-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Response "Unauthorized" #692
Comments
Can you |
Hi bryk, I found the issue here. I was using the kubectl proxy command as noted above on an ubuntu server, specifying the IP address in the command. I was when pointing a browser on an OSX machine at the ubuntu server's IP. The connection worked, and I got the unauthorized response. I found that if i used "kubectl --port=9090" and then did a wget to localhost, the request worked as it should. This appears to be an issue with the proxy command in kubectl. Or perhaps they intended to limit connections to localhost. I don't believe this is an issue with the web ui. Thanks, |
@ScubaDrew Yeah, that's what I expected. I'm closing this issue. Please reopen if needed. |
I have the same issue .
What can i do, thanks |
Yeah, that's correct that it is moved permanently. Can you open the URL with a browser? |
or
in browser window Unauthorized |
@EamonZhang it only works when the url is localhost. Accessing it via IP address is... Unauthorized by design. |
Server computer have no browser to be used. Thanks |
If your master is publicly accessible you can access it to see the UI: |
I have the master running on a public IP but get unauthorized un http://ip/ui the dashboard pod self is not running on the master node. But another one. How do I expose the UI? any hints? |
I have the same issue as hwinkel above. Just installed K8 and the dashboard per https://github.com/kubernetes/dashboard#kubernetes-dashboard I get the 'unauthorized" message when accessing https:///ui I am using a mozilla browser from a windows client, so the kubectl proxy approach doesn't seem appropriate. What I am missing here? |
Same here running 1.4 installed it following the guide at http://kubernetes.io/docs/getting-started-guides/kubeadm/. However when installing the dashboard/UI it seems to be running but get an "Unauthorized" Followed the guide at http://kubernetes.io/docs/user-guide/ui/ to install the UI basically just run "kubectl create -f https://rawgit.com/kubernetes/dashboard/master/src/deploy/kubernetes-dashboard.yaml"
@natejoebott are you running 1.4? |
Right, I too installed it via the beta version of Kubeadm with 1.4. Upon further investigation this may be expected behavior based upon the limitation number 4 - There is not yet an easy way to generate a kubeconfig file which can be used to authenticate to the cluster remotely with kubectl. |
Are people expecting the dashboard to be publicly available without auth? If this were really the case, everyone would be exposing write access for their cluster to the anonymous world. Unless I'm missing a detail here? |
No, but there doesn't seem to be simple way to auth. In the documentation for the dashboard, it provides the follow guidance after installation: I was not prompted for a password, nor does the kubectl config view provide any indication of a password. Next up is using the alternative proxy method; however, only localhost can be used - http://localhost:8001/ui - thus unless you are using a mac or linux host where the kubectl proxy script was invoked will this work. |
Presumably you're using client-cert auth then if there's no password/token in
(I'm working on an example of how you can run a reverse-proxy with auth in front of the dashboard that should make things like this easier.) |
Can you share any details here? I'd love us to incorporate something like this to default install, so that folks can expose the UI to external world. |
This is the idea: kubernetes-retired/contrib#1492. I still haven't had time to put the |
All right. Share anything you make work :) We need to explore all possible solutions, because, eventually, we need to bake a solution to this into Dashboard. |
Heya, so we are all actively commenting on an issue that is closed since May .. begs the question as to whether this issue is Closed? (Maybe a scope change...) Here's where we are at, total newbs:
So since this is my first time on a test cluster I can do this: Maybe helpful would be a pointer on how to add a username/password in the Usage section at https://github.com/kubernetes/dashboard#kubernetes-dashboard |
What URL did you try to hit after running |
From my workstation, to external IP of kubernetes cluster Master: From localhost on kubernetes cluster Master: |
And what happens if you try, after running |
Workstation -> http://10.10.1.188:8001/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard/#/workload?namespace=_all -> Unauthorized Kubenetes Master |
@dannyman I got the same problem. So, i try using NodePort and it's work. I can use dashboard right now on the browser.
|
something seems weird here... If I port forward from mac over ssh the browser loads gui but 403s all data. It would seem, if we (the clients/users/admins of k8 cluster) firewall off the proxy port from outside world, but port forward over ssh, that allowing fully GUI dashboard access would be pretty reasonable, security thinking-wise? |
That only makes sense with RBAC disabled. I'm not sure why the dashboard 403s when not authenticating even though is not required. If RBAC is enabled (which it is with e.g. kubeadm 1.6), you'll need a way to authenticate as a client, and that is what |
I have go through this very long thread and yet haven't found a solution for my case. In my scenario, I have a kube cluster with 3 nodes, and they're deployed on VMs that have no monitors attached, neither I want to use X11 to forward it. This is what I need:
But now I did this |
thanks @praseodym for the info. i just spent 3 days in a black hole trying to sort out kubectl v1.6.1 "client" issue compared to working v1.6.0 on sun/mon, bleah! (my ops team has an over-aggressive firewall so made sorting out issues a super challenge..) (i can get my admin.conf on my laptop and kubectl proxy with it and seems like is connecting -- but same kind of "instantly hides access to the details" (same denied stuff as with trying to port forward a proxy from the server). so i'm probably close!) |
I installed k8s using kubeadm in https://kubernetes.io/docs/getting-started-guides/kubeadm/. I wanted to run kubectl proxy on the master, and access the k8s API from a different host (not the master) using the IP address (not localhost) of the master. 172.18.7.245 is the IP address of my master, and after doing kubectl proxy --port=8181 --address=172.18.7.245 --accept-hosts='^*$' & on the master, I was able to successfully access the k8s API from a different host (with IP address 172.18.7.246 and that pings the master 172.18.7.245) using curl http://172.18.7.245:8181/api/v1 curl http://localhost:8080/api/v1 this works for my case |
Finally both below works for me cause you need to ensure master can ping pod from worker node, I found that somehow --iface not to be loaded to start the kube-flannel pod as I am using vagrant. use kubectl replace -f kube-flannel.yml --force thus to delete and recreate the source.
|
@zhuroy Thank you so much for the free time you gave me, I have tried it and it works: kubectl proxy --address xxx.xx.xx.xx --port=2087 --accept-hosts='^*$' I access with the browser http://xxx.xx.xx.xx:2087/ui automatically leads to |
Closing as stale. |
EASY ANSWER |
I've not tried to configure Apache (or Nginx) web server. Instead, the following works for me
|
kubectl proxy |
The "Unauthorized" error can be fixed using the
|
@colemickens the documentation doesn't say to run And that would also mean you need a copy of |
From docs:
@naisanza it is not stated because it can be run from any machine and we do not want to suggest anything, and not to make user think that some machine is the only one he can run it from. Only requirements are PS. Master node does not require |
@naisanza The reason I mention it is:
The 2b option is suggested throughout this thread but that means that anyone in the world could then start writing to your cluster. The more secure option is to run I think there are additional options now that kube-dashboard offers some alternative authentication options, but that was my reason for recommendation in this thread. |
hi @miguelcastilho , |
I was able to get this working. Hence, sharing it for anyone interested. BACKGROUND: K8s master on ubuntu VM. Couldn't access dashboard from my local machine (Windows 10). Solution: Note: I had to WinSCP and copy over the cert files from ~/kube/certs/ on the ubuntu VM. Thereafter,
Enjoy!!! |
I try following way to get this working.
|
then access |
@soolaugust got me working with There really should be something more obvious like |
Great! |
Hello, I am a newbie on Kubernetes. I am running Kubernetes and minikube on Ubuntu server 16.04 I ran
I don't understand that error. Here is my ip addresses
How can I solve it? |
hi , |
Issue details
I followed the steps to install and setup the proxy as detailed in the README.md
When I point my webbrowser at the proxy address I just get back an "unauthorized" response.
Environment
Dashboard version: latest as of 5/28/16
Kubernetes version: 1.2.2
Operating system: core
Steps to reproduce
All other kubectl commands work correctly.
kubectl cluster-info
Kubernetes master is running at https://kub2.drewoconnor.com
Heapster is running at https://kub2.drewoconnor.com/api/v1/proxy/namespaces/kube-system/services/heapster
KubeDNS is running at https://kub2.drewoconnor.com/api/v1/proxy/namespaces/kube-system/services/kube-dns
kubernetes-dashboard is running at https://kub2.drewoconnor.com/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard
Observed result
Unauthorized
Expected result
Dashboard
The text was updated successfully, but these errors were encountered: