Kubernetes: dashboard https Unauthorized

Created on 30 Aug 2016  ·  3Comments  ·  Source: kubernetes/kubernetes

Dashboard version: 1.1
Kubernetes version: 1.3.6
Operating system: ubuntu14.04
Go version:1.6.2
Ideploy kubernetes and dashboard as http://kubernetes.io/docs/getting-started-guides/ubuntu/

I can access the dashboard http://master-ip:8080/
bur when I access https://master-ip:6443/ ,return "Unauthorized"
why?

areapiserver
Source
picture chowyu08

Most helpful comment

I'm guessing that your clusters are using certificates for secure communication over HTTPS. There are 2 issues here.

  1. Browser doesn't recognize root CA so it can't trust that connection is safe. We can bypass that and still use it. This part is not a blocker. :)
    zrzut ekranu z 2016-09-15 15-50-35
  2. API Server needs client certificate/token/user and pass (depends on configuration) to authorize client otherwise it will return Unauthorized.

It's easy to authorize with curl because you can easily provide required data.
curl https://<MASTER_IP>/version --cacert ca.crt --cert admin.crt --key admin.key
curl https://<MASTER_IP>/version --header "Authorization: Bearer $TOKEN" `

With browser it's more complicated than that. There are several ways to access dashboard:

  1. You can expose it through service using NodePort and access it with <MASTER_IP>:<NODE_PORT>. (Not Safe)
  2. Import certificates into your browser.
  3. Use kubectl proxy and go to http://127.0.0.1:8001/ (bind address can be changed). It will handle SSL tunneling if your kubeconfig file is configured to use secure connection.

Regarding second option. I can provide some information how to do that using firefox.

  1. Import generated CA certificate into the browser.
    zrzut ekranu z 2016-09-15 16-05-47
  2. Import user certificate to Your Certificates. If you have 2 separate certificates crt and key it's best to merge them into PFX/PKCS#12 certificate because it's easy to import it directly into the browser certificate store. You can use this page or do it manually using openssl.
    zrzut ekranu z 2016-09-15 16-09-44

If certificates are generated correctly then popup will be displayed on next attempt to access api server over HTTPS. You may need to clear browser cache.
zrzut ekranu z 2016-09-15 16-12-04

You should see the dashboard now. :)
zrzut ekranu z 2016-09-15 16-14-16

I don't know how to use bearer token in browser. Possibly it requires some manual work to add data to HTTP header before sending request to api server.

There are of course other options to authorize user. Kubernetes supports ABAC, RBAC and much more.

picture floreks on 15 Sep 2016
7 👍6

All 3 comments

I have the same issue. And I think author maybe haven't consider it yet.
https://github.com/kubernetes/dashboard/issues/1116

workhardcc picture workhardcc on 2 Sep 2016

I'm guessing that your clusters are using certificates for secure communication over HTTPS. There are 2 issues here.

  1. Browser doesn't recognize root CA so it can't trust that connection is safe. We can bypass that and still use it. This part is not a blocker. :)
    zrzut ekranu z 2016-09-15 15-50-35
  2. API Server needs client certificate/token/user and pass (depends on configuration) to authorize client otherwise it will return Unauthorized.

It's easy to authorize with curl because you can easily provide required data.
curl https://<MASTER_IP>/version --cacert ca.crt --cert admin.crt --key admin.key
curl https://<MASTER_IP>/version --header "Authorization: Bearer $TOKEN" `

With browser it's more complicated than that. There are several ways to access dashboard:

  1. You can expose it through service using NodePort and access it with <MASTER_IP>:<NODE_PORT>. (Not Safe)
  2. Import certificates into your browser.
  3. Use kubectl proxy and go to http://127.0.0.1:8001/ (bind address can be changed). It will handle SSL tunneling if your kubeconfig file is configured to use secure connection.

Regarding second option. I can provide some information how to do that using firefox.

  1. Import generated CA certificate into the browser.
    zrzut ekranu z 2016-09-15 16-05-47
  2. Import user certificate to Your Certificates. If you have 2 separate certificates crt and key it's best to merge them into PFX/PKCS#12 certificate because it's easy to import it directly into the browser certificate store. You can use this page or do it manually using openssl.
    zrzut ekranu z 2016-09-15 16-09-44

If certificates are generated correctly then popup will be displayed on next attempt to access api server over HTTPS. You may need to clear browser cache.
zrzut ekranu z 2016-09-15 16-12-04

You should see the dashboard now. :)
zrzut ekranu z 2016-09-15 16-14-16

I don't know how to use bearer token in browser. Possibly it requires some manual work to add data to HTTP header before sending request to api server.

There are of course other options to authorize user. Kubernetes supports ABAC, RBAC and much more.

floreks picture floreks on 15 Sep 2016
7 👍6

The browser is required to authenticate when accessing the secured API server port. As https://github.com/kubernetes/kubernetes/issues/31665#issuecomment-247342834 demonstrates, that can be done with certificate-based authentication.

For token-based authentication, browsers do not give you a way to send bearer tokens automatically with your requests.

The dashboard describes how you can use kubectl proxy which adds in your authentication credentials, and lets you access the dashboard locally through the proxy - https://github.com/kubernetes/dashboard#usage

liggitt picture liggitt on 14 Feb 2017
Was this page helpful?
0 / 5 - 0 ratings

Related issues

pwittrock picture pwittrock  ·  3Comments
errordeveloper picture errordeveloper  ·  3Comments
broady picture broady  ·  3Comments
sjenning picture sjenning  ·  3Comments
ttripp picture ttripp  ·  3Comments