
Kubernetes Dashboard "is forbidden" all over the site

I get "is forbidden" all over the dashboard site in Kubernetes (see image).

To reproduce:

  1. Create a Google Kubernetes Cluster via the site, not from shell.

  2. Select Kubernetes version 1.8.6

  3. Open shell via the connect button: gcloud container clusters get-credentials cluster-1 --zone us-central1-a --project awear-cloud

  4. kubectl proxy

  5. echo http://127.0.0.1:8001/ui

  6. Click the link from echo

Note: also tried: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

Do you know why?

Chris G. asked Jan 25 '18 12:01


2 Answers

1 - Create a file sa.yaml and paste the contents below into it.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system

2 - Apply it - kubectl apply -f sa.yaml

3 - Create a file rbac.yaml and paste the contents below into it.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system

4 - Apply it - kubectl apply -f rbac.yaml

5 - Now, log in to your dashboard.

Let me know if this works.

Tushar Sonawane answered Sep 23 '22 13:09


It looks like your cluster is RBAC enabled and the dashboard is missing a service account defined in the dashboard pod(s). You should be able to easily mitigate this issue by adding this SA and its Roles/Bindings. Why it is not created in the first place is a mystery to me, unless you maybe specified something like, e.g., legacy auth.

Radek 'Goblin' Pieczonka answered Sep 20 '22 13:09