How to fix – "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get services/proxy in the namespace \"kube-system\""
Let me get to the point - you are trying to set up the Kubernetes dashboard and you have pretty much done the following 2 steps -
Step 1 - Used the kubectl command to install the Kubernetes dashboard (Note - if the URL is not accessible, please refer to https://kubernetes.io or https://github.com/kubernetes/dashboard for the updated URL)
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml
Step 2 - Started a proxy to your Kubernetes API server using
kubectl proxy
But after the above steps, when you tried to access the Kubernetes dashboard URL (http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/), you got the following error message.
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get services/proxy in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}
Do not worry, we are going to fix the issue, and along the way we will see how RBAC works in Kubernetes.
Root Cause of Error
You do not have a user certificate installed on your end, so Kubernetes does not trust you. The request is handled as the user system:anonymous, which leads to the HTTP 403 Forbidden error.
Solution
Install the certificate into your browser so that Kubernetes trusts your request. But where do you get the certificate?
We are going to generate the certificate from the kubeconfig file that kubeadm generated. Follow the steps below to generate it.
(If you prefer a more visual way to troubleshoot, please refer to the following lab session as well as this guide.)
Step 1 - Locate your kubeconfig file
If you are using a Vagrant setup just like me, then look for /home/vagrant/.kube/config or /etc/kubernetes/admin.conf
If you cannot find it, use the following command to search
find / -name '*.kube*' 2>/dev/null
It will lead to the kubeconfig file location
Step 2 - Generate kubecfg.crt
I am assuming that your kubeconfig file is located at /home/vagrant/.kube/config
Switch to /home/vagrant
cd /home/vagrant
Run the following certificate generation command
grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.crt
Now you should have kubecfg.crt generated at /home/vagrant
Step 3 - Generate kubecfg.key
To generate the kubecfg.key use the following command
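grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.key
Now you should have kubecfg.key generated at /home/vagrant. This file is the private key of the client identity in the kubeconfig, and the admin kubeconfig that kubeadm generates has cluster-admin rights, so keep it readable only by your own user.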
Step 4 - Generate kubecfg.p12
Use the following command to generate kubecfg.p12. openssl prompts for an export password; remember it, because the browser asks for it during import.
openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"
Now you should have kubecfg.p12 generated at /home/vagrant
Step 5 - Copy the generated kubecfg.p12 to your local development machine
Use the scp command to copy the kubecfg.p12 file to your local development machine
scp kubecfg.p12 rahul@192.168.1.125:/home/rahul/Jhooq/Kubernetes/vagrant
So now you have obtained your kubecfg.p12 file.
Step 6 - Import the kubecfg.p12 to your browser
In my case I am using Firefox, so the following steps apply to Firefox. If you are using Chrome, I would suggest referring to this link for importing the certificate in Google Chrome.
Go to Firefox -> Preferences
In the Find in Preferences search box, search for Certificates
This opens the Certificate Manager window
Now click on Import and import your kubecfg.p12 file here. It will ask for the password, so supply the same password you used at the time of creation.
After the successful import it should look like this
That is it. Now you can go back and try accessing the URL again, i.e. http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
You should be able to access that URL successfully.
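Steps 2 to 4 as one script, added here as an example and not part of the original article: it fails when the kubeconfig has no inline certificate data, writes the files with mode 0600, and checks that the certificate and key belong together before exporting. The function names kube_field, pair_matches and make_p12 are hypothetical.

```bash
# Added example: Steps 2-4 with checks. Function names are hypothetical;
# output file names follow the article.

# kube_field KUBECONFIG FIELD OUTFILE
# Decode the first inline "FIELD: <base64>" value into OUTFILE (mode 0600).
# Fails, leaving no file behind, when the kubeconfig has no inline data
# (for example "client-certificate: /path") or the result is not PEM.
kube_field() {
    local cfg=$1 field=$2 out=$3 b64
    b64=$(awk -v f="${field}:" '$1 == f { print $2; exit }' "$cfg")
    [ -n "$b64" ] || { echo "no inline ${field} in ${cfg}" >&2; return 1; }
    # '>' overwrites, so a re-run cannot append a second copy.
    ( umask 077; printf '%s' "$b64" | base64 -d > "$out" ) || { rm -f "$out"; return 1; }
    chmod 600 "$out"
    grep -q -- '-----BEGIN ' "$out" || { echo "${out} is not PEM" >&2; rm -f "$out"; return 1; }
}

# pair_matches CERT KEY
# Succeeds only if the certificate carries the public key of the private key.
pair_matches() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# make_p12 KUBECONFIG OUTDIR
# Writes kubecfg.crt, kubecfg.key and kubecfg.p12 into OUTDIR.
make_p12() {
    local cfg=$1 dir=$2
    kube_field "$cfg" client-certificate-data "$dir/kubecfg.crt" || return 1
    kube_field "$cfg" client-key-data "$dir/kubecfg.key" || return 1
    pair_matches "$dir/kubecfg.crt" "$dir/kubecfg.key" ||
        { echo "certificate and key do not match" >&2; return 1; }
    # Show whose identity this is and when it expires before exporting it.
    openssl x509 -in "$dir/kubecfg.crt" -noout -subject -enddate
    # openssl prompts for the export password that the browser import asks for.
    ( umask 077; openssl pkcs12 -export -clcerts -inkey "$dir/kubecfg.key" \
        -in "$dir/kubecfg.crt" -out "$dir/kubecfg.p12" -name "kubernetes-client" )
}

# Usage: make_p12 /home/vagrant/.kube/config /home/vagrant
```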
Summary
To summarize this article, we need the following files -
- .crt (kubecfg.crt)
- .key (kubecfg.key)
- .p12 (kubecfg.p12)
to fix the Kubernetes dashboard error - "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get services/proxy in the namespace \"kube-system\""