We Keep Coding

Docker registry created not accessible inside cluster

I am using a EKS cluster over aws
I have create docker registry as a deployment and then created a svc and an ingress over it
In the ingress , I have placed tls secrets for the ingress Host
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
nginx.org/client-max-body-size: "0"
creationTimestamp: "2021-06-18T05:10:02Z"
generation: 1
name: registry-ingress
namespace: devops
resourceVersion: "4126584"
selfLink: /apis/extensions/v1beta1/namespaces/devops/ingresses/registry-ingress
uid: d808177b-cb0b-4da2-82aa-5ab2f3c99109
spec:
rules:
- host: docker-registry.xxxx.com
http:
paths:
- backend:
serviceName: docker-registry
servicePort: 5000
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- docker-registry.xxxx.com
secretName: tls-registry
I have 4 worker nodes and a jump server
Issue I am facing is that I am able to access the docker registry on ingress address from the jump host but from worker nodes it is failing with error , so when i create any pods with images from registry they also fail with below error
Worker and Jump host are in same subnet
request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
I have tried placing the service IP and the registry ingress host in /etc/hosts copying the certs to /etc/docker.certs.d/registryname .
Any hint would be great
Cluster information:
Kubernetes version: v1.19.8-eks-96780e
kubectl version o/p :
Client Version: version.Info{Major:"1", Minor:"20+", GitVersion:"v1.20.4-eks-6b7464", GitCommit:"6b746440c04cb81db4426842b4ae65c3f7035e53", GitTreeState:"clean", BuildDate:"2021-03-19T19:35:50Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/arm64"}
Server Version: version.Info{Major:"1", Minor:"19+", GitVersion:"v1.19.8-eks-96780e", GitCommit:"96780e1b30acbf0a52c38b6030d7853e575bcdf3", GitTreeState:"clean", BuildDate:"2021-03-10T21:32:29Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}
Cloud being used: AWS
Installation method: EKS
EDIT 1
I checked on one worker node to find the CRI , kubelet process is as below , so I think CRI is docker
/usr/bin/kubelet --cloud-provider aws --config /etc/kubernetes/kubelet/kubelet-config.json --kubeconfig /var/lib/kubelet/kubeconfig --container-runtime docker
but i did see both dockerd and containerd processes running on the worker node.
Also on checking the docker service logs I got same error.
Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2021-06-14 08:31:57 UTC; 4 days ago
Docs: https://docs.docker.com
Process: 12574 ExecStartPre=/usr/libexec/docker/docker-setup-runtimes.sh (code=exited, status=0/SUCCESS)
Process: 12571 ExecStartPre=/bin/mkdir -p /run/docker (code=exited, status=0/SUCCESS)
Main PID: 12579 (dockerd)
Tasks: 23
Memory: 116.5M
CGroup: /system.slice/docker.service
└─12579 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
Jun 19 02:23:45 ip-xxxxx dockerd[12579]: time=“2021-06-19T02:23:45.876987774Z” level=error msg=“Handler for POST /v1.40/images/create returned error: Get https://xxxx: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)”

How to monitor application running in a Kubernetes cluster from a remote Promethues server

My goal is to monitor application running in a Kubernetes cluster from a remote Prometheus server. Based on: https://medium.com/#amjadhussain3751/monitor-remote-kubernetes-cluster-using-prometheus-a3781b041745
I did:
Create a service account which has permissions to read and watch the pods.
Generate token from the service account.
I put the token in the prometheus.yaml as describe in the post:
-------
- job_name: kubernetes-service-endpoints
scrape_interval: 15s
scrape_timeout: 10s
metrics_path: /metrics
scheme: http
kubernetes_sd_configs:
- api_server: http://kk-kk-0-73.mycompany.com:6443
role: endpoints
tls_config:
insecure_skip_verify: true
bearer_token: "ZXlKaGJHY2lP ......NJbk4xWWlJNkluTjVjM1JsYlRwelpYSjJhV05sWVdOamIzVnVkRHB0YjI1cGRHOXlhVzVuT25CeWIyMHRiVzl1TFdGalkzUWlmUS5WY2tCNlkxUVE1cmRUZGRLVGVnVzBRMVhfR0t1dFBKYWpybkNybnZLQkgtTjFlWjV0bklvcmJONFBXdTA3TWFNMXp2Z3pJd3JmS2h1RG02M0hyVkJocjA0QW5xY3FLXzBfTDE5cXc5TEUwX0pINXgycmhHeWtHc0Jmd0xTVWVSWTZCY1JES2d2TGJ5QmhIVG1qU0QxcjRHUXI0TVlvSmtldUk5bTNpdG9hX2ZqLVpaNjVCNll2eUVFOUxLQ01RWVpNV1FZczgteE1hWUJYejUwQXdnSElPS3E3NEpuNkdFODB4cjRMZUpYNXMwbDUzTmpIY3FPMVRGMDBfbDM1VnZpSlZqR3VXNmNFRXhYaDhNZ3RNV3M3SlQ0a0pvNkFDNWhCLW1VQjJtNHJlLXMxcU1qNVc5X2FRZ2dGc3gtNGlKU285bG0zRi15SS1uNFg3YVFnbGNWQ3c="
namespaces:
names: []
bearer_token: "ZXlKaGJHY2l ..... 0T1RjMk9TSXNJbk4xWWlJNkluTjVjM1JsYlRwelpYSjJhV05sWVdOamIzVnVkRHB0YjI1cGRHOXlhVzVuT25CeWIyMHRiVzl1TFdGalkzUWlmUS5WY2tCNlkxUVE1cmRUZGRLVGVnVzBRMVhfR0t1dFBKYWpybkNybnZLQkgtTjFlWjV0bklvcmJONFBXdTA3TWFNMXp2Z3pJd3JmS2h1RG02M0hyVkJocjA0QW5xY3FLXzBfTDE5cXc5TEUwX0pINXgycmhHeWtHc0Jmd0xTVWVSWTZCY1JES2d2TGJ5QmhIVG1qU0QxcjRHUXI0TVlvSmtldUk5bTNpdG9hX2ZqLVpaNjVCNll2eUVFOUxLQ01RWVpNV1FZczgteE1hWUJYejUwQXdnSElPS3E3NEpuNkdFODB4cjRMZUpYNXMwbDUzTmpIY3FPMVRGMDBfbDM1VnZpSlZqR3VXNmNFRXhYaDhNZ3RNV3M3SlQ0a0pvNkFDNWhCLW1VQjJtNHJlLXMxcU1qNVc5X2FRZ2dGc3gtNGlKU285bG0zRi15SS1uNFg3YVFnbGNWQ3c="
relabel_configs:
----
When I start my prometheus, I got errors as the followings
---
level=error ts=2021-04-29T20:51:27.255Z caller=klog.go:104 component=k8s_client_runtime func=Errorf msg="Unexpected error when reading response body: read tcp pm.pm.pm.15:51652->kk.kk.0.73:6443: read: connection reset by peer"
level=error ts=2021-04-29T20:51:27.256Z caller=klog.go:96 component=k8s_client_runtime func=ErrorDepth msg="pkg/mod/k8s.io/client-go#v0.20.2/tools/cache/reflector.go:167: Failed to watch *v1.Pod: failed to list *v1.Pod: unexpected error when reading response body. Please retry. Original error: read tcp pm.pm.pm.15:51652->kk.kk.0.73:6443: read: connection reset by peer"
level=debug ts=2021-04-29T20:51:27.445Z caller=klog.go:55 component=k8s_client_runtime func=Verbose.Infof msg="Listing and watching *v1.Endpoints from pkg/mod/k8s.io/client-go#v0.20.2/tools/cache/reflector.go:167"
level=debug ts=2021-04-29T20:51:27.495Z caller=klog.go:72 component=k8s_client_runtime func=Infof msg="GET http://kk.kk.0-73.mycommany.com:6443/api/v1/endpoints?limit=500&resourceVersion=0 400 Bad Request in 49 milliseconds"
level=error ts=2021-04-29T20:51:27.495Z caller=klog.go:104 component=k8s_client_runtime func=Errorf msg="Unexpected error when reading response body: read tcp pm.pm.pm.15:51654->kk.kk.0.73:6443: read: connection reset by peer"
level=error ts=2021-04-29T20:51:27.495Z caller=klog.go:96 component=k8s_client_runtime func=ErrorDepth msg="pkg/mod/k8s.io/client-go#v0.20.2/tools/cache/reflector.go:167: Failed to watch *v1.Endpoints: failed to list *v1.Endpoints: unexpected error when reading response body. Please retry. Original error: read tcp pm.pm.pm.15:51654->kk.kk.0.73:6443: read: connection reset by peer"
---
Note: the following represents the ip address of my prometheus server and k8s master node ip
prometheus server ip: pm.pm.pm.15
K8s cluster master node ip: kk.kk.0.73
btw telnet from pm.pm.pm.15 to kk.kk.0.73:6443 is good.
Did I set the parameters correctly? How to troubleshoot? Any suggestions appreciated.
-dsun
some contents of my object config yaml
--- service_account.yaml ---
apiVersion: v1
kind: ServiceAccount
metadata:
name: prom-mon-acct
namespace: monitoring
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: prometheus-mon-acct-rb
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: prometheus
subjects:
- kind: ServiceAccount
name: prom-mon-acct
namespace: monitoring
----cluster_role.yaml ---
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: prometheus
rules:
- apiGroups: [""]
resources:
- nodes
- nodes/proxy
- services
- endpoints
- pods
verbs: ["get", "list", "watch"]
- apiGroups:
- extensions
resources:
- ingresses
verbs: ["get", "list", "watch"]
- nonResourceURLs: ["/metrics"]
verbs: ["get"]
---
[update 1]
last few line from: kubectl logs kube-apiserver-kk-kk-0-73.mycomoany.com -n kube-system
....
I0429 22:30:36.256704 1 clientconn.go:948] ClientConn switching balancer to "pick_first"
I0429 22:31:18.638120 1 client.go:360] parsed scheme: "passthrough"
I0429 22:31:18.638164 1 passthrough.go:48] ccResolverWrapper: sending update to cc: {[{https://127.0.0.1:2379 <nil> 0 <nil>}] <nil> <nil>}
I0429 22:31:18.638175 1 clientconn.go:948] ClientConn switching balancer to "pick_first"
I0429 22:31:56.333614 1 client.go:360] parsed scheme: "passthrough"
I0429 22:31:56.333660 1 passthrough.go:48] ccResolverWrapper: sending update to cc: {[{https://127.0.0.1:2379 <nil> 0 <nil>}] <nil> <nil>}
I0429 22:31:56.333671 1 clientconn.go:948] ClientConn switching balancer to "pick_first"
I0429 22:32:38.907517 1 client.go:360] parsed scheme: "passthrough"
I0429 22:32:38.907560 1 passthrough.go:48] ccResolverWrapper: sending update to cc: {[{https://127.0.0.1:2379 <nil> 0 <nil>}] <nil> <nil>}
I0429 22:32:38.907570 1 clientconn.go:948] ClientConn switching balancer to "pick_first"
I0429 22:33:14.696739 1 client.go:360] parsed scheme: "passthrough"
I0429 22:33:14.696781 1 passthrough.go:48] ccResolverWrapper: sending update to cc: {[{https://127.0.0.1:2379 <nil> 0 <nil>}] <nil> <nil>}
I0429 22:33:14.696792 1 clientconn.go:948] ClientConn switching balancer to "pick_first"
[update 2]
test with: # curl -X GET $YOUR_API_SERVER/api --header "Authorization: Bearer $YOUR_TOKEN" and using https instead of http
NAMESPACE NAME TYPE DATA AGE
default default-token-j2bvm kubernetes.io/service-account-token 3 4d14h ---> token from this account is working with curl api server, but don't have list pod privs
monitoring prom-mon-acct-token-4fchr kubernetes.io/service-account-token 3 19h ---> token from this service account not working with curl api server
I know prom-mon-acct service account has list pod privs, need to figure out how to make it able to talk to API.

Kubernetes nginx ingress controller kills connections

I am a newbie to k8s and I am trying to deploy a private docker registry in Kubernetes.
The problem is that whenever I have to upload a heavy image (1GB size) via docker push, the command eventually returns EOF.
Apparently, I believe the issue has to do with kubernetes ingress nginx controller.
I will provide you with some useful information, in case you need more, do not hesitate to ask:
Docker push (to internal k8s docker registry) fail:
[root#bastion ~]# docker push docker-registry.apps.kube.lab/example:stable
The push refers to a repository [docker-registry.apps.kube.lab/example]
c0acde035881: Pushed
f6d2683cee8b: Pushed
00b1a6ab6acd: Retrying in 1 second
28c41b4dd660: Pushed
36957997ca7a: Pushed
5c4d527d6b3a: Pushed
a933681cf349: Pushing [==================================================>] 520.4 MB
f49d20b92dc8: Retrying in 20 seconds
fe342cfe5c83: Retrying in 15 seconds
630e4f1da707: Retrying in 13 seconds
9780f6d83e45: Waiting
EOF
Ingress definition:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: docker-registry
namespace: docker-registry
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/proxy-connect-timeout: "86400"
nginx.ingress.kubernetes.io/proxy-read-timeout: "86400"
nginx.ingress.kubernetes.io/proxy-send-timeout: "86400"
spec:
rules:
- host: docker-registry.apps.kube.lab
http:
paths:
- backend:
serviceName: docker-registry
servicePort: 5000
path: /
Docker registry configuration (/etc/docker/registry/config.yml):
version: 0.1
log:
level: info
formatter: json
fields:
service: registry
storage:
redirect:
disable: true
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: /var/lib/registry
http:
addr: :5000
host: docker-registry.apps.kube.lab
headers:
X-Content-Type-Options: [nosniff]
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3
Docker registry logs:
{"go.version":"go1.11.2","http.request.host":"docker-registry.apps.kube.lab","http.request.id":"c079b639-0e8a-4a27-96fa-44c4c0182ff7","http.request.method":"HEAD","http.request.remoteaddr":"10.233.70.0","http.request.uri":"/v2/example/blobs/sha256:751620502a7a2905067c2f32d4982fb9b310b9808670ce82c0e2b40f5307a3ee","http.request.useragent":"docker/1.13.1 go/go1.10.3 kernel/3.10.0-1127.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \\(linux\\))","level":"debug","msg":"authorizing request","time":"2020-11-07T14:43:22.893626513Z","vars.digest":"sha256:751620502a7a2905067c2f32d4982fb9b310b9808670ce82c0e2b40f5307a3ee","vars.name":"example"}
{"go.version":"go1.11.2","http.request.host":"docker-registry.apps.kube.lab","http.request.id":"c079b639-0e8a-4a27-96fa-44c4c0182ff7","http.request.method":"HEAD","http.request.remoteaddr":"10.233.70.0","http.request.uri":"/v2/example/blobs/sha256:751620502a7a2905067c2f32d4982fb9b310b9808670ce82c0e2b40f5307a3ee","http.request.useragent":"docker/1.13.1 go/go1.10.3 kernel/3.10.0-1127.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \\(linux\\))","level":"debug","msg":"GetBlob","time":"2020-11-07T14:43:22.893751065Z","vars.digest":"sha256:751620502a7a2905067c2f32d4982fb9b310b9808670ce82c0e2b40f5307a3ee","vars.name":"example"}
{"go.version":"go1.11.2","http.request.host":"docker-registry.apps.kube.lab","http.request.id":"c079b639-0e8a-4a27-96fa-44c4c0182ff7","http.request.method":"HEAD","http.request.remoteaddr":"10.233.70.0","http.request.uri":"/v2/example/blobs/sha256:751620502a7a2905067c2f32d4982fb9b310b9808670ce82c0e2b40f5307a3ee","http.request.useragent":"docker/1.13.1 go/go1.10.3 kernel/3.10.0-1127.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \\(linux\\))","level":"debug","msg":"filesystem.GetContent(\"/docker/registry/v2/repositories/example/_layers/sha256/751620502a7a2905067c2f32d4982fb9b310b9808670ce82c0e2b40f5307a3ee/link\")","time":"2020-11-07T14:43:22.893942372Z","trace.duration":74122,"trace.file":"/go/src/github.com/docker/distribution/registry/storage/driver/base/base.go","trace.func":"github.com/docker/distribution/registry/storage/driver/base.(*Base).GetContent","trace.id":"11e24830-7d16-404a-90bc-8a738cab84ea","trace.line":95,"vars.digest":"sha256:751620502a7a2905067c2f32d4982fb9b310b9808670ce82c0e2b40f5307a3ee","vars.name":"example"}
{"err.code":"blob unknown","err.detail":"sha256:751620502a7a2905067c2f32d4982fb9b310b9808670ce82c0e2b40f5307a3ee","err.message":"blob unknown to registry","go.version":"go1.11.2","http.request.host":"docker-registry.apps.kube.lab","http.request.id":"c079b639-0e8a-4a27-96fa-44c4c0182ff7","http.request.method":"HEAD","http.request.remoteaddr":"10.233.70.0","http.request.uri":"/v2/example/blobs/sha256:751620502a7a2905067c2f32d4982fb9b310b9808670ce82c0e2b40f5307a3ee","http.request.useragent":"docker/1.13.1 go/go1.10.3 kernel/3.10.0-1127.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \\(linux\\))","http.response.contenttype":"application/json; charset=utf-8","http.response.duration":"1.88607ms","http.response.status":404,"http.response.written":157,"level":"error","msg":"response completed with error","time":"2020-11-07T14:43:22.894147954Z","vars.digest":"sha256:751620502a7a2905067c2f32d4982fb9b310b9808670ce82c0e2b40f5307a3ee","vars.name":"example"}
10.233.105.66 - - [07/Nov/2020:14:43:22 +0000] "HEAD /v2/example/blobs/sha256:751620502a7a2905067c2f32d4982fb9b310b9808670ce82c0e2b40f5307a3ee HTTP/1.1" 404 157 "" "docker/1.13.1 go/go1.10.3 kernel/3.10.0-1127.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \\(linux\\))"
I believe the issue has to do with ingress controller because when EOF error shows up, there is something weird in ingress-controller logs:
10.233.70.0 - - [07/Nov/2020:14:43:41 +0000] "PUT /v2/example/blobs/uploads/dab984a8-7e71-4481-91fb-af53c7790a20?_state=usMX2WH24Veunay0ozOF-RMZIUMNTFSC8MSPbMcxz-B7Ik5hbWUiOiJleGFtcGxlIiwiVVVJRCI6ImRhYjk4NGE4LTdlNzEtNDQ4MS05MWZiLWFmNTNjNzc5MGEyMCIsIk9mZnNldCI6NzgxMTczNywiU3RhcnRlZEF0IjoiMjAyMC0xMS0wN1QxNDo0MzoyOFoifQ%3D%3D&digest=sha256%3A101c41d0463bc77661fb3343235b16d536a92d2efb687046164d413e51bd4fc4 HTTP/1.1" 201 0 "-" "docker/1.13.1 go/go1.10.3 kernel/3.10.0-1127.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \x5C(linux\x5C))" 606 0.026 [docker-registry-docker-registry-5000] [] 10.233.70.84:5000 0 0.026 201 06304ff584d252812dff016374be73ae
172.16.1.123 - - [07/Nov/2020:14:43:42 +0000] "HEAD /v2/example/blobs/sha256:101c41d0463bc77661fb3343235b16d536a92d2efb687046164d413e51bd4fc4 HTTP/1.1" 200 0 "-" "docker/1.13.1 go/go1.10.3 kernel/3.10.0-1127.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \x5C(linux\x5C))" 299 0.006 [docker-registry-docker-registry-5000] [] 10.233.70.84:5000 0 0.006 200 a5a93c7b7f4644139fcb0697d3e5e43f
I1107 14:44:05.285478 6 main.go:184] "Received SIGTERM, shutting down"
I1107 14:44:05.285517 6 nginx.go:365] "Shutting down controller queues"
I1107 14:44:06.294533 6 status.go:132] "removing value from ingress status" address=[172.16.1.123]
I1107 14:44:06.306793 6 status.go:277] "updating Ingress status" namespace="kube-system" ingress="example-ingress" currentValue=[{IP:172.16.1.123 Hostname:}] newValue=[]
I1107 14:44:06.307650 6 status.go:277] "updating Ingress status" namespace="kubernetes-dashboard" ingress="dashboard" currentValue=[{IP:172.16.1.123 Hostname:}] newValue=[]
I1107 14:44:06.880987 6 status.go:277] "updating Ingress status" namespace="test-nfs" ingress="example-nginx" currentValue=[{IP:172.16.1.123 Hostname:}] newValue=[]
I1107 14:44:07.872659 6 status.go:277] "updating Ingress status" namespace="test-ingress" ingress="example-ingress" currentValue=[{IP:172.16.1.123 Hostname:}] newValue=[]
I1107 14:44:08.505295 6 queue.go:78] "queue has been shutdown, failed to enqueue" key="&ObjectMeta{Name:sync status,GenerateName:,Namespace:,SelfLink:,UID:,ResourceVersion:,Generation:0,CreationTimestamp:0001-01-01 00:00:00 +0000 UTC,DeletionTimestamp:<nil>,DeletionGracePeriodSeconds:nil,Labels:map[string]string{},Annotations:map[string]string{},OwnerReferences:[]OwnerReference{},Finalizers:[],ClusterName:,ManagedFields:[]ManagedFieldsEntry{},}"
I1107 14:44:08.713579 6 status.go:277] "updating Ingress status" namespace="docker-registry" ingress="docker-registry" currentValue=[{IP:172.16.1.123 Hostname:}] newValue=[]
I1107 14:44:09.772593 6 nginx.go:373] "Stopping admission controller"
I1107 14:44:09.772697 6 nginx.go:381] "Stopping NGINX process"
E1107 14:44:09.773208 6 nginx.go:314] "Error listening for TLS connections" err="http: Server closed"
2020/11/07 14:44:09 [notice] 114#114: signal process started
10.233.70.0 - - [07/Nov/2020:14:44:16 +0000] "PATCH /v2/example/blobs/uploads/adbe3173-9928-4eb5-97bb-7893970f032a?_state=nEr2ip9eoLNCTe8KQ6Ck7k3C8oS9IY7AnBOi1_f5mSl7Ik5hbWUiOiJleGFtcGxlIiwiVVVJRCI6ImFkYmUzMTczLTk5MjgtNGViNS05N2JiLTc4OTM5NzBmMDMyYSIsIk9mZnNldCI6MCwiU3RhcnRlZEF0IjoiMjAyMC0xMS0wN1QxNDo0MzoyOC45ODY3MTQwNTlaIn0%3D HTTP/1.1" 202 0 "-" "docker/1.13.1 go/go1.10.3 kernel/3.10.0-1127.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \x5C(linux\x5C))" 50408825 46.568 [docker-registry-docker-registry-5000] [] 10.233.70.84:5000 0 14.339 202 55d9cab4f915f54e5c130321db4dc8fc
10.233.70.0 - - [07/Nov/2020:14:44:19 +0000] "PATCH /v2/example/blobs/uploads/63d4a54a-cdfd-434b-ae63-dc434dcb15f9?_state=9UK7MRYJYST--u7BAUFTonCdPzt_EO2KyfJblVroBxd7Ik5hbWUiOiJleGFtcGxlIiwiVVVJRCI6IjYzZDRhNTRhLWNkZmQtNDM0Yi1hZTYzLWRjNDM0ZGNiMTVmOSIsIk9mZnNldCI6MCwiU3RhcnRlZEF0IjoiMjAyMC0xMS0wN1QxNDo0MzoyMy40MjIwMDI4NThaIn0%3D HTTP/1.1" 202 0 "-" "docker/1.13.1 go/go1.10.3 kernel/3.10.0-1127.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \x5C(linux\x5C))" 51842691 55.400 [docker-registry-docker-registry-5000] [] 10.233.70.84:5000 0 18.504 202 1f1de1ae89caa8540b6fd13ea5b165ab
10.233.70.0 - - [07/Nov/2020:14:44:50 +0000] "PATCH /v2/example/blobs/uploads/0c97923d-ed9f-4599-8a50-f2c21cfe85fe?_state=WmIRW_3owlin1zo4Ms98UwaMGf1D975vUuzbk1JWRuN7Ik5hbWUiOiJleGFtcGxlIiwiVVVJRCI6IjBjOTc5MjNkLWVkOWYtNDU5OS04YTUwLWYyYzIxY2ZlODVmZSIsIk9mZnNldCI6MCwiU3RhcnRlZEF0IjoiMjAyMC0xMS0wN1QxNDo0MzoyMC41ODA5MjUyNDlaIn0%3D HTTP/1.1" 202 0 "-" "docker/1.13.1 go/go1.10.3 kernel/3.10.0-1127.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \x5C(linux\x5C))" 192310965 89.937 [docker-registry-docker-registry-5000] [] 10.233.70.84:5000 0 22.847 202 d8971d2f543e936c2f805d5b257f1130
I1107 14:44:50.832669 6 nginx.go:394] "NGINX process has stopped"
I1107 14:44:50.832703 6 main.go:192] "Handled quit, awaiting Pod deletion"
I1107 14:45:00.832892 6 main.go:195] "Exiting" code=0
[root#bastion registry]#
After that happens, ingres-controller pod is not ready, and after some seconds it is again ready.
Is it to do with config reload of kubernetes nginx ingress controller? In such case, do I have to add any special variable to nginx.conf?
Any help is welcome! Kind regards!
EDIT
The moment EOF appears, ingress-nginx crashes, and pods become not ready.
[root#bastion ~]# kubectl get po
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create-lbmd6 0/1 Completed 0 5d4h
ingress-nginx-admission-patch-btv27 0/1 Completed 0 5d4h
ingress-nginx-controller-7dcc8d6478-n8dkx 0/1 Running 3 15m
Warning Unhealthy 29s (x8 over 2m39s) kubelet Liveness probe failed: Get http://10.233.70.100:10254/healthz: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
As a consequence, any of my applications are not reachable:
[root#bastion ~]# curl http://hello-worrld.apps.kube.lab
Hello, world!
Version: 1.0.0
Hostname: web-6785d44d5-4r5q5
[root#bastion ~]# date
sáb nov 7 18:58:16 -01 2020
[root#bastion ~]# curl http://hello-worrld.apps.kube.lab
curl: (52) Empty reply from server
[root#bastion ~]# date
sáb nov 7 18:58:53 -01 2020
Is the issue to do with performance of nginx? If so, what options would you recommend me to tweak ingress-nginx?

You should try another Docker registry to ensure its actually caused by ingress. It does not make sense why ingress would fail due to an image size.
You can try JFrog JCR which is free and you could then deploy JCR into your kubernetes and expose it via a LoadBalancer (external ip) or ingress.
You then have the option to verify this way that it is really an ingress issue as you can push a docker image via LoadBalancer (external ip) and if that works but ingress fails you know this is specifically caused by your ingress.
JFrog JCR is also free and available at chartcenter here

Kubernetes - Ingress: Error: connect ECONNREFUSED 127.0.0.1:80

I am trying to run ingress on minikube.
I am running on Ubnutu 18.04.
I am interested in nginx-ingress from:
https://kubernetes.github.io/ingress-nginx/deploy/
I have simple test service which is running on port 3000 inside docker container. This container is pushed to docker hub. I have simple get request there:
app.get('/api/users/currentuser', (req, res) => {
res.send('Hi there!');
});
Steps I've done: minikube start then minikube addons enable ingress after that I got message from minikube:
🔎 Verifying ingress addon...
🌟 The 'ingress' addon is enabled
but still when I am trying to verify if it is running I don't think that this is working fine:
Output from kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-66bff467f8-bhqnk 1/1 Running 4 2d8h
etcd-minikube 1/1 Running 4 2d8h
ingress-nginx-admission-create-676jc 0/1 Completed 0 168m
ingress-nginx-admission-patch-bwf7x 0/1 Completed 0 168m
ingress-nginx-controller-7bb4c67d67-x5qzl 1/1 Running 3 168m
kube-apiserver-minikube 1/1 Running 4 2d8h
kube-controller-manager-minikube 1/1 Running 4 2d8h
kube-proxy-jg2jz 1/1 Running 4 2d8h
kube-scheduler-minikube 1/1 Running 4 2d8h
storage-provisioner 1/1 Running 6 2d8h
There is also no information about ingress when doing kubectl get pods
NAME READY STATUS RESTARTS AGE
auth-depl-7dff4bb675-bpzfh 1/1 Running 0 4m58s
I am running services via skaffold using command skaffold dev
configuration of ingress service looks like:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-service
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/use-regex: 'true'
spec:
rules:
- host: kube-test.dev
http:
paths:
- path: /api/users/?(.*)
backend:
serviceName: auth-srv
servicePort: 3000
which points to deployment file of (host of kube-test.dev is just mapped to localhost in /etc/hosts):
apiVersion: apps/v1
kind: Deployment
metadata:
name: auth-depl
spec:
replicas: 1
selector:
matchLabels:
app: auth
template:
metadata:
labels:
app: auth
spec:
containers:
- name: auth
image: geborskimateusz/auth
---
apiVersion: v1
kind: Service
metadata:
name: auth-srv
spec:
selector:
app: auth
ports:
- name: auth
protocol: TCP
port: 3000
targetPort: 3000
what is more if this does matter skaffold config looks like:
apiVersion: skaffold/v2alpha3
kind: Config
deploy:
kubectl:
manifests:
- ./infra/k8s/*
build:
local:
push: false
artifacts:
- image: geborskimateusz/auth
context: auth
docker:
dockerfile: Dockerfile
sync:
manual:
- src: 'src/**/*.ts'
dest: .
Any ideas here? I was running similar config on mac and it worked fine, this looks more like ingress addon problem. Any ideas here?
when I hit kube-test.dev/api/users/currentuser I get:
Error: connect ECONNREFUSED 127.0.0.1:80
and hosts file:
127.0.0.1 localhost
127.0.1.1 mat-5474
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
127.0.0.1 kube-test.dev
EDIT
kubectl describe pods auth-depl-6845657cbc-kqdm8
Name: auth-depl-6845657cbc-kqdm8
Namespace: default
Priority: 0
Node: minikube/192.168.99.100
Start Time: Tue, 14 Jul 2020 09:51:03 +0200
Labels: app=auth
app.kubernetes.io/managed-by=skaffold-v1.12.0
pod-template-hash=6845657cbc
skaffold.dev/builder=local
skaffold.dev/cleanup=true
skaffold.dev/deployer=kubectl
skaffold.dev/docker-api-version=1.40
skaffold.dev/run-id=fcdee662-da9c-48ab-aab0-a6ed0ecef301
skaffold.dev/tag-policy=git-commit
skaffold.dev/tail=true
Annotations: <none>
Status: Running
IP: 172.17.0.4
IPs:
IP: 172.17.0.4
Controlled By: ReplicaSet/auth-depl-6845657cbc
Containers:
auth:
Container ID: docker://674d4aae381431ff124c8533250a6206d044630135854e43ac70f2830764ce0a
Image: geborskimateusz/auth:2d55de4779465ed71686bffc403e6ad7cfef717e7d297ec90ef50a363dc5d3c7
Image ID: docker://sha256:2d55de4779465ed71686bffc403e6ad7cfef717e7d297ec90ef50a363dc5d3c7
Port: <none>
Host Port: <none>
State: Running
Started: Tue, 14 Jul 2020 09:51:04 +0200
Ready: True
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from default-token-pcj8j (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
default-token-pcj8j:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-pcj8j
Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled <unknown> default-scheduler Successfully assigned default/auth-depl-6845657cbc-kqdm8 to minikube
Normal Pulled 47s kubelet, minikube Container image "geborskimateusz/auth:2d55de4779465ed71686bffc403e6ad7cfef717e7d297ec90ef50a363dc5d3c7" already present on machine
Normal Created 47s kubelet, minikube Created container auth
Normal Started 47s kubelet, minikube Started container auth
EDIT 2
kubectl logs ingress-nginx-controller-7bb4c67d67-x5qzl -n kube-system
W0714 07:49:38.776541 6 flags.go:249] SSL certificate chain completion is disabled (--enable-ssl-chain-completion=false)
W0714 07:49:38.776617 6 client_config.go:543] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
I0714 07:49:38.777097 6 main.go:220] Creating API client for https://10.96.0.1:443
-------------------------------------------------------------------------------
NGINX Ingress controller
Release: 0.32.0
Build: git-446845114
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.17.10
-------------------------------------------------------------------------------
I0714 07:49:38.791783 6 main.go:264] Running in Kubernetes cluster version v1.18 (v1.18.3) - git (clean) commit 2e7996e3e2712684bc73f0dec0200d64eec7fe40 - platform linux/amd64
I0714 07:49:39.007305 6 main.go:105] SSL fake certificate created /etc/ingress-controller/ssl/default-fake-certificate.pem
I0714 07:49:39.008092 6 main.go:113] Enabling new Ingress features available since Kubernetes v1.18
W0714 07:49:39.010806 6 main.go:125] No IngressClass resource with name nginx found. Only annotation will be used.
I0714 07:49:39.022204 6 ssl.go:528] loading tls certificate from certificate path /usr/local/certificates/cert and key path /usr/local/certificates/key
I0714 07:49:39.058275 6 nginx.go:263] Starting NGINX Ingress controller
I0714 07:49:39.076400 6 event.go:278] Event(v1.ObjectReference{Kind:"ConfigMap", Namespace:"kube-system", Name:"nginx-load-balancer-conf", UID:"3af0b029-24c9-4033-8d2a-de7a15b62464", APIVersion:"v1", ResourceVersion:"2007", FieldPath:""}): type: 'Normal' reason: 'CREATE' ConfigMap kube-system/nginx-load-balancer-conf
I0714 07:49:39.076438 6 event.go:278] Event(v1.ObjectReference{Kind:"ConfigMap", Namespace:"kube-system", Name:"tcp-services", UID:"bbd76f82-e3b3-42f8-8098-54a87beb34fe", APIVersion:"v1", ResourceVersion:"2008", FieldPath:""}): type: 'Normal' reason: 'CREATE' ConfigMap kube-system/tcp-services
I0714 07:49:39.076447 6 event.go:278] Event(v1.ObjectReference{Kind:"ConfigMap", Namespace:"kube-system", Name:"udp-services", UID:"21710ee0-4b23-4669-b265-8bf5be662871", APIVersion:"v1", ResourceVersion:"2009", FieldPath:""}): type: 'Normal' reason: 'CREATE' ConfigMap kube-system/udp-services
I0714 07:49:40.260006 6 nginx.go:307] Starting NGINX process
I0714 07:49:40.261693 6 leaderelection.go:242] attempting to acquire leader lease kube-system/ingress-controller-leader-nginx...
I0714 07:49:40.262598 6 nginx.go:327] Starting validation webhook on :8443 with keys /usr/local/certificates/cert /usr/local/certificates/key
I0714 07:49:40.262974 6 controller.go:139] Configuration changes detected, backend reload required.
I0714 07:49:40.302595 6 leaderelection.go:252] successfully acquired lease kube-system/ingress-controller-leader-nginx
I0714 07:49:40.304129 6 status.go:86] new leader elected: ingress-nginx-controller-7bb4c67d67-x5qzl
I0714 07:49:40.437999 6 controller.go:155] Backend successfully reloaded.
I0714 07:49:40.438145 6 controller.go:164] Initial sync, sleeping for 1 second.
W0714 07:51:03.723044 6 controller.go:909] Service "default/auth-srv" does not have any active Endpoint.
I0714 07:51:03.765397 6 main.go:115] successfully validated configuration, accepting ingress ingress-service in namespace default
I0714 07:51:03.771212 6 event.go:278] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"ingress-service", UID:"96ec6e26-2354-46c9-be45-ca17a5f1a6f3", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"3991", FieldPath:""}): type: 'Normal' reason: 'CREATE' Ingress default/ingress-service
I0714 07:51:07.032427 6 controller.go:139] Configuration changes detected, backend reload required.
I0714 07:51:07.115511 6 controller.go:155] Backend successfully reloaded.
I0714 07:51:40.319830 6 status.go:275] updating Ingress default/ingress-service status from [] to [{192.168.99.100 }]
I0714 07:51:40.332044 6 event.go:278] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"ingress-service", UID:"96ec6e26-2354-46c9-be45-ca17a5f1a6f3", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"4011", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress default/ingress-service
W0714 07:55:28.215453 6 controller.go:822] Error obtaining Endpoints for Service "default/auth-srv": no object matching key "default/auth-srv" in local store
I0714 07:55:28.215542 6 controller.go:139] Configuration changes detected, backend reload required.
I0714 07:55:28.234472 6 event.go:278] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"ingress-service", UID:"96ec6e26-2354-46c9-be45-ca17a5f1a6f3", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"4095", FieldPath:""}): type: 'Normal' reason: 'DELETE' Ingress default/ingress-service
I0714 07:55:28.297582 6 controller.go:155] Backend successfully reloaded.
I0714 07:55:31.549294 6 controller.go:139] Configuration changes detected, backend reload required.
I0714 07:55:31.653169 6 controller.go:155] Backend successfully reloaded.
W0714 08:25:53.145312 6 controller.go:909] Service "default/auth-srv" does not have any active Endpoint.
I0714 08:25:53.188326 6 main.go:115] successfully validated configuration, accepting ingress ingress-service in namespace default
I0714 08:25:53.191134 6 event.go:278] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"ingress-service", UID:"4ac33fc5-ae7a-4511-922f-7e6bdc1fe4d5", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"4124", FieldPath:""}): type: 'Normal' reason: 'CREATE' Ingress default/ingress-service
I0714 08:25:54.270931 6 status.go:275] updating Ingress default/ingress-service status from [] to [{192.168.99.100 }]
I0714 08:25:54.278468 6 event.go:278] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"ingress-service", UID:"4ac33fc5-ae7a-4511-922f-7e6bdc1fe4d5", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"4136", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress default/ingress-service
I0714 08:25:56.460808 6 controller.go:139] Configuration changes detected, backend reload required.
I0714 08:25:56.530559 6 controller.go:155] Backend successfully reloaded.
kubectl describe svc auth-srv
Name: auth-srv
Namespace: default
Labels: app.kubernetes.io/managed-by=skaffold-v1.12.0
skaffold.dev/builder=local
skaffold.dev/cleanup=true
skaffold.dev/deployer=kubectl
skaffold.dev/docker-api-version=1.40
skaffold.dev/run-id=19ab20fe-baa5-4faf-a478-c1bad98a22b1
skaffold.dev/tag-policy=git-commit
skaffold.dev/tail=true
Annotations: Selector: app=auth
Type: ClusterIP
IP: 10.99.52.173
Port: auth 3000/TCP
TargetPort: 3000/TCP
Endpoints: 172.17.0.4:3000
Session Affinity: None
Events: <none>

run minikube ip.
You will get an ip address, copy paste in etc/hosts file for kube-test.dev

You've mentioned that you are (1) using minikube on Ubuntu, and (2) launching with minikube start. So it's almost certain that minikube is launching a VM (VirtualBox) to run Kubernetes, and thus your containers are not available through localhost.
There are a few ways to access your applications running within minikube. Minikube has a few options of its own. You can try proxying connections to your local box with kubectl proxy. AndSkaffold also supports port-forwarding individual services, etc. too. I'm actually not sure which is the best to use with Istio.

Please check the microk8s documentation page
you need to enable/install ingress-nginx

kubernetes dashboard error : 'Metric client health check failed: the server could not find the requested resource (get services heapster).'

I'm new in kubernetes world, so forgive me if i'm writing mistake. I'm trying to deploy kubernetes dashboard
My cluster is containing three masters and 3 workers drained and not schedulable in order to install dashboard to masters nodes :
[root#pp-tmp-test20 ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
pp-tmp-test20 Ready master 2d2h v1.15.2
pp-tmp-test21 Ready master 37h v1.15.2
pp-tmp-test22 Ready master 37h v1.15.2
pp-tmp-test23 Ready,SchedulingDisabled worker 36h v1.15.2
pp-tmp-test24 Ready,SchedulingDisabled worker 36h v1.15.2
pp-tmp-test25 Ready,SchedulingDisabled worker 36h v1.15.2
I'm trying to deploy kubernetes dashboard via this url :
[root#pp-tmp-test20 ~]# kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
After this, a pod kubernetes-dashboard-5698d5bc9-ql6q8 is scheduled on my master node pp-tmp-test20/172.31.68.220
the pod
kube-system kubernetes-dashboard-5698d5bc9-ql6q8 /1 Running 1 7m11s 10.244.0.7 pp-tmp-test20 <none> <none>
the pod's logs
[root#pp-tmp-test20 ~]# kubectl logs kubernetes-dashboard-5698d5bc9-ql6q8 -n kube-system
2019/08/14 10:14:57 Starting overwatch
2019/08/14 10:14:57 Using in-cluster config to connect to apiserver
2019/08/14 10:14:57 Using service account token for csrf signing
2019/08/14 10:14:58 Successful initial request to the apiserver, version: v1.15.2
2019/08/14 10:14:58 Generating JWE encryption key
2019/08/14 10:14:58 New synchronizer has been registered: kubernetes-dashboard-key-holder-kube-system. Starting
2019/08/14 10:14:58 Starting secret synchronizer for kubernetes-dashboard-key-holder in namespace kube-system
2019/08/14 10:14:59 Initializing JWE encryption key from synchronized object
2019/08/14 10:14:59 Creating in-cluster Heapster client
2019/08/14 10:14:59 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.
2019/08/14 10:14:59 Auto-generating certificates
2019/08/14 10:14:59 Successfully created certificates
2019/08/14 10:14:59 Serving securely on HTTPS port: 8443
2019/08/14 10:15:29 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.
2019/08/14 10:15:59 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.
the describe of the pod
[root#pp-tmp-test20 ~]# kubectl describe pob kubernetes-dashboard-5698d5bc9-ql6q8 -n kube-system
Name: kubernetes-dashboard-5698d5bc9-ql6q8
Namespace: kube-system
Priority: 0
Node: pp-tmp-test20/172.31.68.220
Start Time: Wed, 14 Aug 2019 16:58:39 +0200
Labels: k8s-app=kubernetes-dashboard
pod-template-hash=5698d5bc9
Annotations: <none>
Status: Running
IP: 10.244.0.7
Controlled By: ReplicaSet/kubernetes-dashboard-5698d5bc9
Containers:
kubernetes-dashboard:
Container ID: docker://40edddf7a9102d15e3b22f4bc6f08b3a07a19e4841f09360daefbce0486baf0e
Image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
Image ID: docker-pullable://k8s.gcr.io/kubernetes-dashboard-amd64#sha256:0ae6b69432e78069c5ce2bcde0fe409c5c4d6f0f4d9cd50a17974fea38898747
Port: 8443/TCP
Host Port: 0/TCP
Args:
--auto-generate-certificates
State: Running
Started: Wed, 14 Aug 2019 16:58:43 +0200
Last State: Terminated
Reason: Error
Exit Code: 1
Started: Wed, 14 Aug 2019 16:58:41 +0200
Finished: Wed, 14 Aug 2019 16:58:42 +0200
Ready: True
Restart Count: 1
Liveness: http-get https://:8443/ delay=30s timeout=30s period=10s #success=1 #failure=3
Environment: <none>
Mounts:
/certs from kubernetes-dashboard-certs (rw)
/tmp from tmp-volume (rw)
/var/run/secrets/kubernetes.io/serviceaccount from kubernetes-dashboard-token-ptw78 (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
kubernetes-dashboard-certs:
Type: Secret (a volume populated by a Secret)
SecretName: kubernetes-dashboard-certs
Optional: false
tmp-volume:
Type: EmptyDir (a temporary directory that shares a pod's lifetime)
Medium:
SizeLimit: <unset>
kubernetes-dashboard-token-ptw78:
Type: Secret (a volume populated by a Secret)
SecretName: kubernetes-dashboard-token-ptw78
Optional: false
QoS Class: BestEffort
Node-Selectors: dashboard=true
Tolerations: node-role.kubernetes.io/master:NoSchedule
node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 2m41s default-scheduler Successfully assigned kube-system/kubernetes-dashboard-5698d5bc9-ql6q8 to pp-tmp-test20.tec.prj.in.phm.education.gouv.fr
Normal Pulled 2m38s (x2 over 2m40s) kubelet, pp-tmp-test20 Container image "k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1" already present on machine
Normal Created 2m37s (x2 over 2m39s) kubelet, pp-tmp-test20 Created container kubernetes-dashboard
Normal Started 2m37s (x2 over 2m39s) kubelet, pp-tmp-test20 Started container kubernetes-dashboard
the describe of the dashboard service
[root#pp-tmp-test20 ~]# kubectl describe svc/kubernetes-dashboard -n kube-system
Name: kubernetes-dashboard
Namespace: kube-system
Labels: k8s-app=kubernetes-dashboard
Annotations: <none>
Selector: k8s-app=kubernetes-dashboard
Type: ClusterIP
IP: 10.110.236.88
Port: <unset> 443/TCP
TargetPort: 8443/TCP
Endpoints: 10.244.0.7:8443
Session Affinity: None
Events: <none>
the docker ps on my master running the pod
[root#pp-tmp-test20 ~]# Docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
40edddf7a910 f9aed6605b81 "/dashboard --inse..." 7 minutes ago Up 7 minutes k8s_kubernetes-dashboard_kubernetes-dashboard-5698d5bc9-ql6q8_kube-system_f785d4bd-2e67-4daa-9f6c-19f98582fccb_1
e7f3820f1cf2 k8s.gcr.io/pause:3.1 "/pause" 7 minutes ago Up 7 minutes k8s_POD_kubernetes-dashboard-5698d5bc9-ql6q8_kube-system_f785d4bd-2e67-4daa-9f6c-19f98582fccb_0
[root#pp-tmp-test20 ~]# docker logs 40edddf7a910
2019/08/14 14:58:43 Starting overwatch
2019/08/14 14:58:43 Using in-cluster config to connect to apiserver
2019/08/14 14:58:43 Using service account token for csrf signing
2019/08/14 14:58:44 Successful initial request to the apiserver, version: v1.15.2
2019/08/14 14:58:44 Generating JWE encryption key
2019/08/14 14:58:44 New synchronizer has been registered: kubernetes-dashboard-key-holder-kube-system. Starting
2019/08/14 14:58:44 Starting secret synchronizer for kubernetes-dashboard-key-holder in namespace kube-system
2019/08/14 14:58:44 Initializing JWE encryption key from synchronized object
2019/08/14 14:58:44 Creating in-cluster Heapster client
2019/08/14 14:58:44 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.
2019/08/14 14:58:44 Auto-generating certificates
2019/08/14 14:58:44 Successfully created certificates
2019/08/14 14:58:44 Serving securely on HTTPS port: 8443
2019/08/14 14:59:14 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.
2019/08/14 14:59:44 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.
2019/08/14 15:00:14 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.
1/ On my master I start the proxy
[root#pp-tmp-test20 ~]# kubectl proxy
Starting to serve on 127.0.0.1:8001
2/ I launch firefox with x11 redirect from my master and hit this url
http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
this is the error message I get in the browser
Error: 'dial tcp 10.244.0.7:8443: connect: no route to host'
Trying to reach: 'https://10.244.0.7:8443/'
In the same time i got these errors from the console where I launched the proxy
I0814 16:10:05.836114 20240 log.go:172] http: proxy error: context canceled
I0814 16:10:06.198701 20240 log.go:172] http: proxy error: context canceled
I0814 16:13:21.708190 20240 log.go:172] http: proxy error: unexpected EOF
I0814 16:13:21.708229 20240 log.go:172] http: proxy error: unexpected EOF
I0814 16:13:21.708270 20240 log.go:172] http: proxy error: unexpected EOF
I0814 16:13:39.335483 20240 log.go:172] http: proxy error: context canceled
I0814 16:13:39.716360 20240 log.go:172] http: proxy error: context canceled
but after refresh n times (randomly) the browser I'm able to reach the login interface to enter the token (created before)
Dashboard_login
But... the same error occur again
Dashboard_login_error
After hit n times the 'sign in' button I'm able to get the dashboard.. for few seconds.
dashboard_interface_1
dashboard_interface_2
after that the dashboard start to produce the same errors when I'm am exploring the interface:
dashboard_interface_error_1
dashboard_interface_error_2
I looked the pod logs, we can see some trafic :
[root#pp-tmp-test20 ~]# kubectl logs kubernetes-dashboard-5698d5bc9-ql6q8 -n kube-system
2019/08/14 14:16:56 Getting list of all services in the cluster
2019/08/14 14:16:56 [2019-08-14T14:16:56Z] Outcoming response to 10.244.0.1:56140 with 200 status code
2019/08/14 14:17:01 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.
2019/08/14 14:17:22 [2019-08-14T14:17:22Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.244.0.1:56140: {}
2019/08/14 14:17:22 [2019-08-14T14:17:22Z] Outcoming response to 10.244.0.1:56140 with 200 status code
2019/08/14 14:17:22 [2019-08-14T14:17:22Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/token request from 10.244.0.1:56140: {}
2019/08/14 14:17:22 [2019-08-14T14:17:22Z] Outcoming response to 10.244.0.1:56140 with 200 status code
2019/08/14 14:17:22 [2019-08-14T14:17:22Z] Incoming HTTP/2.0 POST /api/v1/token/refresh request from 10.244.0.1:56140: { contents hidden }
2019/08/14 14:17:22 [2019-08-14T14:17:22Z] Outcoming response to 10.244.0.1:56140 with 200 status code
2019/08/14 14:17:22 [2019-08-14T14:17:22Z] Incoming HTTP/2.0 GET /api/v1/settings/global/cani request from 10.244.0.1:56140: {}
2019/08/14 14:17:22 [2019-08-14T14:17:22Z] Outcoming response to 10.244.0.1:56140 with 200 status code
2019/08/14 14:17:22 [2019-08-14T14:17:22Z] Incoming HTTP/2.0 GET /api/v1/settings/global request from 10.244.0.1:56140: {}
2019/08/14 14:17:22 Cannot find settings config map: configmaps "kubernetes-dashboard-settings" not found
and again the pod logs
[root#pp-tmp-test20 ~]# kubectl logs kubernetes-dashboard-5698d5bc9-ql6q8 -n kube-system
Error from server: Get https://172.31.68.220:10250/containerLogs/kube-system/kubernetes-dashboard-5698d5bc9-ql6q8/kubernetes-dashboard: Forbidden
What I'm doing wrong ? Could you please tell me some investigating way ?
EDIT :
my service account that I used
# cat dashboard-adminuser.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kube-system
# cat dashboard-adminuser-ClusterRoleBinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kube-system

It seams heapster is deprecated with kubernetes in favor of metrics-server: Support metrics API #2986 & Heapster Deprecation Timeline .
I have deployed a dashboard that use heapster. This dashboard version is not compatible with my kubernetes version (1.15). So possible way to resolve the issue: install dashboard v2.0.0-beta3
# kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta3/aio/deploy/recommended.yaml

It seems that the serviceaccount kubernetes-dashboard doesn't have access to all kubernetes resources because it was bound to kubernetes-dashboard-minimal role. If you bind the service account to cluster-admin role , you won't get such issues. Below YAML file can be used to achieve this.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard
labels:
k8s-app: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system