I deployed a Dashboard with: https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
I could create a user that can access the resources, but I have to log in with a token; I used: https://docs.aws.amazon.com/eks/latest/userguide/dashboard-tutorial.html
Then I wanted to log in without authentication, so I used:
kubectl patch deployment kubernetes-dashboard -n kubernetes-dashboard --type 'json' -p '[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--enable-skip-login"}]'
Then I can log in, skipping the authentication, but the default user (or Service Account?) can’t see any resource (nodes, pods, services…)
Can you help me give permissions to the default user?
Thanks.
I expect all resources to be shown on the Dashboard.
I am trying to create an endpoint for an API to be deployed into an existing GKE cluster by following the instructions in Getting started with Cloud Endpoints for GKE with ESPv2.
I cloned the sample code in the repo and modified the content of openapi.yaml:
# [START swagger]
swagger: "2.0"
info:
  description: "A simple Google Cloud Endpoints API example."
  title: "Endpoints Example"
  version: "1.0.0"
host: "my-api.endpoints.my-project.cloud.goog"
I then deployed it via the command:
endpoints/getting-started (master) $ gcloud endpoints services deploy openapi.yaml
Now I can see that it has been created:
$ gcloud endpoints services list
NAME TITLE
my-api.endpoints.my-project.cloud.goog
I also have a PostgreSQL service account:
$ gcloud iam service-accounts list
DISPLAY NAME EMAIL DISABLED
my-postgresql-service-account my-postgresql-service-acco#my-project.iam.gserviceaccount.com False
In the section Endpoint Service Configuration of documentation it says to add the role to the attached service account for the endpoint service as follows, but I get this error:
$ gcloud endpoints services add-iam-policy-binding my-api.endpoints.my-project.cloud.goog \
    --member serviceAccount:my-postgresql-service-acco#my-project.iam.gserviceaccount.com \
    --role roles/servicemanagement.serviceController
ERROR: (gcloud.endpoints.services.add-iam-policy-binding) User [myusername#mycompany.com] does not have permission to access services instance [my-api.endpoints.my-project.cloud.goog:getIamPolicy] (or it may not exist): No access to resource: services/my-api.my-project.cloud.goog
The previous lines show the service exists, I guess? Now I am not sure how to resolve this. What permissions do I need? Who can give me permission and what permissions should he have? How can I check? Is there any other solution?
The issue got resolved after I was assigned the role of "Project_Admin". It was not ideal as it was giving too much permission to me. The role "roles/endpoints.portalAdmin" was also tried but did not help.
Is it possible to configure a custom password for the Kubernetes dashboard when using eks without customizing "kube-apiserver"?
This URL mentions changes in "kube-apiserver"
https://techexpert.tips/kubernetes/kubernetes-dashboard-user-authentication/
In K8s, requests come as Authentication and Authorization (so the API server can determine if this user can perform the requested action). K8s doesn't have users, in the simple meaning of that word (Kubernetes users are just strings associated with a request through credentials). The credential strategy is a choice you make while you install the cluster (you can choose from x509, password files, Bearer tokens, etc.).
Without API K8s server automatically falls back to an anonymous user and there is no way to check if provided credentials are valid.
You can do something like this (not tested):
Create a new credential using OpenSSL
export NEW_CREDENTIAL=USER:$(echo PASSWORD | openssl passwd -apr1 -noverify -stdin)
Append the previously created credentials to /opt/bitnami/kubernetes/auth.
echo $NEW_CREDENTIAL | sudo tee -a /opt/kubernetes/auth
Replace the cluster basic-auth secret.
kubectl delete secret basic-auth -n kube-system
kubectl create secret generic basic-auth --from-file=/opt/kubernetes/auth -n kube-system
I just started using OpenShift and have permissions problems. I am on the free trial for OpenShift 4.3.3 and cannot get my containers to run as root. I am the only user on my instance and I have admin, but it says I need cluster-admin to run the containers as root?
I tried running:
oc policy add-role-to-group cluster-admin anyuid
and that returned:
Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io "cluster-admin" is forbidden: user "hustlin" (groups=["system:authenticated:oauth" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:["*"], Resources:["*"], Verbs:["*"]}
{NonResourceURLs:["*"], Verbs:["*"]}
Going through OpenShift Online -> Administrator view -> User Management -> Roles -> cluster-admin -> Role Bindings, it states:
Restricted Access
You don't have access to this section due to cluster policy.
Error details
rolebindings.rbac.authorization.k8s.io is forbidden: User "hustlin" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
I feel like it should not be this difficult for me to run a container as root. Just testing out OpenShift and I haven't been able to successfully run a single container on the platform, they all eventually go to CrashLoopBackOff.
Yes, I did try the:
oc login -u system:admin
command and it prompted me for my password before returning:
error: username system:admin is invalid for basic auth
I even tried following this guide from the OpenShift blog, but it would not recognize oadm.
There are many guides, answers, etc... that specifically show how to enable the kubernetes dashboard, and several that attempt to explain how to remotely access them, but many have an issue with regard to accepting the token once you get to the login screen.
The problem as I understand it is that the service does not (rightfully) accept remote tokens over http. Even though I can get to the login screen I can't get into the dashboard due to the inability to use the token. How can I get around this limitation?
Taken from https://www.edureka.co/community/31282/is-accessing-kubernetes-dashboard-remotely-possible:
You need to make the request from the remote host look like it's coming from a localhost (where the dashboard is running):
From the system running kubernetes / dashboard:
Deploy the dashboard UI:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta6/aio/deploy/recommended.yaml
Start the proxy:
kubectl proxy&
Create a secret:
kubectl create serviceaccount [account name]
kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=default:[account name]
kubectl get secret
kubectl describe secret [account name]
From the system you wish to access the dashboard:
Create an ssh tunnel to the remote system (the system running the dashboard):
ssh -L 9999:127.0.0.1:8001 -N -f -l [remote system username] [ip address of remote system] -p [port you are running ssh on]
You will likely need to enter a password unless you are using keys. Once you've done all this, from the system where you established the ssh connection, access http://localhost:9999/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
You can change the port 9999 to anything you'd like.
Once you open the browser url, copy the token from the "describe secret" step and paste it in.
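An added example, not part of the original answer or of the Dashboard project: a small audit over ClusterRoleBinding data that reports service accounts holding cluster-admin (as the dashboard-admin binding above does) and any binding granted to unauthenticated subjects. The sample JSON is constructed and its account names are assumptions; it mirrors the shape of `kubectl get clusterrolebindings -o json`.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`;
# the binding and account names are illustrative, not from a real cluster.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"metadata": {"name": "dashboard-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "dash-user",
                 "namespace": "default"}]},
  {"metadata": {"name": "dashboard-view"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                 "namespace": "kubernetes-dashboard"}]},
  {"metadata": {"name": "anon-view"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
  {"metadata": {"name": "orphaned"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}
]}
""")

BROAD_ROLES = {"cluster-admin"}
ANONYMOUS = {"system:anonymous", "system:unauthenticated"}

def audit_bindings(doc):
    """Return (binding, subject, reason) tuples for bindings worth reviewing."""
    findings = []
    for item in doc.get("items", []):
        binding = item["metadata"]["name"]
        role = item.get("roleRef", {}).get("name", "")
        # A binding with no remaining subjects has "subjects" absent or null.
        for subj in item.get("subjects") or []:
            kind, name = subj.get("kind"), subj.get("name", "")
            if kind == "ServiceAccount" and role in BROAD_ROLES:
                who = f"{subj.get('namespace', '')}/{name}"
                findings.append((binding, who, f"service account holds {role}"))
            elif name in ANONYMOUS:
                findings.append((binding, name, f"unauthenticated subject holds {role}"))
    return findings

if __name__ == "__main__":
    for binding, who, reason in audit_bindings(SAMPLE):
        print(f"{binding}: {who}: {reason}")
```

Against a live cluster, pass the parsed output of `kubectl get clusterrolebindings -o json` to `audit_bindings` in place of `SAMPLE`.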
I created a cluster with kubeadm (well it's just a single node / master for now) however I seem to be having issues with authenticating as the admin user.
KUBECONFIG=/etc/kubernetes/kubelet.conf kubectl get sa
No resources found.
Error from server (Forbidden): serviceaccounts is forbidden: User "system:node:osboxes" cannot list serviceaccounts in the namespace "default": disabled by feature gate TokenRequest
I'm assuming that is the admin user? If not, where can I find it / authenticate with it?
Found it: export KUBECONFIG=/etc/kubernetes/admin.conf