dashboard: kubernetes dashboard does not login throws object object error

Hi,

I have deployed an RBAC-enabled dashboard. With my RBAC-enabled user configs, I am able to run all types of kubectl commands and it works fine. But when I try to log in to the dashboard with a token generated through a ServiceAccount, it throws “object object error”. This service account has access to kube-system namespaces.

Dashboard version: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.1
Kubernetes version: 1.8.4
Operating system: centos

Is there any way to find what is throwing this error in the kubernetes log?

How to reproduce it?

-> Open Dashboard as “kubectl proxy”
-> URL: http://127.0.0.1:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
-> Login with Service Account Token “”
-> Throws below error

Find attached the screen shot


About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 1
  • Comments: 18 (7 by maintainers)

Most upvoted comments

I was able to get around this with the following role for users:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-view
  namespace: kube-system
rules:
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["kubernetes-dashboard", "http:kubernetes-dashboard:", "https:kubernetes-dashboard:"]
  verbs: ["get", "list", "view"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["kubernetes-dashboard", "http:kubernetes-dashboard:", "https:kubernetes-dashboard:"]
  verbs: ["get", "list", "view", "create"]

Specifically, the create permission on services/proxy for https:kubernetes-dashboard: was missing.

@bixiyan Your case is different, and why this is not working is already described in our documentation. It was explained multiple times already. Read the NOTE part of the kubectl proxy part: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above#kubectl-proxy.

I faced the same problem: I can't POST to 127.0.0.1:8001/.../login with my serviceaccount. When I ran kubectl proxy with the admin default .kube/config, I was able to log in with the serviceaccount token.

POST http://127.0.0.1:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/api/v1/login 403 (Forbidden)

My service account role:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: reader-access
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["view","list","get"]
- nonResourceURLs: ["/ui"]
  verbs: ["get", "post"]

What should I add there? I found out it works with

rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["view","list","get", "create"]

But what should it be able to create, which kind of resources? Can I limit it by name and resource?
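
An added example (not part of the thread and not the dashboard project's code) that evaluates the roles posted above against the failing login POST, showing which rule decides the 403 and how much the wildcard `create` opens up. It is a simplified model of RBAC rule matching for namespaced core-group paths only, it assumes each role is bound to the service account in kube-system, and the function names and `READER_PLUS_CREATE` are names chosen here.

```python
# Added example: simplified RBAC matching for namespaced core-group requests.
# The API server derives the RBAC verb from the HTTP method (POST -> create).
HTTP_TO_VERB = {"GET": "get", "POST": "create", "PUT": "update",
                "PATCH": "patch", "DELETE": "delete"}

def request_attrs(method, path):
    """Parse /api/v1/namespaces/<ns>/<resource>[/<name>[/<subresource>/...]]."""
    parts = path.strip("/").split("/")
    if parts[:3] != ["api", "v1", "namespaces"] or len(parts) < 5:
        raise ValueError("path not handled by this simplified parser")
    name = parts[5] if len(parts) > 5 else ""
    resource = parts[4] + ("/" + parts[6] if len(parts) > 6 else "")
    verb = "list" if method == "GET" and not name else HTTP_TO_VERB[method]
    return {"verb": verb, "group": "", "namespace": parts[3],
            "resource": resource, "name": name}

def rule_allows(rule, req):
    if "resources" not in rule:  # nonResourceURLs rules never match resource requests
        return False
    names = rule.get("resourceNames", [])  # empty list means "any name"
    return (any(g in ("*", req["group"]) for g in rule.get("apiGroups", []))
            and any(r in ("*", req["resource"]) for r in rule["resources"])
            and any(v in ("*", req["verb"]) for v in rule["verbs"])
            and (not names or req["name"] in names))

def allowed(rules, req):
    return any(rule_allows(rule, req) for rule in rules)

# Rules copied from the roles posted in this thread.
DASH_NAMES = ["kubernetes-dashboard", "http:kubernetes-dashboard:",
              "https:kubernetes-dashboard:"]
DASHBOARD_VIEW = [
    {"apiGroups": [""], "resources": ["services"], "resourceNames": DASH_NAMES,
     "verbs": ["get", "list", "view"]},
    {"apiGroups": [""], "resources": ["services/proxy"], "resourceNames": DASH_NAMES,
     "verbs": ["get", "list", "view", "create"]},
]
READER_ACCESS = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["view", "list", "get"]},
    {"nonResourceURLs": ["/ui"], "verbs": ["get", "post"]},
]
READER_PLUS_CREATE = [{"apiGroups": ["*"], "resources": ["*"],
                       "verbs": ["view", "list", "get", "create"]}]
LOGIN = ("/api/v1/namespaces/kube-system/services/"
         "https:kubernetes-dashboard:/proxy/api/v1/login")

if __name__ == "__main__":
    req = request_attrs("POST", LOGIN)
    print(req)
    for label, rules in [("reader-access", READER_ACCESS),
                         ("kubernetes-dashboard-view", DASHBOARD_VIEW)]:
        print(label, "allows login POST:", allowed(rules, req))
```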