Okay… so I finally got them to go away. After I disabled metrics-server and dashboard they finally went away. I’ll play around with it to see if I can figure out a way to reliably re-create this issue… but I’m 99% certain I disabled correctly yesterday.
Shouldn’t the documentation include instructions about the microk8s.dashboard-proxy
command?
Hi guys.
I would like to suggest you to add info about RBAC default user setup here instead point to upstream doc, because there the namespace is kubernetes-dashboard
instead of kube-system
.
microk8s now has the dashboard-proxy
verb that does much or all of this for most users. I think it should be mentioned on this page.
Any update on this? I’ve spent a few hours trying to get access to the dashboard without success.
The dashboard opens but it can’t show anything. The following notificaion is shown repeated:
namespaces is forbidden: User “system:serviceaccount:kube-system:default” cannot list resource “namespaces” in API group “” at the cluster scope
Which version are you using? if it is v1.24
, you will need to create a ClusterRoleBinding
to a proper ClusterRole
. If this is your development server, you can create this resource.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: default
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: default
namespace: kube-system
Then to get the token do a microk8s kubectl -n kube-system create token default
and use the token provided to login.
Again doing this will allow default
user to have access to the cluster as administrator, based on the CRB
above.
Has the image name for microk8s changed to “microk8s-vm” rather than “MicroK8sVM”?
I copy/paste instructions so I don’t make mistakes, but in this case, it’s a mistake to do that
In an RBAC enabled setup you need to create a ServiceAccount for the Dashboard dashboard/creating-sample-user.md at master · kubernetes/dashboard · GitHub
then generate the Bearer Token kubectl -n kubernetes-dashboard create token admin-user, the token will expire after a short time. For Newcomers, create the Bearer Token with 99999 hours duration kubectl -n kubernetes-dashboard create token admin-user --duration=999999h
The documentation for on this page for Linux says that after enabling the dashboard addon, with microk8s 1.24+ you need to run the following command to generate a dashboard token:
microk8s kubectl create token default
When I tried this on Ubuntu 22.04 with microk8s 1.27.3 from the 1.27-strict/stable channel, it appears that all the required setup (including RBAC roles) is now done automatically, and the output from the enable command says:
If RBAC is not enabled access the dashboard using the token retrieved with:
microk8s kubectl describe secret -n kube-system microk8s-dashboard-token
Use this token in the https login UI of the kubernetes-dashboard service.
Note – it also might be nice to mention that the dashboard by default uses a self-signed cert, and that this may require extra steps (browser dependent) to access the UI.
Thanks for spotting this - i will take a few run throughs in different scenarios and make sure the page gets updated
Hi there, I’m running my homelab on three bare metal nodes (like perhaps more users). After struggeling a short while with how to expose the dashboard to my local network, as I was hesitant to place an Ingress in the kube-system namespace, I discovered the “unlisted” (it is in the repo but not on the docs page) community addon dashboard-ingress
.
As far as I see this would be ‘platform neutral’, provided the ingress addon works as intended, and perhaps a good ‘batteries included’ addition to the documentation here.
Expose the cluster on your local network
To access the dashboard on nodes that are in your local network from another machine on your local network, an Ingress resource is convenient to use. This can be done manually by adding an Ingress to the kube-system
namespace in which the dashboard runs, or using the dashboard-ingress
community addon which does that for you.
To use the dashboard-ingress
addon, enable these prerequisite addons first:
microk8s enable ingress
microk8s enable community
Then use the dashboard-ingress addon to create an Ingress-resource in the kube-system namespace. Be sure to use:
- a hostname that correctly resolves on your local machine/network (e.g. for Linux machines by adding it to /etc/hosts on the machine from which you will connect to the cluster), and
- the
-a
flag to add your local network subnet as appropriate.
For example:
microk8s enable dashboard-ingress -n hostname.of.a.cluster.node.local -a 192.168.178.0/24
thanks @jveraa. That’s some excellent work there. It seems the add-on was accepted from the community but there was no documentation added with it. That isn’t how the process should work so I will make sure that is happening in future and will update all the relevant pages