-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dashboard not working after re-deployment in GCE #2415
Comments
This looks to me like privilege escalation protection. Are you sure that with the account you want to create apply the |
Exactly, as @marco-jantke said. Just look at the error message. It says forbidden, which means you do not have privileges to create all resources. Only cluster admin can deploy Dashboard. |
@marco-jantke @floreks I did look at them, but I created a fresh new cluster, shouldnt my account be the administrator then? |
I don't know GCE cluster setup so I can't tell if it should or not. I see however that server responds with |
Make sure to grant yourself in GC IAM the Container Engine Admin/Cluster Admin rights. Hope this helps, but further support for that is not part of the kubernetes/dashboard project. |
Hi, I am a cluster admin and I am still getting the same error, any ideas? |
Also, because my master's had been updated to 1.7.6-gke.1, the dashboard stopped working |
The dashboard has stopped working for me on 1.7.6-gke.1 as well across 5 clusters. I can see that my nodes are still at 1.7.5. |
I have exactly same problem, with nodes being stuck on 1.7.5. Trying to
update them yields an error.
I tried to manually deploy dashboard, but it does not work as well, showing
same errors (missing static files).
Best, Bartosz
…--
Bartosz Hernas
+49 174 971 63 46 <00491749716346>
hern.as
<https://twitter.com/bartosz> <https://www.facebook.com/bhernas>
<https://www.linkedin.com/in/bhernas>
On Wed, Oct 11, 2017 at 7:25 PM, Jeremy Shapiro ***@***.***> wrote:
The dashboard has stopped working for me on 1.7.6-gke.1 as well across 5
clusters. I can see that my nodes are still at 1.7.5.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#2415 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA-mMwT1jBQlkg_kc5JESzH719aV3FZjks5srPoWgaJpZM4PmD7X>
.
|
"Stopped working" does not really help us diagnose the problem. We need much more details together with logs from Dashboard to be able to help or point you in the right direction. |
Same issue here, kube 1.7.6-gke.1 on gke, cluster admin, still getting the error : Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml": roles.rbac.authorization.k8s.io "kubernetes-dashboard-minimal" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"], ResourceNames:["kubernetes-dashboard-key-holder"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], ResourceNames:["kubernetes-dashboard-certs"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], ResourceNames:["kubernetes-dashboard-key-holder"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["secrets"], ResourceNames:["kubernetes-dashboard-certs"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["secrets"], ResourceNames:["kubernetes-dashboard-key-holder"], APIGroups:[""], Verbs:["delete"]} PolicyRule{Resources:["secrets"], ResourceNames:["kubernetes-dashboard-certs"], APIGroups:[""], Verbs:["delete"]} PolicyRule{Resources:["services"], ResourceNames:["heapster"], APIGroups:[""], Verbs:["proxy"]}] user=&{******* [system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/" "/apis" "/apis/" "/healthz" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[] Was deploying correctly before upgrading the master from 1.7.5 to 1.7.6 |
same here |
Experiencing the same issue here. kubernetes 1.8.4 Error:
|
User that you want to create Dashboard with has no permissions to create Role with some verbs. You need to use admin account that has all the privileges to create objects in the cluster. |
@floreks I'm not using any specific user, other than Can you explain a little further what I'm doing wrong? Here is a copy of my kubeconfig:
|
I ran into the same problem running on a fresh GKE 1.8.3 cluster. I have the cluster-admin role binding active for my user (
I am a bit at a loss because I would think that having cluster wide admin RBAC setup for my user should make this kind or error impossible. What can I do to debug this problem further? Thanks! |
GKE kubernetes setup is more restrictive AFAIK. You need to use their API to somehow grant you necessary privileges. |
Hi @floreks I think we're still unsure how to resolve this issue. I am attempting this on AWS, but it is basically the same as a bare metal install.
Otherwise is there some other way in which I'm supposed to run this "as the admin user"? |
I am pretty sure that this setup is not same as "bare metal" nor kubeadm, because I have used both and there is no problem with deploying Dashboard. It has to be environment specific issue and your "admin" is not an actual admin with all privileges. I can't solve this for you as I don't have access to GKE nor AWS to test their deployments of kubernetes. This might help with GKE setup: https://cloud.google.com/kubernetes-engine/docs/how-to/iam-integration I believe you need to use gcloud and their API to grant yourself more privileges. As for AWS this might be a similar case. |
The AWS deployment I have is an environment that is simply running on top of AWS, hence why its like a bare metal deployment. It seems beside the point, but just clarifying that its not on GKE/GC. Is there a setting or |
Can you paste api-server parameters you are using to start it? |
@floreks, and everyone, I think I managed to fix the issue (at least for my setup). THESE ARE ALL THE STEPS I USED: First I determined that I did not have the correct roles installed, which should be setup by the api-server, by default:
I needed to run the This is verified in the
This is not a production recommended solution, so I needed to bind it to a role.
Next I discovered that the only role that is enabled by default for SuperUser access is the
I changed my
I was able to successfully query:
Lastly, with the correct permissions and roles bound, I could create Dashboard with correct permissions, using only RBAC:
This is what worked for me, I hope anyone who finds this finds it helpful. 👍 |
Great feedback :) This is probably the same issue with GKE. There are some additional steps required to enable RBACs. We'll link this solution to our FAQ so everyone can benefit from it. |
If you enabled RBAC, just type kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole cluster-admin --user $(gcloud config get-value account) and ➜ ~ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
secret "kubernetes-dashboard-certs" unchanged
serviceaccount "kubernetes-dashboard" unchanged
role "kubernetes-dashboard-minimal" created
rolebinding "kubernetes-dashboard-minimal" unchanged
deployment "kubernetes-dashboard" unchanged
service "kubernetes-dashboard" unchanged |
I also had a test cluster and had the same issue. Adding |
I found that even with the owner role "Full access to all resources", the suggestion from mofelee is needed on GKE: kubectl create clusterrolebinding cluster-admin-binding |
this is the true resolution . |
Environment
Steps to reproduce
Have the defualt GCE cluster running with 1.7.5. Verify the dashboard works on http://localhost:8001/ui
Then try to deploy the recomended version:
https://github.com/kubernetes/dashboard/blob/master/src/deploy/recommended/kubernetes-dashboard.yaml
Observed result
The recommended version fails with error:
Expected result
To see the dashboard
Comments
A collegue of mine deployed this kubernetes-dashboard, after a mistake and now I cant get it back. Iv tried the alternative version and other things, but I cant seem to get it working again
The text was updated successfully, but these errors were encountered: