I am trying to access the kubernetes Dashboard using the Token method outside the network.
I ran these 2 commands to get the token
kubectl -n kube-system get secret
kubectl -n kube-system describe secret replicaset-controller-token-2p4fk
Copy paste output token into K8 Login page.
I'm getting this error in the browser console when I click on the Sign in button (the page is not loading).
I'm running k8 on the internal server using the command:
kubectl proxy --address 0.0.0.0 --accept-hosts '.*'
And I'm trying to access the k8 UI console from outside the network.
Failed to load resource: the server responded with a status of 401 (Unauthorized)
vendor.bd425c26.js:6 Error during global settings reload: Object
:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/api/v1/rbac/status:1 Failed to load resource: the server responded with a status of 401 (Unauthorized)
vendor.bd425c26.js:6 Possibly unhandled rejection: {"data":"MSG_LOGIN_UNAUTHORIZED_ERROR\n","status":401,"config":{"method":"GET","transformRequest":[null],"transformResponse":[null],"jsonpCallbackParam":"callback","url":"api/v1/rbac/status","headers":{"Accept":"application/json, text/plain, */*"}},"statusText":"Unauthorized","xhrStatus":"complete","resource":{}}
I even tried these steps, but no luck: the page is not loading when I click the Sign in button.
$ kubectl -n kube-system get secret
# All secrets with type 'kubernetes.io/service-account-token' will allow to log in.
# Note that they have different privileges.
NAME TYPE DATA AGE
deployment-controller-token-frsqj kubernetes.io/service-account-token 3 22h
$ kubectl -n kube-system describe secret deployment-controller-token-frsqj
Name: deployment-controller-token-frsqj
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name=deployment-controller
kubernetes.io/service-account.uid=64735958-ae9f-11e7-90d5-02420ac00002
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZXBsb3ltZW50LWN
Here is my Kube/config file
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRV..
    server: https://192.168.15.97:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBD..
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJ..
And why is it that I'm not seeing the Skip auth button next to the Sign in button?
I tried these steps as well:
Run the following commands:
This command will create a service account for the dashboard in the default namespace
$ kubectl create serviceaccount dashboard -n default
This command will add the cluster binding rules to your dashboard account
$ kubectl create clusterrolebinding dashboard-admin -n default \
    --clusterrole=cluster-admin \
    --serviceaccount=default:dashboard
This command will give you the token required for your dashboard login
$ kubectl get secret $(kubectl get serviceaccount dashboard -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode
Can someone help me here? What am I missing?
Some Findings: Link kubectl proxy command only allows HTTP connection. For domains other than localhost and 127.0.0.1 it will not be possible to sign in. Nothing will happen after clicking Sign in button on login page.
kubectl proxy doesn't support https calls.
Is there a way to run kubectl proxy command along with Kubernetes Server IP Address from an outside/Local windows network ?
Note: The local system is a Windows 10 & K8 is a Linux server. Docker Version: 18.09 & k8 Version: v1.13.1
Thanks,
Now you can remote access your Kubernetes Dashboard from your laptop using the following local URL via the kubectl proxy. Kubectl will make Dashboard available at: http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/.
To access the dashboard endpoint, open the following link with a web browser: http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/#!/login . Choose Token, paste the authentication-token output from the previous command into the Token field, and choose SIGN IN.
In the below code snippet, the Kubernetes dashboard service is listening on TCP port 443 and maps TCP port 8443 from port 443 to the dashboard pod port TCP/8443.
I have this issue when I try to get access to the dashboard via kubectl proxy using plain http and public ip.
Error details: kubectl proxy produces errors http: proxy error: context canceled in console, in browser after you click "sign in" one of the requests which ends with /plugin/config returns json with MSG_LOGIN_UNAUTHORIZED_ERROR but the browser doesn't display any error.
The solution (source)
kubectl port-forward -n kubernetes-dashboard service/kubernetes-dashboard 8443:443 --address 0.0.0.0
Of course you can use your interface ip instead of 0.0.0.0 if you want to bind it to one interface only. Then go to https://your.external.ip:8443/, it'll redirect you to https://your.external.ip:8443/#/login and you'll be asked for the token. Next, as described here:
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret \
| awk '/^deployment-controller-token-/{print $1}') | awk '$1=="token:"{print $2}'
https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
I have a note:
The Dashboard should not be exposed publicly using kubectl proxy command as it only allows HTTP connection. For domains other than localhost and 127.0.0.1 it will not be possible to sign in. Nothing will happen after clicking Sign in button on login page.
In case you have ssh access to the Kubernetes, you can execute on the machine running the cluster:
kubectl proxy --address 0.0.0.0 --accept-hosts '.*'
And then create a local port forwarding:
ssh -L:8001:XXX.XXX.XXX.XXX:8001 username@XXX.XXX.XXX.XXX
where username is the username you use to connect to the machine and XXX.XXX.XXX.XXX is the IP address of the master node. Then you would be able to pass the token and access the dashboard.
Of course, this is a very dirty trick and I would hardly advise against using it in a production environment.
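Both answers above make a kubectl listener reachable beyond loopback with `--address 0.0.0.0`, and the proxy variant also widens `--accept-hosts`. The script below is an added example, not part of the original posts: it classifies command lines taken from shell history or a process listing by that exposure. The function names and verdict labels are made up for this example, and the `--accept-hosts` regexes are only approximated with `grep -E`.

```shell
# Classify a kubectl command line by how widely it exposes the cluster:
#   n/a | local (loopback only) | exposed (non-loopback listener)
#   | exposed-any-host (proxy off loopback and --accept-hosts matches any Host)
all_loopback() {                    # $1: comma-separated bind addresses
    old_ifs=$IFS; IFS=,
    for a in $1; do
        case "$a" in 127.0.0.1|localhost|::1) ;; *) IFS=$old_ifs; return 1 ;; esac
    done
    IFS=$old_ifs
}
accepts_any_host() {                # $1: comma-separated regexes, approximated with grep -E
    old_ifs=$IFS; IFS=,; hit=1
    for re in $1; do
        printf '%s\n' "unrelated.example.test" | grep -Eq -- "$re" && hit=0
    done
    IFS=$old_ifs; return $hit
}
audit_kubectl_cmd() {               # $1: one command line (shell history or ps output)
    mode="" prev="" addr="127.0.0.1" verdict=local
    hosts='^localhost$,^127\.0\.0\.1$,^\[::1\]$'   # kubectl proxy's default Host filter
    set -f                                         # keep .* from expanding as a glob
    # Drop quotes kept by history lines; turn --flag=value into --flag value.
    norm=$(printf '%s' "$1" | tr -d "'\"" | sed -E 's/--(address|accept-hosts)=/--\1 /g')
    for arg in $norm; do
        case "$prev" in
            --address)      addr=$arg ;;
            --accept-hosts) hosts=$arg ;;
        esac
        case "$arg" in proxy|port-forward) mode=${mode:-$arg} ;; esac
        prev=$arg
    done
    if [ -z "$mode" ]; then verdict=n/a
    elif ! all_loopback "$addr"; then
        verdict=exposed
        if [ "$mode" = proxy ] && accepts_any_host "$hosts"; then verdict=exposed-any-host; fi
    fi
    set +f
    echo "$verdict"
}
# Constructed sample input: commands quoted on this page.
while IFS= read -r line; do
    printf '%-17s %s\n' "$(audit_kubectl_cmd "$line")" "$line"
done <<'EOF'
kubectl proxy --address 0.0.0.0 --accept-hosts '.*'
kubectl port-forward -n kubernetes-dashboard service/kubernetes-dashboard 8443:443 --address 0.0.0.0
kubectl proxy
EOF
```

A `kubectl proxy` listener forwards every request it accepts using the credentials in the kubeconfig (`kubernetes-admin` in the question), so `exposed-any-host` is the verdict to clear first.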