Dashboard: Scrambled Credentials - Accessing dashboard with chrome, on windows

Created on 8 Apr 2018  ·  15 Comments  ·  Source: kubernetes/dashboard

Environment
Dashboard version: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3
Kubernetes version: v1.10.0
Host: Windows10 1709  VirtualBox 5.2.8

Operating system: CentOS-7.2  Linux version 3.10.0-693.21.1.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) )
Steps to reproduce
  1. Master Node IP: 192.168.56.3
  2. Deploying Dashboard
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
  1. Can access dashboard with kubectl proxy
kubectl proxy

curl http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

<!doctype html> <html ng-app="kubernetesDashboard"> <head> <meta charset="utf-8"> <title ng-controller="kdTitle as $ctrl" ng-bind="$ctrl.title()"></title> <link rel="icon" type="image/png" href="assets/images/kubernetes-logo.png"> <meta name="viewport" content="width=device-width"> <link rel="stylesheet" href="static/vendor.93db0a0d.css"> <link rel="stylesheet" href="static/app.93e259f7.css"> </head> <body ng-controller="kdMain as $ctrl"> <!--[if lt IE 10]>
      <p class="browsehappy">You are using an <strong>outdated</strong> browser.
      Please <a href="http://browsehappy.com/">upgrade your browser</a> to improve your
      experience.</p>
    <![endif]--> <kd-login layout="column" layout-fill="" ng-if="$ctrl.isLoginState()"> </kd-login> <kd-chrome layout="column" layout-fill="" ng-if="!$ctrl.isLoginState()"> </kd-chrome> <script src="static/vendor.bd425c26.js"></script> <script src="api/appConfig.json"></script> <script src="static/app.b5ad51ac.js"></script> </body> </html>

It seems to work correctly.

  1. Edit the kubernetes-dashboard service, change type: ClusterIP to type: NodePort
NAME                   TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.100.105.239   <none>        443:30778/TCP   1h
  1. Accessing dashboard on Master Node
curl https://192.168.56.3:30778 -k

<!doctype html> <html ng-app="kubernetesDashboard"> <head> <meta charset="utf-8"> <title ng-controller="kdTitle as $ctrl" ng-bind="$ctrl.title()"></title> <link rel="icon" type="image/png" href="assets/images/kubernetes-logo.png"> <meta name="viewport" content="width=device-width"> <link rel="stylesheet" href="static/vendor.93db0a0d.css"> <link rel="stylesheet" href="static/app.93e259f7.css"> </head> <body ng-controller="kdMain as $ctrl"> <!--[if lt IE 10]>
      <p class="browsehappy">You are using an <strong>outdated</strong> browser.
      Please <a href="http://browsehappy.com/">upgrade your browser</a> to improve your
      experience.</p>
    <![endif]--> <kd-login layout="column" layout-fill ng-if="$ctrl.isLoginState()"> </kd-login> <kd-chrome layout="column" layout-fill ng-if="!$ctrl.isLoginState()"> </kd-chrome> <script src="static/vendor.bd425c26.js"></script> <script src="api/appConfig.json"></script> <script src="static/app.b5ad51ac.js"></script> </body> </html>

It seems to work correctly.

  1. Accessing dashboard on Host
ping 192.168.56.3

Pinging 192.168.56.3 with 32 bytes of data:
Reply from 192.168.56.3: bytes=32 time<1ms TTL=64
Reply from 192.168.56.3: bytes=32 time<1ms TTL=64
Reply from 192.168.56.3: bytes=32 time<1ms TTL=64
Reply from 192.168.56.3: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.56.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

View https://192.168.56.3:30778/ with chrome:

You cannot visit 192.168.56.3 right now because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.

Use curl:

 <!doctype html> <html ng-app="kubernetesDashboard"> <head> <meta charset="utf-8"> <title ng-controller="kdTitle as $ctrl" ng-bind="$ctrl.title()"></title> <link rel="icon" type="image/png" href="assets/images/kubernetes-logo.png"> <meta name="viewport" content="width=device-width"> <link rel="stylesheet" href="static/vendor.93db0a0d.css"> <link rel="stylesheet" href="static/app.93e259f7.css"> </head> <body ng-controller="kdMain as $ctrl"> <!--[if lt IE 10]>
      <p class="browsehappy">You are using an <strong>outdated</strong> browser.
      Please <a href="http://browsehappy.com/">upgrade your browser</a> to improve your
      experience.</p>
    <![endif]--> <kd-login layout="column" layout-fill ng-if="$ctrl.isLoginState()"> </kd-login> <kd-chrome layout="column" layout-fill ng-if="!$ctrl.isLoginState()"> </kd-chrome> <script src="static/vendor.bd425c26.js"></script> <script src="api/appConfig.json"></script> <script src="static/app.b5ad51ac.js"></script> </body> </html>

It seems to work correctly too.

  1. Accessing dashboard on another virtual host (Centos desktop)

image

Observed result

Windows Chrome cannot access the dashboard because of scrambled credentials

Comments
  1. Is there something wrong with my operation?
  2. It seems OS related? I tried the same on my MBP and it works correctly.

Most helpful comment

@floreks I know that the browser will prompt Not secure with self-signed certificates. The question is the scrambled credentials.

You cannot visit 192.168.56.3 right now because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.

On Linux and macOS the browser prompts Not secure, but I can visit if I ignore the error. Maybe it is the self-signed certificates issue.

Thanks.

All 15 comments

Facing exactly the same issue on centos k8s cluster. Dashboard is running on centos.
[root@ek-node1 ~]# curl -k https://10.96.101.87:443

+1 same issue

+1

+1

I opted for FF on Windows

How come the top google search result for practically every common Kubernetes issue never has the answer I am looking for. I suppose even if it did have an answer it would be wholesomely out of date days later.

This issue has someone who provides an answer which maybe works for v1 and doesn't seem to work for v2...
https://github.com/kubernetes/dashboard/issues/3804

the same issue as #3804
provide your own certificates as described by @tony-liuliu if self-signed ones are not allowed by your browser configuration.

Generate self-signed certificates
[root@es-master-1 ~]# mkdir certs
[root@es-master-1 ~]# openssl req -nodes -newkey rsa:2048 -keyout certs/dashboard.key -out certs/dashboard.csr -subj "/C=/ST=/L=/O=/OU=/CN=kubernetes-dashboard"
[root@es-master-1 ~]# openssl x509 -req -sha256 -days 365 -in certs/dashboard.csr -signkey certs/dashboard.key -out certs/dashboard.crt

Generate the kubernetes-dashboard-certs certificate file
[root@es-master-1 ~]# kubectl create secret generic kubernetes-dashboard-certs --from-file=certs -n kube-system

Make sure the kubernetes-dashboard-certs secret has been imported correctly
[root@es-master-1 ~]# kubectl -n kube-system describe secret/kubernetes-dashboard-certs

Try dashboard again

(By the way, adding "--test-type --ignore-certificate-errors" to Chrome's quick start command may also work. This depends on your Chrome version.)

@Gunni I don't see how that'd show a "scrambled credentials" error...

Typing

chrome://flags/#allow-insecure-localhost

into the URL bar of a Chrome browser and selecting "Enabled" solved this problem for me.

It seems like it is the Chrome error message that is confused - Chrome is by default just not allowing HTTPS requests over localhost for self-signed certificates.

Per the latest dashboard installation docs (https://github.com/kubernetes/dashboard/blob/master/docs/user/installation.md):

To access Dashboard directly (without kubectl proxy) valid certificates should be used to establish a secure HTTPS connection. They can be generated using public trusted Certificate Authorities like Let's Encrypt, optionally Cert-Manager can auto-issue and auto-renew them. Use them to replace the auto-generated certificates from Dashboard.

By default self-signed certificates are generated and stored in-memory. In case you would like to use your custom certificates follow the below steps, otherwise skip directly to the Dashboard deploy part.

Custom certificates have to be stored in a secret named kubernetes-dashboard-certs in the same namespace as Kubernetes Dashboard. Assuming that you have tls.crt and tls.key files stored under $HOME/certs directory, you should create secret with contents of these files:

kubectl create secret generic kubernetes-dashboard-certs --from-file=$HOME/certs -n kubernetes-dashboard

Alternative setup: Certificates are not used and Dashboard is exposed only over HTTP. In this setup access control can be ensured only by using Authorization Header feature.

To deploy Dashboard execute following command:

kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-rc5/aio/deploy/alternative.yaml
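
Added example, not code from the thread or from the Dashboard project: it serves both the dashboard.crt/dashboard.key procedure quoted earlier and the tls.crt/tls.key layout in the docs excerpt above. The openssl commands in the thread set only a CN, while Chrome matches the address against subjectAltName, so this version puts the node IP in the SAN and checks the cert/key pair before it is loaded into the kubernetes-dashboard-certs secret. Assumptions: OpenSSL 1.1.1 or newer (for -addext); the function names and the extra DNS SAN entry are illustrative.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical. Needs OpenSSL >= 1.1.1.

# make_dashboard_cert DIR NODE_IP [BASENAME]
# Writes DIR/BASENAME.key and DIR/BASENAME.crt: a self-signed certificate
# whose subjectAltName carries the IP the browser connects to.
# BASENAME is "dashboard" (v1 comment) or "tls" (docs excerpt).
make_dashboard_cert() {
  local dir="$1" ip="$2" base="${3:-dashboard}"
  mkdir -p "$dir" || return 1
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
    -keyout "$dir/$base.key" -out "$dir/$base.crt" \
    -subj "/CN=kubernetes-dashboard" \
    -addext "subjectAltName=IP:$ip,DNS:kubernetes-dashboard" 2>/dev/null
}

# check_dashboard_cert CRT KEY NODE_IP
# Returns 0 only if the key belongs to the cert, the cert has not
# expired, and NODE_IP is listed in the SAN.
check_dashboard_cert() {
  local crt="$1" key="$2" ip="$3" cert_pub key_pub
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "key does not match certificate" >&2; return 1; }
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "certificate has expired" >&2; return 1; }
  openssl x509 -in "$crt" -noout -checkip "$ip" 2>/dev/null \
    | grep -q "does match certificate" \
    || { echo "SAN does not list IP $ip" >&2; return 1; }
}

# Typical use with the node IP from the issue:
#   make_dashboard_cert "$HOME/certs" 192.168.56.3 tls
#   check_dashboard_cert "$HOME/certs/tls.crt" "$HOME/certs/tls.key" 192.168.56.3
```

Once the check passes, the directory can be loaded with the kubectl create secret generic kubernetes-dashboard-certs --from-file=... command shown above, in the namespace the Dashboard runs in.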

As many others mentioned here, I just created a self signed cert/key and imported the cert as a secret to kubernetes-dashboard-certs, which fixed the issue with Chrome!

A quick way to bypass this message — open Advanced and see if you have a “proceed to website” option.

If not, you can try typing “badidea” or “thisisunsafe” directly in chrome on the same page. Don’t do this unless the site is one you trust or develop. The text “badidea” and “thisisunsafe” says a lot!

Quoted from this article: https://medium.com/@dblazeski/chrome-bypass-net-err-cert-invalid-for-development-daefae43eb12
