users with credentials
  2. people can use the credentials to log in to the dashboard remotely

But now I did this kubectl config set-credentials userA --username=userA --password=pwd, and I got Unauthorized when hitting https://{IP}/ui. Any solution? I'm not that familiar with the other ways like openssl, but tried by following the guide and still no luck.

@traceypooh

This comment has been minimized.

Show comment
Hide comment
@traceypooh

traceypooh Apr 7, 2017

thanks @praseodym for the info.
do you happen to have any pointers or places to look for more info/help on that?

i just spent 3 days in a black hole trying to sort out kubectl v1.6.1 "client" issue compared to working v1.6.0 on sun/mon, bleah! (my ops team has an over-aggressive firewall so made sorting out issues a super challenge..)

(i can get my admin.conf on my laptop and kubectl proxy with it and seems like it is connecting -- but same kind of "instantly hides access to the details" (same denied stuff as with trying to port forward a proxy from the server). so i'm probably close!)

dotw Apr 26, 2017

The solution #692 (comment) posted above worked for me. Thanks @waynebrantley!

I installed k8s using kubeadm in https://kubernetes.io/docs/getting-started-guides/kubeadm/. I wanted to run kubectl proxy on the master, and access the k8s API from a different host (not the master) using the IP address (not localhost) of the master.

172.18.7.245 is the IP address of my master, and after doing kubectl proxy --port=8181 --address=172.18.7.245 --accept-hosts='^*$' & on the master, I was able to successfully access the k8s API from a different host (with IP address 172.18.7.246 and that pings the master 172.18.7.245) using

curl http://172.18.7.245:8181/api/v1
curl http://172.18.7.245:8181/api/v1/services
curl http://172.18.7.245:8181/api/v1/pods
curl http://172.18.7.245:8181/api/v1/secrets

I was also able to access the k8s API from another machine that can SSH into 172.18.7.246 after setting up SSH port-forwarding ssh -L 8080:172.18.7.245:8181 172.18.7.245 on the machine and using the following commands.

curl http://localhost:8080/api/v1
curl http://localhost:8080/api/v1/services
curl http://localhost:8080/api/v1/pods
curl http://localhost:8080/api/v1/secrets

this works for my case

zhuroy Apr 26, 2017

Finally both below work for me, because you need to ensure master can ping pod from worker node. I found that somehow --iface was not loaded to start the kube-flannel pod, as I am using vagrant. Use kubectl replace -f kube-flannel.yml --force to delete and recreate the source.

My issues: installed a few times and spent two days but no clue.
I want to access the cluster from an outside host.
1) with kubectl proxy --address PubIP --port=9090 --accept-hosts='^*$'
I can access almost anything from an outside browser, but not /ui/; all others like /api/ are no problem

2) with NodePort, not working for me.
I did see the service and NodePort for the dashboard, but PubIP:NodePort is not working for me; it just shows ERR_EMPTY_RESPONSE after a long wait

adpit Jun 20, 2017

@zhuroy Thank you so much for the free time you gave me, I have tried it and it works:

kubectl proxy --address xxx.xx.xx.xx --port=2087 --accept-hosts='^*$'

Accessing http://xxx.xx.xx.xx:2087/ui with the browser automatically leads to

http://xxx.xx.xx.xx:2087/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy/#!/workload?namespace=default

floreks Jun 26, 2017

Member

Closing as stale.

@floreks floreks closed this Jun 26, 2017

dbreise6583 Jul 14, 2017

EASY ANSWER
You can get around this by not forwarding the host header... in Apache Virtualhost Config:
ProxyPreserveHost Off

j3ffyang Sep 6, 2017

I've not tried to configure Apache (or Nginx) web server. Instead, the following works for me

kubectl proxy --address 0.0.0.0 --accept-hosts '.*'

pgnaleen Sep 13, 2017

kubectl proxy
Running the above command from Windows worked for me. You have to give the admin.conf file using --kubeconfig="admin.conf"
kubectl --kubeconfig="admin.conf" proxy

miguelcastilho Oct 13, 2017

The "Unauthorized" error can be fixed using the disable-filter flag:

$ kubectl proxy --disable-filter=true --address=0.0.0.0

naisanza Oct 16, 2017

@colemickens the documentation doesn't say to run kubectl proxy from the machine you're physically on. I kept thinking it meant to run it from master. So that would mean you would need to install all of the kubernetes packages on your client machine to use Dashboard via kubectl proxy?

And that would also mean you need a copy of /etc/kubernetes/admin.conf on your local client as well?

floreks Oct 16, 2017

Member

From docs:

kubectl proxy creates proxy server between your machine and Kubernetes API server. By default it is only accessible locally (from the machine that started it).

@naisanza it is not stated because it can be run from any machine, and we do not want to suggest anything or make the user think that some machine is the only one he can run it from.

The only requirements are kubectl and a valid kubeconfig file.

PS. The master node does not require kubectl in any way. It's the user's choice to install it there.

colemickens Oct 16, 2017

Contributor

@naisanza The reason I mention it is:

  1. Many users in this thread seem to want to access the dashboard from machines that are not part of the cluster.

  2. If you run kubectl proxy on the master, you either have to:

    a) tunnel traffic to the master through that proxy
    b) open the proxy to accept traffic from any host and put it on a publicly accessible port

The 2b option is suggested throughout this thread but that means that anyone in the world could then start writing to your cluster. The more secure option is to run kubectl proxy from the same node you're running the browser on.

I think there are additional options now that kube-dashboard offers some alternative authentication options, but that was my reason for recommendation in this thread.
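
The exposure described in the comment above can be checked mechanically. The following Go program is an added example, not part of this thread and not kubectl's own code: it audits a kubectl proxy argument vector for the three settings suggested in this thread that open the proxy to other hosts. Audit, flagValue and the probe host name are hypothetical; the defaults are the ones printed by kubectl proxy --help, and --accept-hosts is assumed to be a comma-separated list of unanchored Go regular expressions.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// flagValue returns the last value given for --name ("--name=v" or "--name v"), else def.
func flagValue(argv []string, name, def string) string {
	for i, a := range argv {
		if strings.HasPrefix(a, "--"+name+"=") {
			def = strings.TrimPrefix(a, "--"+name+"=")
		} else if a == "--"+name && i+1 < len(argv) {
			def = argv[i+1]
		}
	}
	return def
}

// Audit lists why a kubectl proxy argv serves more than the local machine (nil if it does not).
func Audit(argv []string) (findings []string) {
	const probe = "dashboard.example.test" // constructed Host value, not a local name
	addr := flagValue(argv, "address", "127.0.0.1")
	if ip := net.ParseIP(addr); addr != "localhost" && (ip == nil || !ip.IsLoopback()) {
		findings = append(findings, "listens on non-loopback address "+addr)
	}
	for _, a := range argv {
		if a == "--disable-filter" || a == "--disable-filter=true" {
			findings = append(findings, "request filter disabled")
		}
	}
	hosts := flagValue(argv, "accept-hosts", `^localhost$,^127\.0\.0\.1$,^\[::1\]$`)
	for _, pat := range strings.Split(hosts, ",") { // assumed: comma-separated, unanchored
		if re, err := regexp.Compile(pat); err != nil {
			findings = append(findings, "accept-hosts pattern "+pat+" does not compile")
		} else if re.MatchString(probe) {
			findings = append(findings, "accept-hosts pattern "+pat+" accepts unrelated host "+probe)
		}
	}
	return findings
}

func main() {
	// Constructed argv vectors mirroring commands quoted in this thread.
	for _, argv := range [][]string{
		{"kubectl", "proxy"},
		{"kubectl", "proxy", "--port=8181", "--address=172.18.7.245", "--accept-hosts=^*$"},
		{"kubectl", "proxy", "--address", "0.0.0.0", "--accept-hosts", ".*"},
		{"kubectl", "proxy", "--disable-filter=true", "--address=0.0.0.0"},
	} {
		fmt.Println(strings.Join(argv, " "), "->", Audit(argv))
	}
}
```

Any finding means the proxy relays requests under the kubeconfig's credentials for clients other than the machine that started it, which is the case the comment above advises against.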

immarvin Apr 5, 2018

hi @miguelcastilho , kubectl proxy --disable-filter=true --address=0.0.0.0 works for me, thanks a lot

k-modi Apr 24, 2018

I was able to get this working. Hence, sharing it for anyone interested.

BACKGROUND: K8s master on ubuntu VM. Couldn't access dashboard from my local machine (Windows 10).

Solution:
Taking pointers from @seeekr and @groyee, I installed kubectl on my machine and configured it to map to the cluster using https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/.

Note: I had to WinSCP and copy over the cert files from ~/kube/certs/ on the ubuntu VM.

Thereafter,

  1. Added a new cluster to $HOME/.kube/config using:
    kubectl config set-cluster <custom-cluster-name> --server=<https://{ip-of-ubuntu-master}> --certificate-authority=<path/to/apiserver.pem>
  2. Added a new user with:
    kubectl config set-credentials <custom-user-name> --client-certificate=<path/to/ca.pem> --client-key=<path/to/ca-key.pem>
  3. Added a context to map the cluster and user together using:
    kubectl config set-context <custom-context-name> --cluster=<custom-cluster-name-from-above> --user=<custom-user-name-from-above>
  4. Change/set the current kubectl context to the newly created one:
    kubectl config use-context <custom-context-name>
  5. Start proxy
    kubectl proxy
  6. Browse to
    http://127.0.0.1:8001/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy

Enjoy!!!
