dashboard: Unable to access Dashboard ("Forbidden")

Environment

Dashboard version: Latest from URL below
Kubernetes version: v1.9.3
Operating system: Ubuntu 16.04.2 LTS
Node.js version:
Go version:

I have seen many similar error reports and tried to follow the advice, but no, it does not work for me. The guide here https://github.com/kubernetes/dashboard seem to be overly simplistic. There is a lot more documentation on authentication, but it remains unclear how much of that is needed to simply get access to the GUI in a lab environment.

Steps to reproduce

Install cluster: sudo kubeadm init --kubernetes-version=$KUBEVERSION --apiserver-advertise-address=$HOSTIP mkdir -p $HOME/.kube sudo cp /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u)😒(id -g) $HOME/.kube/config

kubectl apply -f https://docs.projectcalico.org/v2.6/getting-started/kubernetes/installation/hosted/kubeadm/1.6/calico.yaml kubectl taint nodes --all node-role.kubernetes.io/master:NoSchedule-

Install Dashboard: kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

Run proxy: kubectl proxy

Then from same host: curl http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

Observed result

Error: ‘Forbidden’ Trying to reach: ‘https://192.168.216.47:8443/’

Expected result

Some HTML

Comments

I tried creating cluster role bindings as described here https://github.com/kubernetes/dashboard/wiki/Access-control, but with the same result.

$ kubectl get services -n kube-system     
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
calico-etcd            ClusterIP   10.96.232.136    <none>        6666/TCP        24m
kube-dns               ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP   24m
kubernetes-dashboard   ClusterIP   10.110.228.155   <none>        443/TCP         18m

About this issue

Original URL
State: closed
Created 6 years ago
Comments: 23 (8 by maintainers)

Most upvoted comments

The same thing happened to me, but fixed it after starting the proxy service disabling request filtering kubectl proxy --disable-filter=true --address=‘192.168.0.27’, also specifying the IP address just to not use localhost

+22

lloverarcpedro on Nov 5, 2020

Hi folks, my issue is a little different and yet may still have some relevance to what has been discussed here so far, so let me share it with you all.

My cluster runs on three VMware VMs, the control plane is on ubun1811 (192.168.42.161/24) In order to reach dashboard from a remote host, I did the following:

Edited /etc/kubernetes/manifests/kube-apiserver.yaml to have the these two entries under spec -> containers -> command -> kube-apiserver
- –advertise-address=192.168.42.161

–etcd-servers=https://192.168.42.161:2379 Restart kubelet after the change

On ubun1811, as a non-root user, run this proxy command: kubectl proxy --address=‘192.168.42.161’
–accept-hosts=‘^localhost$,^127.0.0.1$,^192.168.42.157$,^192.168.0.11$,^[::1]$’
–disable-filter=true
–port=8011

As a result, I am able to:

Using curl reach dashboard from ubun1807 (192.168.42.157/24)
Using curl reach dashboard from houston (192.168.0.11/24)
Using curl reach dashboard from ubun1811 (192.168.42.161/24) by specifying its IP, not its DNS hostname, and not localhost, either, of course.

The remaining problem that I am still having is this: Using Chome, when I open it to http://ubun1811:8011, I got curl output dump, no web pages displayed, Using IE, when I open it to http://ubun1811:8011, “cannot reach this page” error remains

I will continue trouble-shooting and see what’s missing in my dashboard. Let anyone can shed a light on the remaining issue for me, it would be greatly appreciated!

tonydshen on Apr 23, 2019

If you just want to accept arbitrary hosts, then you can do something like --accept-hosts="^.*$" instead of --disable-filter=true. It looks like disabling filter also disables anything you specify for --accept-paths, --reject-methods, and --reject-paths which you’ll probably want to configure a bit if you’re accepting arbitrary hosts

ckw017 on Jul 26, 2021

Thanks, @lloverarcpedro, passing --disable-filter=true worked for me as well, for accessing the dashboard a microk8s setup on an off-host VM.

mikepurvis on Mar 10, 2021

I’m assuming that this Forbidden error comes from apiserver and is not related to Dashboard at all. Try to access some other application through service proxy i.e. http://localhost:8001/api/v1/namespaces/kube-system/services/grafana/proxy/. If you will see the same error then you have to configure your cluster and cluster user properly first, before accessing any applications.

floreks on Feb 22, 2018

My issue is I installed the Kubernetes cluster in the ubuntu 18.04 LTS server and complete all the necessary process required to use the Kubernetes dashboard I started kubelet proxy to my VM’s IP address (kubelet proxy --address=192.168.x.xxx) and trying to access in windows chrome browser. but unable to access. it saying forebidden.

vishaljadhav21 on May 28, 2021

I was also suffering from this problem, and was able to solve it. The root cause is that the file /etc/kubernetes/manifests/kube-apiserver.yaml had an env: section where the proxy environment variables were set. kubectl proxy is going via the API server, so any subsequent requests by the API server reverse proxy were using the defined proxy server (and possibly ignoring the no_proxy setting). Given that the API server doesn’t usually need to use an external proxy for anything, the solution was to simply delete the env: section from kube-apiserver.yaml and then run sudo systemctl restart kubelet to trigger the launch of a fresh non-proxy-using API server.

dhague on Apr 10, 2018