How to fix kubernetes dashboard forbidden 403 error – message services https kubernetes-dashboard is forbidden User
The objective of this article is to troubleshoot the "https kubernetes-dashboard is forbidden" error, which you might encounter after setting up the Kubernetes dashboard: when you try to access it in a browser, it returns a forbidden error message.
This blog is divided into two sections -
1. The actual kubernetes dashboard forbidden error
Let me get straight to the point - you are trying to set up the Kubernetes dashboard. You have installed it using the kubectl command -
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.4.0/aio/deploy/recommended.yaml
You have also started a local proxy to your Kubernetes API server using
kubectl proxy
But after the above steps, when you tried to access the Kubernetes dashboard URL (http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/), you got the following error message.
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get services/proxy in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}
2. Root Cause of Error
You do not have a user certificate installed at your end, so Kubernetes cannot identify you and does not trust the request. It is handled as the system:anonymous user shown in the message, which leads to the HTTP 403 Forbidden error.
3. How to Troubleshoot
Install the certificate into your browser, so that Kubernetes trusts your request. But the question is: where do you get the certificate from?
We are going to generate the certificate from the kubeconfig file which is generated by kubeadm. Follow the steps below to generate the certificate.
Step 1 - Locate your kubeconfig file
If you are using a Vagrant setup just like me, then look for /home/vagrant/.kube/config or /etc/kubernetes/admin.conf
If you couldn't find it, then use the following command to search
find / -name '*.kube*' 2>/dev/null
It will lead you to the kubeconfig file location
Step 2 - Generate kubecfg.crt
I am assuming that your kubeconfig file is located at /home/vagrant/.kube/config
Switch to /home/vagrant
cd /home/vagrant
Run the following certificate generation command
grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.crt
Now you should have kubecfg.crt generated at /home/vagrant
Step 3 - Generate kubecfg.key
To generate the kubecfg.key, use the following command
grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.key
Now you should have kubecfg.key generated at /home/vagrant
Step 4 - Generate kubecfg.p12
Use the following command to generate the kubecfg.p12
openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"
Now you should have kubecfg.p12 generated at /home/vagrant
Step 5 - Copy the generated kubecfg.p12 to your local development machine
Use the scp command for copying the kubecfg.p12 file to your local development machine
scp kubecfg.p12 rahul@192.168.1.125:/home/rahul/Jhooq/Kubernetes/vagrant
So now you have obtained your kubecfg.p12 file.
Step 6 - Import the kubecfg.p12 to your browser
In my case I am using Firefox, so the following steps apply to Firefox. If you are using Chrome, I would suggest referring to this link for importing the certificate in Google Chrome
Go to Firefox->Preferences
In the Find in Preferences search box, search for Certificates
This opens the Certificate Manager window
Now click on Import and import your kubecfg.p12 file here. It will ask for the password, so please supply the same password which you used at the time of creation.
And after the successful import it should look like this
That is it. Now you can go back and try accessing the URL again, i.e. http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
You should be able to access that URL successfully.
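Steps 2 to 4 above as one hardened script, added here as an example and not part of the original article: it writes the certificate and key with owner-only permissions, refuses output that is not PEM, and prints the certificate subject before building kubecfg.p12. The function names extract_pem and build_p12 are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Function names are assumptions.

# extract_pem KUBECONFIG FIELD OUTFILE
# Decodes the first base64 value of FIELD (client-certificate-data or
# client-key-data) and writes it to OUTFILE, readable by the owner only.
extract_pem() {
    local kubeconfig="$1" field="$2" out="$3" pem
    pem=$(grep "${field}:" "$kubeconfig" | head -n 1 | awk '{print $2}' | base64 -d) || return 1
    # Refuse to write anything that is not PEM: no match, corrupt base64, or a
    # kubeconfig that points at files instead of embedding the data.
    case $pem in
        "-----BEGIN "*) ;;
        *) echo "no embedded PEM for ${field} in ${kubeconfig}" >&2; return 1 ;;
    esac
    # umask applies only inside the subshell. Removing the old file first drops
    # any looser mode it had, and '>' never leaves two copies as '>>' would.
    ( umask 077; rm -f -- "$out"; printf '%s\n' "$pem" > "$out" )
}

# build_p12 KUBECONFIG OUTDIR
# Writes kubecfg.crt, kubecfg.key and kubecfg.p12 into OUTDIR.
build_p12() {
    local kubeconfig="$1" dir="$2"
    extract_pem "$kubeconfig" client-certificate-data "$dir/kubecfg.crt" || return 1
    extract_pem "$kubeconfig" client-key-data "$dir/kubecfg.key" || return 1
    # Show which identity is being exported and when it expires.
    openssl x509 -in "$dir/kubecfg.crt" -noout -subject -enddate || return 1
    # openssl prompts for the export password the browser asks for at import.
    ( umask 077; openssl pkcs12 -export -clcerts -inkey "$dir/kubecfg.key" \
        -in "$dir/kubecfg.crt" -out "$dir/kubecfg.p12" -name "kubernetes-client" )
}

# Usage: build_p12 /home/vagrant/.kube/config /home/vagrant
```

If the kubeconfig is kubeadm's admin.conf, kubecfg.key and kubecfg.p12 hold cluster-administrator credentials, so remove the intermediate files from both machines once the browser import is done.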
Summary
To summarize this article, we need the following files -
- .crt (kubecfg.crt)
- .key (kubecfg.key)
- .p12 (kubecfg.p12)
for fixing the Kubernetes dashboard error - "message": "services "https:kubernetes-dashboard:" is forbidden: User "system:anonymous" cannot get services/proxy in the namespace "kube-system""