Welcome to the Linux Foundation Forum!

LAB 13.3 trouble finding token

k0dard
k0dard Posts: 115
in LFS258 Class Forum

I followed lab steps and the dashboard page is loading.
Just to mention that other than changing port type to NodePort, I also had to edit values.yaml to enable insecure login

extraArgs:
  - --enable-insecure-login

or otherwise I was only getting an error page about requesting HTTP website over HTTPS

So, now I am at step 6 but I don't have dashboard-kubernetes-dashboard-token- object.

kubectl get serviceaccounts

NAME                             SECRETS   AGE
dashboard-kubernetes-dashboard   0         19m
default                          1         5d1h
myingress-ingress-nginx          0         19h

I noticed that in the lab that SECRETS is 1 for dashboard-kubernetes-dashboard and I get 0...

kubectl get secrets

NAME                                   TYPE                                  DATA   AGE
dashboard-kubernetes-dashboard-certs   Opaque                                0      14m
default-token-56tsp                    kubernetes.io/service-account-token   3      5d1h
kubernetes-dashboard-csrf              Opaque                                1      14m
kubernetes-dashboard-key-holder        Opaque                                2      14m
myingress-ingress-nginx-admission      Opaque                                3      19h
sh.helm.release.v1.dashboard.v1        helm.sh/release.v1                    1      14m
sh.helm.release.v1.myingress.v1        helm.sh/release.v1                    1      19h

What am I missing?

Thanks in advance

Comments

  • k0dard
    k0dard Posts: 115

    UPDATE

    Apparently Kubernetes does not automatically create secrets anymore starting from 1.24

    I've tried manually creating a secret for service account, and it seemed to have worked, however when I kubectl get serviceaccount I still get 0 secrets for dashboard-kubernetes-dashboard although secret is visible when I kubectl get secrets

    I also tried creating a token with kubectl create token

    However, I've ran into another issue which is disabled login even with - --enable-insecure-login flag set:

    Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost. Read more here

  • chrispokorni
    chrispokorni Posts: 1,842

    Hi @k0dard,

    I can't remember having to enable insecure login, but I did have to enable the integration with the metrics-server around line 257 of values.yaml (the metrics-server was pre-installed on my cluster, otherwise there was an install option in values.yaml as well).

    Now back to the token... or the lack of it. Secrets holding service account tokens are no longer created by default, so it becomes the user's responsibility to create the token secret for the desired service account.

    The command is simple, from the official documentation:

    kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: kubernetes-dashboard-token
  annotations:
    kubernetes.io/service-account.name: kubernetes-dashboard
type: kubernetes.io/service-account-token
EOF

    It creates a secret name kubernetes-dashboard-token associated with my kubernetes-dashboard service account (replace the name if your service account has a different name). You can also create the secret definition manifest first, and then run the kubectl apply command.

    Once created, you can describe the secret to reveal the value of the token:

    kubectl describe secrets kubernetes-dashboard-token

    Regards,
    -Chris

  • headkaze
    headkaze Posts: 15
    edited August 2022

    Using imperative commands:

    $ kubectl get serviceaccounts -n kubernetes-dashboard
NAME                   SECRETS   AGE
default                0         10m
kubernetes-dashboard   0         9m44s
$ kubectl create clusterrolebinding dashaccess --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:kubernetes-dashboard
clusterrolebinding.rbac.authorization.k8s.io/dashaccess created
$ kubectl get clusterrolebinding dashaccess
NAME         ROLE                        AGE
dashaccess   ClusterRole/cluster-admin   9m30s
$ curl ifconfig.io
173.28.225.52
$ kubectl -n kubernetes-dashboard create token kubernetes-dashboard

    I didn't need --enable-insecure-login but I did need --kubelet-insecure-tls

  • k0dard
    k0dard Posts: 115

    @chrispokorni

    Thanks for your help!

    When you say enable the integration with the metrics-server, do you mean metricsScraper option (line 252 in my values.yaml). Otherwise, there is metric-server option (line 279) but in the comment it is written

    Enable this if you don't already have metrics-server enabled on your cluster and want to use it with dashboard metrics-scraper

    which is not the case...

    To get back to the issue, after some additional testing I've got the following:

    • if I don't set protocolHttp to true (line 139), I always get the same error (Client sent an HTTP request to an HTTPS server.)
    • if I set protocolHttp to true I can see the metrics without logging in, token or anything
    • if I add - --enable-insecure-login I cannot login anymore with or without token, on the bottom of the screen I get Insecure access message mentioned in my OP and Sign in button stays inactive even if I paste a token.

    This seems strange, doesn't it?

    @headkaze If you read the update I've posted just under my OP you'll see that I've already tried adding token with kubectl create token command, so I don't really see what was the point of your post? You say you needed --kubelete-insecure-tls, are you referring to the setup of metrics-server?

  • headkaze
    headkaze Posts: 15
    edited September 2022

    I make notes when I do a LAB so I'll paste them in here assuming you've already done the metrics-server part correctly.

    $ helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
"kubernetes-dashboard" has been added to your repositories
$ helm pull kubernetes-dashboard/kubernetes-dashboard
$ tar -zxvf kubernetes-dashboard-5.7.0.tgz
$ cd kubernetes-dashboard
$ nano values.yaml

    I did have to enable the metricsScraper otherwise the dashboard doesn't show any CPU or memory usage etc.

    ...
service:
  type: NodePort
  # Dashboard service port
  externalPort: 443
...
metricsScraper:
  ## Wether to enable dashboard-metrics-scraper
  enabled: true
  image:
    repository: kubernetesui/metrics-scraper
    tag: v1.0.8
  resources: {}
...

    $ kubectl create ns kubernetes-dashboard
namespace/kubernetes-dashboard created
$ helm install kubernetes-dashboard --namespace kubernetes-dashboard .

    Then I created the cluster role and token (as posted above)

    $ kubectl get serviceaccounts -n kubernetes-dashboard
NAME                   SECRETS   AGE
default                0         10m
kubernetes-dashboard   0         9m44s
$ kubectl create clusterrolebinding dashaccess --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:kubernetes-dashboard
clusterrolebinding.rbac.authorization.k8s.io/dashaccess created
$ kubectl get clusterrolebinding dashaccess
NAME         ROLE                        AGE
dashaccess   ClusterRole/cluster-admin   9m30s
$ curl ifconfig.io
173.28.225.52
$ kubectl -n kubernetes-dashboard create token kubernetes-dashboard

    Finally to get the url:

    $ export NODE_PORT=$(kubectl get -n kubernetes-dashboard -o jsonpath="{.spec.ports[0].nodePort}" services kubernetes-dashboard)
$ export NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}")
$ echo https://$NODE_IP:$NODE_PORT/

    In my case I place in my browser https://mycluster-cp1:31370 then it should take you to a login where you paste in your token.

  • k0dard
    k0dard Posts: 115

    @headkaze I see that you're pulling v5.7.0, which is old, current version is 5.10.0

    Can you try helm repo update and then pull new version

    As I've said my problem is that Sing in button is inactive even when I enter the token

  • chrispokorni
    chrispokorni Posts: 1,842

    Hi @k0dard,

    Yes, I did mean the metricsScraper, which oddly is on a different line in my values.yaml file :wink:

    As far as https - it is default, just as @headkaze confirmed in his comment. If you have a chance to describe the kubernetes-dashboard service, the ports object defines port number 443 tagged with name=https, which even as a NodePort accepts https traffic.

    The protocolHttp behavior makes some sense. When false, it allows the https default protocol, and throws the http request to https server error if the request is http instead of the expected https. When true, it overrides https and accepts http traffic instead.

    I have not yet explored the enable-insecure-login so I can't comment on its behavior.

    Regards,
    -Chris

  • headkaze
    headkaze Posts: 15
    edited September 2022

    @k0dard said:
    @headkaze I see that you're pulling v5.7.0, which is old, current version is 5.10.0

    I just tried going through the LAB from scratch but this time installing Kubernetes Dashboard 5.10.0 and I had no problem pasting in my token and clicking "Sign In". Maybe try a different browser?

  • k0dard
    k0dard Posts: 115
    edited September 2022

    It turns out that my browser, since the SSL certificate is not valid, automatically redirected me to http. If I manually add https:// before my server IP and accept the security risk, the Sign in button becomes active again...

    Thanks everyone for your help, I appreciate it!

Categories

Upcoming Training