Installation method: kubeadm
Kubernetes version: 1.16.2
Dashboard version: v1.10.1
Operating system: ubuntu16.04
dashboard.yaml
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ------------------- Dashboard Secret ------------------- #
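# Empty Opaque Secret; the Deployment in this file mounts it at /certs.
# No data keys are set here, so the certificate material has to come from
# elsewhere (the Deployment in this file passes --auto-generate-certificates).
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque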
---
# ------------------- Dashboard Service Account ------------------- #
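# Identity the Dashboard pod runs as. Its permissions come only from the
# bindings that name this account (kubernetes-dashboard-minimal in this file).
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system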
---
# ------------------- Dashboard Role & Role Binding ------------------- #
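# Namespaced Role (kube-system only) for the Dashboard's own service account.
# Every rule except the two "create" rules is limited by resourceNames.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
  # RBAC cannot restrict "create" by resourceNames, so this verb applies to
  # any Secret name in kube-system, not only the key-holder.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
  # Same limitation: "create" is not restricted to that ConfigMap name.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
    verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
    verbs: ["get"]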
---
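# Grants the kubernetes-dashboard-minimal Role to the Dashboard service
# account. A RoleBinding is namespaced, so the grant stays inside kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system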
---
# ------------------- Dashboard Deployment ------------------- #
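# Single-replica Dashboard pod running as the kubernetes-dashboard service
# account and serving HTTPS on container port 8443.
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          # image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
          # NOTE(review): the image below comes from a third-party mirror and
          # is referenced by tag only. Confirm it matches the upstream image
          # and consider pinning it by digest (image@sha256:<DIGEST>).
          image: registry.cn-hangzhou.aliyuncs.com/kuberneters/kubernetes-dashboard-amd64:v1.10.1
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            # Dashboard generates its own (self-signed) serving certificate,
            # so clients reaching it directly see an untrusted HTTPS cert.
            - --auto-generate-certificates
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
            # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule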
---
# ------------------- Dashboard Service ------------------- #
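# No `type` is set, so this is a ClusterIP Service: port 443 forwards to the
# pod's HTTPS port 8443 and is reachable only from inside the cluster, or
# through the API-server proxy or a port-forward.
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard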
dashboard-adminuser.yaml
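# Service account used to sign in to the Dashboard with a bearer token.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
# Two resources need a document separator; without it the repeated
# apiVersion/kind/metadata keys collide in a single mapping.
#
# This binds admin-user to the built-in cluster-admin ClusterRole for the
# whole cluster, so the account's token carries full control of every
# namespace. Handle that token as a secret, and bind a narrower role when
# full admin rights are not required.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kube-system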
Get the token with this command:
# Find the kube-system secret whose listing line mentions admin-user and
# describe it. The output includes the service-account token, which is a
# bearer credential for every role bound to admin-user.
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | awk '/admin-user/ {print $1}')
The result is:
Name: admin-user-token-2zmjn
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin-user
kubernetes.io/service-account.uid: a08683ae-c2d0-47dd-a7d8-a35569a774f6
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImFFNmg3cFVnVXNITk1mT0ljbi10b3NPcWlKUnVuUjBmbXRKZTFtbWxNQlkifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLTJ6bWpuIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJhMDg2ODNhZS1jMmQwLTQ3ZGQtYTdkOC1hMzU1NjlhNzc0ZjYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.G3B_FkOiFSHjU2NKM_UgGmkAqx_uBRiKGbSAY-85q5G6yfoYiCCfWD-1HEGxcyUkJK3Xt8yPMGxHXyiCR81RG35RBsSuKj5P8IRBDSc_49LtvZWtI9JGm0vB-RQ1GBeJah6AUrr-zRRUTAEN4D-V66FU4NulzRY2qJ4nu_O8TnfnBaMSFumfHrpbsZYWAnTM-9qzCSrpvAT6dphfZ5Q_qleDt_U8ZzVbJ2SvnJRX5Xp1ynUVqO2GvbQ-0RW9rj4hTnm4b0cFc586VJm9Y0U7cUhyWwAchZV244CDkFJ28kn3ARoD6Eb9FpDmFiVo_sVbmSak4rvyaAYlqqsTZwdX6A
I use this token to log in to the dashboard on the page http://192.168.4.172:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
I can see 3 requests:
http://192.168.4.172:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/api/v1/csrftoken/login with http get method
response is {
"token": "Fo03jFkHU_iiH6TQkhQJqg3pV4c:1573659003483"
}
http://192.168.4.172:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/api/v1/login with http post method
response is
```json
{
"jweToken": "{\"protected\":\"eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0\",\"aad\":\"eyJleHAiOiIyMDE5LTExLTEzVDE1OjQ1OjAzWiIsImlhdCI6IjIwMTktMTEtMTNUMTU6MzA6MDNaIn0\",\"encrypted_key\":\"i9tEG5LWueutGUNseOrozYSWV9koX7Y6L_G9zSD-ENdER-4EQHPxI6kqB7dqE55Aqa2lgbEL4MMWHbSK0RestIlJ0JwiCGNBkTpDFpvtzzNWget_xenet_ltELjonwCCq0f7zHDunITo8Cp4dgSCS2Jvy3VlP5nVgk8TisJ6MTHZELRsb4T_C6-6F9sdn_0PgjSjaFoVNvdWYQKgGhEAyHKGUpa-IPnt-x6Z8CnEyLG2oGE8byOHfxHlZaAun5i6CRT6pxMKciY9KajY3LKPTOf5eFb9dWPoSFf003OEyHBS-Zqw_RNgMMFh4bn00Be6QtPguKugmldcXu-5mPiswQ\",\"iv\":\"sEl7W0PJc4tb9IQr\",\"ciphertext\":\"MQROW5vbK3CO4JkRbJxIabEmD4uAfwh7dZE4TJ2ZxTlgV03Lle65sjt-vPoudluKzsiNZHSTOkInUf9GEmvXnmUyuL_9_SrAAXPeezgHksCizdqwbcYuDXAGGmIIilM02HK_U39nenNR7WI4YB1LWZ6nAGl2kP_3UdvXY84OOoHMv4lkCcktKayWbGy7WaLy0hLstCcIu4uUwhZUitcs12yeYT_V1PdPT5LS2KSMUkAmmBtTv5WPx1VpzGXCU-yViRy5Rk1v1PD6Xm0bSOP-SJntqHwQEOkfJjQQn_n3qO9yvlttp2KU-5d8xDKSSPhlCc2Rwy2-ij6IWGvmHnpmNSfQEcArVBHJtsvLPT5sWIQgV9-y5GYcumyA8fbjXZs5MsKcoiMc9c69Wz3DWXzeR04karYr2m4IeMCrY58YYmA44hfndZNOTKfSKscBKUjW2HfM7_lMxJz-Mhrs0igjPYamw3xR8k4G-wo1iNwDUqKMqa16PmtB0wTjXo48fqkhO6aQ6io02AWY3niNMRx4XwKamisZ_PYDLhzH_wg5m9v1jgix5RcFzZbtiA5XABLuIUxGG-el7v1toqjnZDPiiPuspFb5HnuLvK91B0PkPUKMmWIbC64cDti_5UIyhsq1rTxhgvYJ3bpZqIJMHG98tZH8-LaOY1vgEg01qPjUU5nkUsE26q9OKvY68FmLDj4RM4IM7q3YKlIri8o7s9dyrbrOURqK5w3ZEesLivFm3rwzLuH9klBrlfLRTGTXS86i7ol1rq6FXLnNV3s21J0zo8ywnGR_6YjK_hXxO-647IyBSor0u7-VG-1nOqxVjWvlHtl3wIz9qhM0pqm3wC3DKQgEETFYdiwrIJKRO7KesOM9gkFs1b1NJH_dPFzaO9dAHyPldCeDMYmyrx1tGzkEPka_iIjVzOO4IUaQuF9g_wKVL2IY8NCx0ZSAX6uy_shZr9gMXjSNMtey434EEdkVJY2XjoEvp8ImtO18QQ-HXs2BL79KbbWMROJczhW1L8IfMoRcxg1CYEr7YnF1PZufH97txOJmo-S6d9jX4IPb-jKdxLEdZ-khDIdZ_ObDGBbh_rt3JEy1CMsKcj3ckYCrPOrJaS7J4LsxVxUZb_8uu1OH3ilGsex3sMGH9ze8-sA1Rk6TR_j9UyY9R4Gerf1h2aHAZy_-VmEBuG5Htv7I5clLmmqMz0gk0xn3vvTk_IQtQZYKUIzDPPgoDtiFZZ2duRruSA9wjNBezGy6fNo0ArkBSwxLKv3Uwq1ALic\",\"tag\":\"zqqK7FKMHXFnOyMODCXMAw\"}",
"errors": []
}
```
and http://192.168.4.172:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/api/v1/login/status with http get method
response is
```json
{
"tokenPresent": false,
"headerPresent": false,
"httpsMode": true
}
```
After the requests finish, the page does not redirect to the management page. It still shows the login form.
After a successful login, the page should redirect to the management page.
Not a bug. Works as designed.
You are opening Dashboard at http://192.168.4.172:8001, which is plain HTTP on an address other than localhost.
NOTE: Dashboard should not be exposed publicly using kubectl proxy command as it only allows HTTP connection. For domains other than localhost and 127.0.0.1 it will not be possible to sign in. Nothing will happen after clicking Sign in button on login page.
/close
@floreks: Closing this issue.
In response to this:
Not a bug. Works as designed.
http://192.168.4.172:8001
NOTE: Dashboard should not be exposed publicly using kubectl proxy command as it only allows HTTP connection. For domains other than localhost and 127.0.0.1 it will not be possible to sign in. Nothing will happen after clicking Sign in button on login page.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@floreks @k8s-ci-robot Thanks very much.
@lvshuang 您好 我也遇到了跟您类似的问题,我也尝试使用kubectl port-forward的方式,
kubectl port-forward --address 0.0.0.0 -n kube-system service/kubernetes-dashboard 10443:443
但是我依然不能访问dashboard,请问你是怎么解决的 谢谢 我的访问地址
http://我的公网IP:10443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
@bidianqing 我尝试了 port-forward, nodeport, ingress 都不行,还在努力解决中
@bidianqing kubectl port-forward -n kube-system service/kubernetes-dashboard 10443:443 --address 0.0.0.0
https://node-id:10443
Not a bug. Works as designed.
@floreks Sorry to say, but this is really confusing. You say it's a feature, but I guess everyone who runs into this would call it unexpected behavior until they find this issue page, because there is no error in the console, no warning in kubernetes-dashboard's log, nothing. For me, logging in to the Kubernetes dashboard is still one of the most annoying things about working with a Kubernetes cluster. This is so upsetting.
Who on a DevOps team will use the dashboard on localhost to do daily work?
I strongly suggest that recommended.yaml should work for non-localhost access out of the box.
I agree with lentil1016: "login in kubernetes dashboard is still one of the most annoying thing in working with a kubernetes cluster. This is so upsetting."
guys, I solved this problem by adding ssh local port forwarding:
ssh -L localhost:8001:localhost:8001 -NT user@node-ip
then you can open http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/ in a local browser
It's much easier to simply use kubectl proxy instead of exposing such proxy on your own. This is not safe.
guys, I solved this problem by adding ssh local port forwarding:
ssh -L localhost:8001:localhost:8001 -NT user@node-ip
then you can open http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/ in a local browser
This is also my solution for now.
Hello all,
In my case Chrome was blocking the request; when I tried Firefox it worked fine.