4

When I try to access the Kubernetes dashboard service from my local laptop, I get the message that the site cannot be reached.

Procedure followed:

I followed the documentation from the following link,

https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/

I created my cluster with one master and one worker node on my on-premise machines. Each machine runs Ubuntu 16.04. I installed kubectl and access this cluster from my control VM, where I am running Jenkins for the CI/CD pipeline. From this control VM I bound the cluster role and deployed the Kubernetes dashboard as explained in the documentation.

I ran the following command to deploy the default dashboard service from my control VM using the kubectl command (outside the cluster):

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta8/aio/deploy/recommended.yaml

I created the role binding YAML dashboard-adminuser.yaml with the following content:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard

And created this by using the following command:

 kubectl apply -f dashboard-adminuser.yaml

I accessed the token using the following command:

kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')

And I ran the following command to serve the dashboard service:

kubectl proxy

When I run the command, it shows "Starting serving on 127.0.0.1:8001".

And I tried to access the dashboard by entering the following URL in the browser:

http://192.168.16.170:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

But I am only getting the message that the site cannot be reached.

Updates

Now I am trying to access it using the NodePort mechanism by editing the dashboard service type to NodePort. When I try to access the URL, I get an error like "your connection is not private". I am adding the screenshot below.


Where have I gone wrong?

halfer
Mr.DevEng
  • What does the logs from the metric server and dashboard pods say? – Arghya Sadhu Dec 30 '19 at 10:52
  • @ArghyaSadhu - I did not find any pod or service for my dashboard. That's my problem here. When I run the `kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta8/aio/deploy/recommended.yaml`, I did not get any error either. Because I added each step that I implemented step by step above. After running kubectl proxy it was showing starting to serve on 127.0.0.1:8001. – Mr.DevEng Dec 30 '19 at 11:08
  • Kubectl get pods -n kubernetes-dashboard should give you pods and then check logs of the pods – Arghya Sadhu Dec 30 '19 at 11:11
  • @ArghyaSadhu - That was not listed when I tried the command `kubectl get pods`. Now I got that and I updated the result in the question. It is showing that it is in running state. Can you check the edited question please? – Mr.DevEng Dec 30 '19 at 11:15
  • what does this say kubectl logs kubernetes-dashboard-5996555fd8-rdjn7 -n kubernetes-dashboard – Arghya Sadhu Dec 30 '19 at 11:21
  • @ArghyaSadhu - I Updated in question in updates. Can you please look on that ? – Mr.DevEng Dec 30 '19 at 11:27
  • okay dashboard does not have problem..can you do kubectl get events --all-namespaces – Arghya Sadhu Dec 30 '19 at 11:33
  • @ArghyaSadhu - I am getting message `0/2 nodes are available: 2 node(s) had taints that the pod didn't tolerate.` for object `pod/spacestudyadminaccountmaintenance-deployment-68df98d5d9-frzqk` with reason `FailedScheduling`. – Mr.DevEng Dec 30 '19 at 11:37
  • @ArghyaSadhu - But this is showing for my pod deployment (my spring boot micro service ). Is this affecting to kubernetes dashboard accessing ? – Mr.DevEng Dec 30 '19 at 11:47

2 Answers

5

You need to change the service type to NodePort to access it from your local machine.

NodePort

This way of accessing Dashboard is only recommended for development environments in a single node setup.

Edit kubernetes-dashboard service.

$ kubectl -n kubernetes-dashboard edit service kubernetes-dashboard

You should see yaml representation of the service. Change type: ClusterIP to type: NodePort and save file.

apiVersion: v1
...
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  resourceVersion: "343478"
  selfLink: /api/v1/namespaces/kubernetes-dashboard/services/kubernetes-dashboard
  uid: 8e48f478-993d-11e7-87e0-901b0e532516
spec:
  clusterIP: 10.100.124.90
  externalTrafficPolicy: Cluster
  ports:
   - port: 443
     protocol: TCP
     targetPort: 8443
  selector:
   k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}

Next we need to check port on which Dashboard was exposed.

$ kubectl -n kubernetes-dashboard get service kubernetes-dashboard

NAME                   TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.100.124.90   <nodes>       443:31707/TCP   21h

Dashboard has been exposed on port 31707 (HTTPS). Now you can access it from your browser at: https://<master-ip>:31707. master-ip can be found by executing kubectl cluster-info. Usually it is either 127.0.0.1 or IP of your machine, assuming that your cluster is running directly on the machine, on which these commands are executed.

In case you are trying to expose Dashboard using NodePort on a multi-node cluster, then you have to find out IP of the node on which Dashboard is running to access it. Instead of accessing https://<master-ip>:<nodePort> you should access https://<node-ip>:<nodePort>.

Nandu Raj
2

The UI can only be accessed from the machine where the command (kubectl proxy) is executed. On that machine, try

http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

Edit:

Otherwise, use the NodePort mechanism to access it without using kubectl proxy:

https://github.com/kubernetes/dashboard/blob/master/docs/user/accessing-dashboard/1.7.x-and-above.md#nodeport

Update:

Accessing the dashboard using kubectl proxy

Run kubectl proxy and then access

http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/#/overview?namespace=default

I used a token for auth and here is how I created the token:

# Create the service account in the current namespace 
# (we assume default)
kubectl create serviceaccount my-dashboard-sa
# Give that service account root on the cluster
kubectl create clusterrolebinding my-dashboard-sa \
  --clusterrole=cluster-admin \
  --serviceaccount=default:my-dashboard-sa
# Find the secret that was created to hold the token for the SA
kubectl get secrets
# Show the contents of the secret to extract the token
kubectl describe secret my-dashboard-sa-token-xxxxx

Accessing the dashboard via a publicly exposed API server

Use this URL in the browser: https://<master-ip>:<apiserver-port>/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

This will give you the error below:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}

To solve the above error, apply the YAML below to configure RBAC:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-anonymous
rules:
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["https:kubernetes-dashboard:"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-anonymous
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard-anonymous
subjects:
- kind: User
  name: system:anonymous

You will still need either a kubeconfig or a token for access. The token can be created by the mechanism described above.

Arghya Sadhu
  • Thank you for your response. In my case the suitable one is the second option. I am using the NodePort mechanism now by editing the dashboard service. But when I access the URL with node ip:node port, I only get the message "Your connection is not private", a privacy error. – Mr.DevEng Dec 30 '19 at 15:43
  • If you add the CA cert (self-signed) presented by the HTTPS endpoint nodeip:port to your system's trusted CA certs, then the communication will start happening over HTTPS and you will not get that error – Arghya Sadhu Dec 30 '19 at 15:47
  • I did not understand what you mean by "presented by the https endpoint nodeip:port to systems". Which CA certificate do I need to add? When I go to the /etc/ssl/certs folder I can see both .pem and .crt files. Can you clarify for me please? – Mr.DevEng Dec 31 '19 at 07:52
  • Can I follow this documentation: https://hostadvice.com/how-to/how-to-install-a-self-signed-ssl-certificate-for-apache-on-ubuntu-18-04-server/ – Mr.DevEng Dec 31 '19 at 09:22
  • I am already running kubectl proxy. But the machine where I bound the cluster role to the service account and deployed the dashboard service is not my local machine. It is a remote Ubuntu VM outside the k8s cluster which is only used for my CI (Jenkins installation). I do not have direct access to that machine, so I am not able to use `localhost` from there, since I have only terminal access via ssh. So I am trying to do that from my local machine by replacing localhost with the remote machine's IP address. I hope that you understand what I am trying to do. If I went in the wrong direction, please guide me. – Mr.DevEng Dec 31 '19 at 09:43
  • When I run the command on my remote VM from where I deployed the dashboard service, it was showing "Starting serving on 127.0.0.1:8001". But I cannot open the localhost/.. URL from there. I have only terminal access via ssh. I tried to replace localhost with that IP. But no response. Site cannot be reached. – Mr.DevEng Dec 31 '19 at 09:50
  • Does your kube API server have an IP or FQDN which is reachable from the browser? If yes, then follow the access method using the API server in the updated answer. I could access it from Chrome after I selected advanced and proceed to unsafe. It still says not secure in the browser but I am able to access it – Arghya Sadhu Dec 31 '19 at 09:56
  • Yes. Let me try that way. – Mr.DevEng Dec 31 '19 at 09:58
  • Yes. Perfect. The API server method that you added to the answer is working successfully. I am able to log in using my token. If you are clear about the previous attempt, can you clarify for me what the exact problem is? Very curious to find out. And thank you for your response sir. – Mr.DevEng Dec 31 '19 at 10:11
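
The posts above create three ClusterRoleBindings: cluster-admin for the `admin-user` and `my-dashboard-sa` service accounts, and a binding for the `system:anonymous` user. The following is an added example, not code from any post in this thread, that audits the output of `kubectl get clusterrolebindings -o json` for both patterns. The sample data is constructed, and the `EXPECTED` allowlist of stock bindings is an assumption to adjust to your own cluster baseline.

```python
import json
import sys

# Subjects that match requests carrying no credentials at all.
UNAUTH = {"system:anonymous", "system:unauthenticated"}
# Assumption: bindings a stock cluster ships for unauthenticated callers; adjust to your baseline.
EXPECTED = {"system:public-info-viewer"}


def audit_bindings(binding_list):
    """Return (binding, finding, detail) tuples for risky ClusterRoleBindings."""
    findings = []
    for item in binding_list.get("items", []):
        name = item["metadata"]["name"]
        role = item.get("roleRef", {}).get("name", "")
        for subj in item.get("subjects") or []:  # subjects may be absent or null
            kind, who = subj.get("kind"), subj.get("name")
            if kind in ("User", "Group") and who in UNAUTH and name not in EXPECTED:
                findings.append((name, "unauthenticated-subject", f"{kind}/{who} -> {role}"))
            elif kind == "ServiceAccount" and role == "cluster-admin":
                findings.append((name, "cluster-admin-serviceaccount",
                                 f"{subj.get('namespace', '')}/{who}"))
    return findings


def _binding(name, role, *subjects):
    """Build a minimal ClusterRoleBinding dict for the constructed sample."""
    keys = ("kind", "name", "namespace")
    return {"metadata": {"name": name}, "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [dict(zip(keys, s)) for s in subjects]}


# Constructed sample: the three bindings created in this thread plus two stock ones.
SAMPLE = {"items": [
    _binding("admin-user", "cluster-admin", ("ServiceAccount", "admin-user", "kubernetes-dashboard")),
    _binding("my-dashboard-sa", "cluster-admin", ("ServiceAccount", "my-dashboard-sa", "default")),
    _binding("kubernetes-dashboard-anonymous", "kubernetes-dashboard-anonymous",
             ("User", "system:anonymous")),
    _binding("system:public-info-viewer", "system:public-info-viewer",
             ("Group", "system:authenticated"), ("Group", "system:unauthenticated")),
    _binding("cluster-admin", "cluster-admin", ("Group", "system:masters")),
]}

if __name__ == "__main__":
    # Pipe `kubectl get clusterrolebindings -o json` in, or run bare to use SAMPLE.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in audit_bindings(data):
        print(*finding, sep="\t")
```

A dashboard token bound to cluster-admin gives whoever holds it full control of the cluster, so each finding is a candidate for a narrower role or for deletion once the dashboard is reachable another way.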