Welcome to the Linux Foundation Forum!

LAB 13.3 trouble finding token

I followed lab steps and the dashboard page is loading.
Just to mention that other than changing port type to NodePort, I also had to edit values.yaml to enable insecure login

  1. extraArgs:
  2. - --enable-insecure-login

or otherwise I was only getting an error page about requesting HTTP website over HTTPS

So, now I am at step 6 but I don't have dashboard-kubernetes-dashboard-token- object.

kubectl get serviceaccounts

  1. NAME SECRETS AGE
  2. dashboard-kubernetes-dashboard 0 19m
  3. default 1 5d1h
  4. myingress-ingress-nginx 0 19h

I noticed that in the lab that SECRETS is 1 for dashboard-kubernetes-dashboard and I get 0...

kubectl get secrets

  1. NAME TYPE DATA AGE
  2. dashboard-kubernetes-dashboard-certs Opaque 0 14m
  3. default-token-56tsp kubernetes.io/service-account-token 3 5d1h
  4. kubernetes-dashboard-csrf Opaque 1 14m
  5. kubernetes-dashboard-key-holder Opaque 2 14m
  6. myingress-ingress-nginx-admission Opaque 3 19h
  7. sh.helm.release.v1.dashboard.v1 helm.sh/release.v1 1 14m
  8. sh.helm.release.v1.myingress.v1 helm.sh/release.v1 1 19h

What am I missing?

Thanks in advance

Welcome!

It looks like you're new here. Sign in or register to get started.
Sign In

Comments

  • Posts: 115

    UPDATE

    Apparently Kubernetes does not automatically create secrets anymore starting from 1.24

    I've tried manually creating a secret for service account, and it seemed to have worked, however when I kubectl get serviceaccount I still get 0 secrets for dashboard-kubernetes-dashboard although secret is visible when I kubectl get secrets

    I also tried creating a token with kubectl create token

    However, I've ran into another issue which is disabled login even with - --enable-insecure-login flag set:

    Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost. Read more here

  • Posts: 2,451

    Hi @k0dard,

    I can't remember having to enable insecure login, but I did have to enable the integration with the metrics-server around line 257 of values.yaml (the metrics-server was pre-installed on my cluster, otherwise there was an install option in values.yaml as well).

    Now back to the token... or the lack of it. Secrets holding service account tokens are no longer created by default, so it becomes the user's responsibility to create the token secret for the desired service account.

    The command is simple, from the official documentation:

    1. kubectl apply -f - <<EOF
    2. apiVersion: v1
    3. kind: Secret
    4. metadata:
    5. name: kubernetes-dashboard-token
    6. annotations:
    7. kubernetes.io/service-account.name: kubernetes-dashboard
    8. type: kubernetes.io/service-account-token
    9. EOF

    It creates a secret name kubernetes-dashboard-token associated with my kubernetes-dashboard service account (replace the name if your service account has a different name). You can also create the secret definition manifest first, and then run the kubectl apply command.

    Once created, you can describe the secret to reveal the value of the token:

    kubectl describe secrets kubernetes-dashboard-token

    Regards,
    -Chris

  • Posts: 15
    edited August 2022

    Using imperative commands:

    1. $ kubectl get serviceaccounts -n kubernetes-dashboard
    2. NAME SECRETS AGE
    3. default 0 10m
    4. kubernetes-dashboard 0 9m44s
    5. $ kubectl create clusterrolebinding dashaccess --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:kubernetes-dashboard
    6. clusterrolebinding.rbac.authorization.k8s.io/dashaccess created
    7. $ kubectl get clusterrolebinding dashaccess
    8. NAME ROLE AGE
    9. dashaccess ClusterRole/cluster-admin 9m30s
    10. $ curl ifconfig.io
    11. 173.28.225.52
    12. $ kubectl -n kubernetes-dashboard create token kubernetes-dashboard

    I didn't need --enable-insecure-login but I did need --kubelet-insecure-tls

  • Posts: 115

    @chrispokorni

    Thanks for your help!

    When you say enable the integration with the metrics-server, do you mean metricsScraper option (line 252 in my values.yaml). Otherwise, there is metric-server option (line 279) but in the comment it is written

    Enable this if you don't already have metrics-server enabled on your cluster and want to use it with dashboard metrics-scraper

    which is not the case...

    To get back to the issue, after some additional testing I've got the following:

    • if I don't set protocolHttp to true (line 139), I always get the same error (Client sent an HTTP request to an HTTPS server.)
    • if I set protocolHttp to true I can see the metrics without logging in, token or anything
    • if I add - --enable-insecure-login I cannot login anymore with or without token, on the bottom of the screen I get Insecure access message mentioned in my OP and Sign in button stays inactive even if I paste a token.

    This seems strange, doesn't it?

    @headkaze If you read the update I've posted just under my OP you'll see that I've already tried adding token with kubectl create token command, so I don't really see what was the point of your post? You say you needed --kubelete-insecure-tls, are you referring to the setup of metrics-server?

  • Posts: 15
    edited September 2022

    I make notes when I do a LAB so I'll paste them in here assuming you've already done the metrics-server part correctly.

    1. $ helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
    2. "kubernetes-dashboard" has been added to your repositories
    3. $ helm pull kubernetes-dashboard/kubernetes-dashboard
    4. $ tar -zxvf kubernetes-dashboard-5.7.0.tgz
    5. $ cd kubernetes-dashboard
    6. $ nano values.yaml

    I did have to enable the metricsScraper otherwise the dashboard doesn't show any CPU or memory usage etc.

    1. ...
    2. service:
    3. type: NodePort
    4. # Dashboard service port
    5. externalPort: 443
    6. ...
    7. metricsScraper:
    8. ## Wether to enable dashboard-metrics-scraper
    9. enabled: true
    10. image:
    11. repository: kubernetesui/metrics-scraper
    12. tag: v1.0.8
    13. resources: {}
    14. ...
    1. $ kubectl create ns kubernetes-dashboard
    2. namespace/kubernetes-dashboard created
    3. $ helm install kubernetes-dashboard --namespace kubernetes-dashboard .

    Then I created the cluster role and token (as posted above)

    1. $ kubectl get serviceaccounts -n kubernetes-dashboard
    2. NAME SECRETS AGE
    3. default 0 10m
    4. kubernetes-dashboard 0 9m44s
    5. $ kubectl create clusterrolebinding dashaccess --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:kubernetes-dashboard
    6. clusterrolebinding.rbac.authorization.k8s.io/dashaccess created
    7. $ kubectl get clusterrolebinding dashaccess
    8. NAME ROLE AGE
    9. dashaccess ClusterRole/cluster-admin 9m30s
    10. $ curl ifconfig.io
    11. 173.28.225.52
    12. $ kubectl -n kubernetes-dashboard create token kubernetes-dashboard

    Finally to get the url:

    1. $ export NODE_PORT=$(kubectl get -n kubernetes-dashboard -o jsonpath="{.spec.ports[0].nodePort}" services kubernetes-dashboard)
    2. $ export NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}")
    3. $ echo https://$NODE_IP:$NODE_PORT/

    In my case I place in my browser https://mycluster-cp1:31370 then it should take you to a login where you paste in your token.

  • Posts: 115

    @headkaze I see that you're pulling v5.7.0, which is old, current version is 5.10.0

    Can you try helm repo update and then pull new version

    As I've said my problem is that Sing in button is inactive even when I enter the token

  • Hi @k0dard,

    Yes, I did mean the metricsScraper, which oddly is on a different line in my values.yaml file :wink:

    As far as https - it is default, just as @headkaze confirmed in his comment. If you have a chance to describe the kubernetes-dashboard service, the ports object defines port number 443 tagged with name=https, which even as a NodePort accepts https traffic.

    The protocolHttp behavior makes some sense. When false, it allows the https default protocol, and throws the http request to https server error if the request is http instead of the expected https. When true, it overrides https and accepts http traffic instead.

    I have not yet explored the enable-insecure-login so I can't comment on its behavior.

    Regards,
    -Chris

  • Posts: 15
    edited September 2022

    @k0dard said:
    @headkaze I see that you're pulling v5.7.0, which is old, current version is 5.10.0

    I just tried going through the LAB from scratch but this time installing Kubernetes Dashboard 5.10.0 and I had no problem pasting in my token and clicking "Sign In". Maybe try a different browser?

  • Posts: 115
    edited September 2022

    It turns out that my browser, since the SSL certificate is not valid, automatically redirected me to http. If I manually add https:// before my server IP and accept the security risk, the Sign in button becomes active again...

    Thanks everyone for your help, I appreciate it!

Welcome!

It looks like you're new here. Sign in or register to get started.
Sign In

Welcome!

It looks like you're new here. Sign in or register to get started.
Sign In

Categories

Upcoming Training