LAB 13.3 trouble finding token

k0dard

I followed lab steps and the dashboard page is loading.
Just to mention that other than changing port type to NodePort, I also had to edit values.yaml to enable insecure login

extraArgs:
  - --enable-insecure-login

or otherwise I was only getting an error page about requesting HTTP website over HTTPS

So, now I am at step 6 but I don't have dashboard-kubernetes-dashboard-token- object.

kubectl get serviceaccounts

NAME                             SECRETS   AGE
dashboard-kubernetes-dashboard   0         19m
default                          1         5d1h
myingress-ingress-nginx          0         19h

I noticed that in the lab that SECRETS is 1 for dashboard-kubernetes-dashboard and I get 0...

kubectl get secrets

NAME                                   TYPE                                  DATA   AGE
dashboard-kubernetes-dashboard-certs   Opaque                                0      14m
default-token-56tsp                    kubernetes.io/service-account-token   3      5d1h
kubernetes-dashboard-csrf              Opaque                                1      14m
kubernetes-dashboard-key-holder        Opaque                                2      14m
myingress-ingress-nginx-admission      Opaque                                3      19h
sh.helm.release.v1.dashboard.v1        helm.sh/release.v1                    1      14m
sh.helm.release.v1.myingress.v1        helm.sh/release.v1                    1      19h

What am I missing?

Thanks in advance

k0dard

UPDATE

Apparently Kubernetes does not automatically create secrets anymore starting from 1.24

I've tried manually creating a secret for service account, and it seemed to have worked, however when I kubectl get serviceaccount I still get 0 secrets for dashboard-kubernetes-dashboard although secret is visible when I kubectl get secrets

I also tried creating a token with kubectl create token

However, I've ran into another issue which is disabled login even with - --enable-insecure-login flag set:

Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost. Read more here

chrispokorni

Hi @k0dard,

I can't remember having to enable insecure login, but I did have to enable the integration with the metrics-server around line 257 of values.yaml (the metrics-server was pre-installed on my cluster, otherwise there was an install option in values.yaml as well).

Now back to the token... or the lack of it. Secrets holding service account tokens are no longer created by default, so it becomes the user's responsibility to create the token secret for the desired service account.

The command is simple, from the official documentation:

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: kubernetes-dashboard-token
  annotations:
    kubernetes.io/service-account.name: kubernetes-dashboard
type: kubernetes.io/service-account-token
EOF

It creates a secret name kubernetes-dashboard-token associated with my kubernetes-dashboard service account (replace the name if your service account has a different name). You can also create the secret definition manifest first, and then run the kubectl apply command.

Once created, you can describe the secret to reveal the value of the token:

kubectl describe secrets kubernetes-dashboard-token

Regards,
-Chris

headkaze

Using imperative commands:

$ kubectl get serviceaccounts -n kubernetes-dashboard
NAME                   SECRETS   AGE
default                0         10m
kubernetes-dashboard   0         9m44s
$ kubectl create clusterrolebinding dashaccess --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:kubernetes-dashboard
clusterrolebinding.rbac.authorization.k8s.io/dashaccess created
$ kubectl get clusterrolebinding dashaccess
NAME         ROLE                        AGE
dashaccess   ClusterRole/cluster-admin   9m30s
$ curl ifconfig.io
173.28.225.52
$ kubectl -n kubernetes-dashboard create token kubernetes-dashboard

I didn't need --enable-insecure-login but I did need --kubelet-insecure-tls

k0dard

@chrispokorni

Thanks for your help!

When you say enable the integration with the metrics-server, do you mean metricsScraper option (line 252 in my values.yaml). Otherwise, there is metric-server option (line 279) but in the comment it is written

Enable this if you don't already have metrics-server enabled on your cluster and want to use it with dashboard metrics-scraper

which is not the case...

To get back to the issue, after some additional testing I've got the following:

• if I don't set protocolHttp to true (line 139), I always get the same error (Client sent an HTTP request to an HTTPS server.)
• if I set protocolHttp to true I can see the metrics without logging in, token or anything
• if I add - --enable-insecure-login I cannot login anymore with or without token, on the bottom of the screen I get Insecure access message mentioned in my OP and Sign in button stays inactive even if I paste a token.

This seems strange, doesn't it?

@headkaze If you read the update I've posted just under my OP you'll see that I've already tried adding token with kubectl create token command, so I don't really see what was the point of your post? You say you needed --kubelete-insecure-tls, are you referring to the setup of metrics-server?

headkaze

I make notes when I do a LAB so I'll paste them in here assuming you've already done the metrics-server part correctly.

$ helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
"kubernetes-dashboard" has been added to your repositories
$ helm pull kubernetes-dashboard/kubernetes-dashboard
$ tar -zxvf kubernetes-dashboard-5.7.0.tgz
$ cd kubernetes-dashboard
$ nano values.yaml

I did have to enable the metricsScraper otherwise the dashboard doesn't show any CPU or memory usage etc.

...
service:
  type: NodePort
  # Dashboard service port
  externalPort: 443
...
metricsScraper:
  ## Wether to enable dashboard-metrics-scraper
  enabled: true
  image:
    repository: kubernetesui/metrics-scraper
    tag: v1.0.8
  resources: {}
...

$ kubectl create ns kubernetes-dashboard
namespace/kubernetes-dashboard created
$ helm install kubernetes-dashboard --namespace kubernetes-dashboard . 

Then I created the cluster role and token (as posted above)

$ kubectl get serviceaccounts -n kubernetes-dashboard
NAME                   SECRETS   AGE
default                0         10m
kubernetes-dashboard   0         9m44s
$ kubectl create clusterrolebinding dashaccess --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:kubernetes-dashboard
clusterrolebinding.rbac.authorization.k8s.io/dashaccess created
$ kubectl get clusterrolebinding dashaccess
NAME         ROLE                        AGE
dashaccess   ClusterRole/cluster-admin   9m30s
$ curl ifconfig.io
173.28.225.52
$ kubectl -n kubernetes-dashboard create token kubernetes-dashboard

Finally to get the url:

$ export NODE_PORT=$(kubectl get -n kubernetes-dashboard -o jsonpath="{.spec.ports[0].nodePort}" services kubernetes-dashboard)
$ export NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}")
$ echo https://$NODE_IP:$NODE_PORT/

In my case I place in my browser https://mycluster-cp1:31370 then it should take you to a login where you paste in your token.

k0dard

@headkaze I see that you're pulling v5.7.0, which is old, current version is 5.10.0

Can you try helm repo update and then pull new version

As I've said my problem is that Sing in button is inactive even when I enter the token

chrispokorni

Hi @k0dard,

Yes, I did mean the metricsScraper, which oddly is on a different line in my values.yaml file

As far as https - it is default, just as @headkaze confirmed in his comment. If you have a chance to describe the kubernetes-dashboard service, the ports object defines port number 443 tagged with name=https, which even as a NodePort accepts https traffic.

The protocolHttp behavior makes some sense. When false, it allows the https default protocol, and throws the http request to https server error if the request is http instead of the expected https. When true, it overrides https and accepts http traffic instead.

I have not yet explored the enable-insecure-login so I can't comment on its behavior.

Regards,
-Chris

headkaze

@k0dard said:
@headkaze I see that you're pulling v5.7.0, which is old, current version is 5.10.0

I just tried going through the LAB from scratch but this time installing Kubernetes Dashboard 5.10.0 and I had no problem pasting in my token and clicking "Sign In". Maybe try a different browser?

k0dard

It turns out that my browser, since the SSL certificate is not valid, automatically redirected me to http. If I manually add https:// before my server IP and accept the security risk, the Sign in button becomes active again...

Thanks everyone for your help, I appreciate it!