dashboard https Unauthorized #31665

Closed
chowyu08 opened this Issue Aug 30, 2016 · 3 comments


chowyu08 commented Aug 30, 2016

Dashboard version: 1.1
Kubernetes version: 1.3.6
Operating system: ubuntu14.04
Go version: 1.6.2
I deployed Kubernetes and the dashboard following http://kubernetes.io/docs/getting-started-guides/ubuntu/

I can access the dashboard at http://master-ip:8080/
but when I access https://master-ip:6443/, it returns "Unauthorized".
Why?

workhardcc commented Sep 2, 2016

I have the same issue, and I think the author may not have considered it yet.
kubernetes/dashboard#1116

Member

floreks commented Sep 15, 2016

I'm guessing that your clusters are using certificates for secure communication over HTTPS. There are 2 issues here.

  1. Browser doesn't recognize root CA so it can't trust that connection is safe. We can bypass that and still use it. This part is not a blocker. :)
  2. API Server needs client certificate/token/user and pass (depends on configuration) to authorize client otherwise it will return Unauthorized.

It's easy to authorize with curl because you can easily provide required data.
```
curl https://<MASTER_IP>/version --cacert ca.crt --cert admin.crt --key admin.key
curl https://<MASTER_IP>/version --header "Authorization: Bearer $TOKEN"
```

With browser it's more complicated than that. There are several ways to access dashboard:

  1. You can expose it through service using NodePort and access it with <MASTER_IP>:<NODE_PORT>. (Not Safe)
  2. Import certificates into your browser.
  3. Use kubectl proxy and go to http://127.0.0.1:8001/ (bind address can be changed). It will handle SSL tunneling if your kubeconfig file is configured to use secure connection.

Regarding the second option, I can provide some information on how to do that using Firefox.

  1. Import generated CA certificate into the browser.
  2. Import user certificate to Your Certificates. If you have 2 separate certificates crt and key it's best to merge them into PFX/PKCS#12 certificate because it's easy to import it directly into the browser certificate store. You can use this page or do it manually using openssl.

If certificates are generated correctly then popup will be displayed on next attempt to access api server over HTTPS. You may need to clear browser cache.

You should see the dashboard now. :)

I don't know how to use bearer token in browser. Possibly it requires some manual work to add data to HTTP header before sending request to api server.

There are of course other options to authorize user. Kubernetes supports ABAC, RBAC and much more.
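
The manual openssl merge into PKCS#12 mentioned in the comment above, as an added example that is not part of the original thread. The function name `make_pfx`, the file names and the friendly name `kubernetes-admin` are assumptions; the function checks that the key belongs to the certificate and that the certificate was issued by the given CA before writing the bundle.

```bash
# Added example (not from the thread): bundle a client cert + key into PKCS#12
# for import into a browser certificate store.
# Usage: make_pfx <client.crt> <client.key> <ca.crt> <out.p12> <export-password>
# Return codes: 0 ok, 2 unreadable input, 3 key/cert mismatch, 4 wrong CA.
make_pfx() {
  local crt=$1 key=$2 ca=$3 out=$4 pass=$5
  local crt_pub key_pub

  # Compare the public key in the certificate with the one derived from the
  # private key. A mismatched pair only shows up later as a failed handshake.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256) || return 2
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256) || return 2
  if [ "$crt_pub" != "$key_pub" ]; then
    echo "make_pfx: private key does not match certificate" >&2
    return 3
  fi

  # The API server rejects client certificates that do not chain to the CA it
  # trusts, so check that here instead of debugging "Unauthorized" afterwards.
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "make_pfx: certificate was not issued by $ca" >&2
    return 4
  fi

  # The bundle contains the private key: create it with owner-only permissions
  # and protect it with an export password (asked for again on import).
  ( umask 077 && openssl pkcs12 -export \
      -in "$crt" -inkey "$key" -certfile "$ca" \
      -name "kubernetes-admin" \
      -out "$out" -passout "pass:$pass" )
}
```

Example call with the file names used in the curl command above: `make_pfx admin.crt admin.key ca.crt admin.p12 "$EXPORT_PASSWORD"`.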

Member

liggitt commented Feb 14, 2017

The browser is required to authenticate when accessing the secured API server port. As #31665 (comment) demonstrates, that can be done with certificate-based authentication.

For token-based authentication, browsers do not give you a way to send bearer tokens automatically with your requests.

The dashboard describes how you can use kubectl proxy which adds in your authentication credentials, and lets you access the dashboard locally through the proxy - https://github.com/kubernetes/dashboard#usage
