Dashboard: Permission errors with dashboard v2.0.0-beta3

Created on 8 Aug 2019  ·  12 Comments  ·  Source: kubernetes/dashboard

Environment

Installation method: Minikube v1.3.0
Kubernetes version: 1.15
Dashboard version: v2.0.0-beta3

Steps to reproduce

Deployed latest Dashboard v2.0.0-beta3 with alternate (no https) manifest as:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta3/aio/deploy/alternative.yaml

Also created an Ingress with the manifest:

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
    annotations:
      nginx.ingress.kubernetes.io/rewrite-target: /
spec:
    rules:
    - host: dashboard.192.168.99.100.nip.io
      http:
        paths:
        - path: /
          backend:
            serviceName: kubernetes-dashboard
            servicePort: 80

The pods are running but Dashboard logs multiple permission errors while getting API resources. Also no resources are shown in the UI, only the errors on the notifications window.

Observed result

Dashboard errors:

2019/08/08 21:54:35 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:54:35 [2019-08-08T21:54:35Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:54:38 [2019-08-08T21:54:38Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:54:38 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:54:38 [2019-08-08T21:54:38Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:54:40 [2019-08-08T21:54:40Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:54:40 Getting list of namespaces
2019/08/08 21:54:40 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:54:40 [2019-08-08T21:54:40Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:54:43 [2019-08-08T21:54:43Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:54:43 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:54:43 [2019-08-08T21:54:43Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:54:45 [2019-08-08T21:54:45Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:54:45 Getting list of namespaces
2019/08/08 21:54:45 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:54:45 [2019-08-08T21:54:45Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:54:48 [2019-08-08T21:54:48Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:54:48 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:54:48 [2019-08-08T21:54:48Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:54:50 [2019-08-08T21:54:50Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:54:50 Getting list of namespaces
2019/08/08 21:54:50 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:54:50 [2019-08-08T21:54:50Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:54:53 [2019-08-08T21:54:53Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:54:53 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:54:53 [2019-08-08T21:54:53Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:54:55 [2019-08-08T21:54:55Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:54:55 Getting list of namespaces
2019/08/08 21:54:55 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:54:55 [2019-08-08T21:54:55Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:54:58 [2019-08-08T21:54:58Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:54:58 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:54:58 [2019-08-08T21:54:58Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:00 [2019-08-08T21:55:00Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:55:00 Getting list of namespaces
2019/08/08 21:55:00 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:55:00 [2019-08-08T21:55:00Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:03 [2019-08-08T21:55:03Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:55:03 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:55:03 [2019-08-08T21:55:03Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:05 [2019-08-08T21:55:05Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:55:05 Getting list of namespaces
2019/08/08 21:55:05 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:55:05 [2019-08-08T21:55:05Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:08 [2019-08-08T21:55:08Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:55:08 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:55:08 [2019-08-08T21:55:08Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:10 [2019-08-08T21:55:10Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:55:10 Getting list of namespaces
2019/08/08 21:55:10 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:55:10 [2019-08-08T21:55:10Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:13 [2019-08-08T21:55:13Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:55:13 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:55:13 [2019-08-08T21:55:13Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:15 [2019-08-08T21:55:15Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:55:15 Getting list of namespaces
2019/08/08 21:55:15 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:55:15 [2019-08-08T21:55:15Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:18 [2019-08-08T21:55:18Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:55:18 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:55:18 [2019-08-08T21:55:18Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:20 [2019-08-08T21:55:20Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:55:20 Getting list of namespaces
2019/08/08 21:55:20 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:55:20 [2019-08-08T21:55:20Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:23 [2019-08-08T21:55:23Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:55:23 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:55:23 [2019-08-08T21:55:23Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:25 [2019-08-08T21:55:25Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:55:25 Getting list of namespaces
2019/08/08 21:55:25 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:55:25 [2019-08-08T21:55:25Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:28 [2019-08-08T21:55:28Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:55:28 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:55:28 [2019-08-08T21:55:28Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:30 [2019-08-08T21:55:30Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:55:30 Getting list of namespaces
2019/08/08 21:55:30 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:55:30 [2019-08-08T21:55:30Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:33 [2019-08-08T21:55:33Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:55:33 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:55:33 [2019-08-08T21:55:33Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:35 [2019-08-08T21:55:35Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:55:35 Getting list of namespaces
2019/08/08 21:55:35 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:55:35 [2019-08-08T21:55:35Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:38 [2019-08-08T21:55:38Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:55:38 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:55:38 [2019-08-08T21:55:38Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:40 [2019-08-08T21:55:40Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:55:40 Getting list of namespaces
2019/08/08 21:55:40 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:55:40 [2019-08-08T21:55:40Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:43 [2019-08-08T21:55:43Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:55:43 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:55:43 [2019-08-08T21:55:43Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:45 [2019-08-08T21:55:45Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:55:45 Getting list of namespaces
2019/08/08 21:55:45 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:55:45 [2019-08-08T21:55:45Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:48 [2019-08-08T21:55:48Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:55:48 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:55:48 [2019-08-08T21:55:48Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:50 [2019-08-08T21:55:50Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:55:50 Getting list of namespaces
2019/08/08 21:55:50 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:55:50 [2019-08-08T21:55:50Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:53 [2019-08-08T21:55:53Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:55:53 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:55:53 [2019-08-08T21:55:53Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:55 [2019-08-08T21:55:55Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:55:55 Getting list of namespaces
2019/08/08 21:55:55 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:55:55 [2019-08-08T21:55:55Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:55:58 [2019-08-08T21:55:58Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:55:58 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:55:58 [2019-08-08T21:55:58Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:56:00 [2019-08-08T21:56:00Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:56:00 Getting list of namespaces
2019/08/08 21:56:00 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:56:00 [2019-08-08T21:56:00Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:56:03 [2019-08-08T21:56:03Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:56:03 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:56:03 [2019-08-08T21:56:03Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:56:05 [2019-08-08T21:56:05Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:56:05 Getting list of namespaces
2019/08/08 21:56:05 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:56:05 [2019-08-08T21:56:05Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:56:08 [2019-08-08T21:56:08Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:56:08 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:56:08 [2019-08-08T21:56:08Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:56:10 [2019-08-08T21:56:10Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:56:10 Getting list of namespaces
2019/08/08 21:56:10 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:56:10 [2019-08-08T21:56:10Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:56:13 [2019-08-08T21:56:13Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:56:13 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:56:13 [2019-08-08T21:56:13Z] Outcoming response to 10.1.0.31:52030 with 200 status code
2019/08/08 21:56:15 [2019-08-08T21:56:15Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.1.0.31:52030:
2019/08/08 21:56:15 Getting list of namespaces
2019/08/08 21:56:15 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope

Expected result

Cluster resources to be shown.
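
The log above repeats the same two denials many times over. As an added example (not part of the original issue or of the Dashboard project), the Python below reduces such a log to its distinct denials and groups them into the smallest RBAC rules that would cover them for one chosen subject. The sample lines are constructed in the format of the log above, and the namespaced denials among them are made up to show Role scoping.

```python
import re
from collections import defaultdict

DASHBOARD_SA = "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard"

# Constructed sample. The first four lines follow the Dashboard log quoted in the
# issue; the last three (namespaced denials) are made up for this example.
SAMPLE_LOG = '''\
2019/08/08 21:54:35 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:54:38 [2019-08-08T21:54:38Z] Incoming HTTP/1.1 GET /api/v1/node?itemsPerPage=10&page=1&sortBy=d,creationTimestamp request from 10.1.0.31:52030:
2019/08/08 21:54:38 Non-critical error occurred during resource retrieval: nodes is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "nodes" in API group "" at the cluster scope
2019/08/08 21:54:40 Non-critical error occurred during resource retrieval: namespaces is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "namespaces" in API group "" at the cluster scope
2019/08/08 21:54:41 Non-critical error occurred during resource retrieval: pods is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "pods" in API group "" in the namespace "default"
2019/08/08 21:54:42 Non-critical error occurred during resource retrieval: pods is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot get resource "pods" in API group "" in the namespace "default"
2019/08/08 21:54:43 Non-critical error occurred during resource retrieval: deployments is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "deployments" in API group "apps" in the namespace "default"
'''

# The authorization denial text as it appears in the log lines above.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)


def parse_denials(log_text):
    """Return the distinct (user, namespace, group, resource, verb) denials.

    namespace is None for a cluster-scoped denial.
    """
    denials = set()
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if m:
            denials.add((m["user"], m["namespace"], m["group"],
                         m["resource"], m["verb"]))
    return denials


def minimal_rules(denials, user):
    """Group one subject's denials into RBAC rules, keyed by scope.

    Key None holds rules for a ClusterRole; a namespace name holds rules for a
    Role in that namespace. Resources share a rule only when they have the same
    API group and the same verb set, because a rule grants every listed verb on
    every listed resource and merging more loosely would over-grant.
    """
    verbs = defaultdict(set)            # (namespace, group, resource) -> verbs
    for u, ns, group, resource, verb in denials:
        if u == user:
            verbs[(ns, group, resource)].add(verb)

    merged = defaultdict(list)          # (namespace, group, verbs) -> resources
    for (ns, group, resource), vs in verbs.items():
        merged[(ns, group, tuple(sorted(vs)))].append(resource)

    rules = defaultdict(list)
    # None (cluster scope) sorts first by mapping it to the empty string.
    for (ns, group, vs), resources in sorted(
            merged.items(), key=lambda kv: (kv[0][0] or "", kv[0][1], kv[0][2])):
        rules[ns].append({"apiGroups": [group],
                          "resources": sorted(resources),
                          "verbs": list(vs)})
    return dict(rules)


if __name__ == "__main__":
    for scope, scope_rules in minimal_rules(parse_denials(SAMPLE_LOG),
                                            DASHBOARD_SA).items():
        print("ClusterRole" if scope is None else "Role in %s" % scope)
        for rule in scope_rules:
            print("  ", rule)
```

The output is a starting point for review: it lists what was denied, and whether a given identity should be granted it is a separate decision.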

All 12 comments

This is not a bug. Works as intended. Alternative setup is for advanced users. Dashboard by default has very limited privileges. You have to either grant it more privileges or set a reverse auth proxy to handle the authentication.

/close

@floreks: Closing this issue.

In response to this:

This is not a bug. Works as intended. Alternative setup is for advanced users. Dashboard by default has very limited privileges. You have to either grant it more privileges or set a reverse auth proxy to handle the authentication.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@floreks I understand a little about Kubernetes since I wrote a couple articles and contributed to K8s projects as well so I can consider myself an "advanced user".

The only difference between the recommended and the alternative manifests is the use of HTTPS and the certificate generation, nothing related to the cluster authentication, as shown below:

❯ diff recommended.yaml alternative.yaml
41,42c41,42
<     - port: 443
<       targetPort: 8443
---
>     - port: 80
>       targetPort: 9090
172c172
< apiVersion: apps/v1
---
> apiVersion: apps/v1beta2
192d191
<           imagePullPolicy: Always
194c193
<             - containerPort: 8443
---
>             - containerPort: 9090
197d195
<             - --auto-generate-certificates
199,202c197,200
<             # Uncomment the following line to manually specify Kubernetes API server Host
<             # If not specified, Dashboard will attempt to auto discover the API server and connect
<             # to it. Uncomment only if the default does not work.
<             # - --apiserver-host=http://my-address:port
---
>           # Uncomment the following line to manually specify Kubernetes API server Host
>           # If not specified, Dashboard will attempt to auto discover the API server and connect
>           # to it. Uncomment only if the default does not work.
>           # - --apiserver-host=http://my-address:port
204,206c202
<             - name: kubernetes-dashboard-certs
<               mountPath: /certs
<               # Create on-disk volume to store exec logs
---
>             # Create on-disk volume to store exec logs
211d206
<               scheme: HTTPS
213c208
<               port: 8443
---
>               port: 9090
217,219d211
<         - name: kubernetes-dashboard-certs
<           secret:
<             secretName: kubernetes-dashboard-certs

Second, I'm not talking about user authentication but cluster authentication, and this "limited set of privileges" doesn't allow the Dashboard to perform any operation getting elements on the cluster.

This is the reason I opened the issue, to report that the manifests as they are now don't work as expected by a user willing to install it.

Of course, after replacing the RBAC permissions with a ServiceAccount and a ClusterRoleBinding with cluster-admin role, the dashboard worked.

Disclaimer: This should not be used in a production cluster as the dashboard would have full administrative permissions to the cluster opening a big security issue.

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

As described in the docs: https://github.com/kubernetes/dashboard/wiki/Installation#alternative-setup

Access control for alternative setup can be only assured using auth header feature. It is intended that Dashboard itself by default has very limited access to the cluster and user has to use third-party solutions to inject this header into every request to Dashboard. That's why alternative setup is only recommended for people using reverse auth proxy.

This is still a problem as the dashboard is practically unusable out of the box without clear instructions on how to do anything in a manner that isn't outright labelled as 'not recommended'.
Documentation at https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/README.md does not cover v2.
The link https://github.com/kubernetes/dashboard/wiki/Installation#alternative-setup is 404.

One could set Keycloak for example to protect access to the dashboard similar to what I described on this: https://medium.com/@carlosedp/adding-authentication-to-your-kubernetes-front-end-applications-with-keycloak-6571097be090

@carlosedp Yes, I agree external auth is certainly good idea.

However, we still then have to give Dashboard sufficient permissions to be able to work.
It would not be prudent to give it cluster-admin even if it is protected by authentication because the user may just break something accidentally.

I am just wondering why there isn't a recommended configuration that would include a ClusterRole with sufficient get, list and watch permissions just so that after installation Dashboard is working. Perhaps, it might not be the perfect configuration for everyone, but to me it seems much better than giving the user two options by default: 1) it works as admin and isn't recommended or 2) it does not work at all.

For example here is a possible extension to the basics provided by alternative.yaml and inspired by the read only clusterrole idea:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

  # Other resources
  - apiGroups: [""]
    resources: ["nodes", "namespaces", "pods", "serviceaccounts", "services", "configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "persistentvolumeclaims", "persistentvolumes", "bindings", "events", "limitranges", "namespaces/status", "pods/log", "pods/status", "replicationcontrollers/status", "resourcequotas", "resourcequotas/status"]
    verbs: ["get", "list", "watch"]

  - apiGroups: ["apps"]
    resources: ["daemonsets", "deployments", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
    verbs: ["get", "list", "watch"]

  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["get", "list", "watch"]

  - apiGroups: ["batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["get", "list", "watch"]

  - apiGroups: ["extensions"]
    resources: ["daemonsets", "deployments", "deployments/scale", "networkpolicies", "replicasets", "replicasets/scale", "replicationcontrollers/scale"]
    verbs: ["get", "list", "watch"]

  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "networkpolicies"]
    verbs: ["get", "list", "watch"]

  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["get", "list", "watch"]

  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses", "volumeattachments"]
    verbs: ["get", "list", "watch"]

  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterrolebindings", "clusterroles", "roles", "rolebindings"]
    verbs: ["get", "list", "watch"]

I think it might be good enough for many users, provided they use authentication to access the dashboard.

Depending on who the user is, it is tempting to include exec on pods and perhaps allow scaling. I'd argue that by providing such a config it would make it much easier for beginners to extend it for more granular permissions that best suit their needs.

The thing is that Dashboard itself should never have more permissions than the default ones. User that uses it should be granted certain permissions. That's why you should use token/auth header to pass auth information that can be used to act as a user. Preparing Role is not that hard and user should do that.

My concern here is that the dashboard doesn't reflect the permissions the user has. For example, I can still open the "services" route, even if I don't have access to see any services; this then makes it look like the dashboard is not working. Especially when _by default_ the user has no permission to really do anything.

By default, there is no user because you have to log in as a user to get access. Using Skip button is not "acting as a user". You can open any top-level routes and you will get notification about missing privileges. This is done by design. We have decided not to block/hide the UI, but rather show notifications and display empty lists. It still reflects user permissions.

To just add to @edemen's manifest, the following adds support for extensions.ingresses as well as secrets, for the verbs get, list and watch:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  - namespaces
  - pods
  - serviceaccounts
  - services
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - persistentvolumeclaims
  - persistentvolumes
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - ingresses
  - daemonsets
  - deployments
  - deployments/scale
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  - volumeattachments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  - roles
  - rolebindings
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
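
Three grants were posted in this thread: the cluster-admin binding, the read-only ClusterRole, and the variant that adds secrets. As an added example (not code from the thread or from the Dashboard project), the Python below checks RBAC rules and a binding for grants that go beyond read-only listing. The rule data is an abbreviated, constructed copy of the manifests above, the finding names are made up for this example, and the pods/exec rule is hypothetical.

```python
READ_VERBS = {"get", "list", "watch"}


def _matches(values, wanted):
    """True if an RBAC list names `wanted` exactly or through the "*" wildcard.

    Only exact names and "*" are handled; forms such as "pods/*" are not.
    """
    return wanted in values or "*" in values


def audit_rules(rules):
    """Return sorted finding ids for the `rules:` list of a Role or ClusterRole."""
    findings = set()
    for rule in rules:
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if "*" in groups + resources + verbs:
            findings.add("wildcard")
        if any(v not in READ_VERBS for v in verbs):
            findings.add("non-read-verb")          # role is no longer read-only
        # get, list and watch on secrets all return the secret data itself.
        can_read = "*" in verbs or bool(READ_VERBS & set(verbs))
        if _matches(groups, "") and _matches(resources, "secrets") and can_read:
            findings.add("secrets-read")
        if (_matches(groups, "") and _matches(resources, "pods/exec")
                and _matches(verbs, "create")):
            findings.add("pod-exec")
    return sorted(findings)


def audit_binding(binding):
    """Report ServiceAccount subjects bound to the built-in cluster-admin ClusterRole."""
    findings = []
    role = binding.get("roleRef", {})
    if role.get("kind") == "ClusterRole" and role.get("name") == "cluster-admin":
        for subject in binding.get("subjects", []):
            if subject.get("kind") == "ServiceAccount":
                findings.append("cluster-admin:%s/%s" % (
                    subject.get("namespace"), subject.get("name")))
    return findings


_READ = ["get", "list", "watch"]

# Constructed: abbreviated copy of the read-only ClusterRole rules from the thread.
READ_ONLY_RULES = [
    {"apiGroups": ["metrics.k8s.io"], "resources": ["pods", "nodes"], "verbs": _READ},
    {"apiGroups": [""], "verbs": _READ,
     "resources": ["nodes", "namespaces", "pods", "services", "configmaps", "pods/log"]},
    {"apiGroups": ["apps"], "verbs": _READ,
     "resources": ["deployments", "replicasets", "statefulsets"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "verbs": _READ,
     "resources": ["clusterrolebindings", "clusterroles", "roles", "rolebindings"]},
]

# The extra rule from the last manifest in the thread.
SECRETS_RULE = {"apiGroups": [""], "resources": ["secrets"], "verbs": _READ}

# Hypothetical: the "exec on pods" extension one comment calls tempting.
EXEC_RULE = {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}

# Mirrors the ClusterRoleBinding workaround posted in the thread.
CLUSTER_ADMIN_BINDING = {
    "kind": "ClusterRoleBinding",
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                  "namespace": "kubernetes-dashboard"}],
}

if __name__ == "__main__":
    print("read-only role:", audit_rules(READ_ONLY_RULES))
    print("with secrets:  ", audit_rules(READ_ONLY_RULES + [SECRETS_RULE]))
    print("with pods/exec:", audit_rules(READ_ONLY_RULES + [EXEC_RULE]))
    print("binding:       ", audit_binding(CLUSTER_ADMIN_BINDING))
```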