Gleeb

Reputation: 11289

Kubernetes Dashboards are unauthorised. How to configure

I am following the tutorial from Kubernetes on AWS by CoreOS (I need a CloudFormation template) to create a Kubernetes cluster inside my already existing VPC.

Everything is configured properly and the cluster was successfully set up, but I am experiencing difficulties with Heapster/KubeDNS.

My cluster info and config view look like this:

kubectl --kubeconfig=kubeconfig cluster-info
Kubernetes master is running at https://my-cluster-endpoint.company.com.
Heapster is running at https://my-cluster-endpoint.company.com./api/v1/proxy/namespaces/kube-system/services/heapster
KubeDNS is running at https://my-cluster-endpoint.company.com./api/v1/proxy/namespaces/kube-system/services/kube-dns

kubectl --kubeconfig=kubeconfig config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority: credentials/ca.pem
    server: https://my-cluster-endpoint.company.com.
  name: kube-aws-my-cluster-name-cluster
contexts:
- context:
    cluster: kube-aws-my-cluster-name-cluster
    namespace: default
    user: kube-aws-my-cluster-name-admin
  name: kube-aws-my-cluster-name-context
current-context: kube-aws-my-cluster-name-context
kind: Config
preferences: {}
users:
- name: kube-aws-my-cluster-name-admin
  user:
    client-certificate: credentials/admin.pem
    client-key: credentials/admin-key.pem

So a few problems that I notice compared to the getting started guides from kubernetes.io:

  1. All the "out of the box" services like Kibana/Grafana are missing (but these you can probably install yourself)
  2. There is no "user" section with a username and password to enter the dashboards, only one with a certificate

Also, when I try to reach these endpoints I immediately get "unauthorised" and the API does not even challenge me for a username and password.

So how do I set basic authentication for my newly created cluster OR is there a way to login with the .pem certificate?

Thanks.

Upvotes: 1

Views: 3177

Answers (1)

Aaron Levy

Reputation: 336

The CoreOS-kubernetes tooling is meant to deploy a fully functioning Kubernetes cluster, but leave optional/addon applications as a decision for the cluster admin. In this case Kibana & Grafana are not strictly required for a fully functioning cluster -- so they are not deployed by default.

Similarly with authentication, basic-auth is not enabled by default (cert based auth and Bearer tokens are). However, you should be able to add basic auth by creating a file and adding a flag to the api-server manifest:

  • Create a basic auth file following the format described here: http://kubernetes.io/docs/admin/authentication

  • In /etc/kubernetes/manifests/kube-apiserver.yaml, add a flag pointing to the file you created above --basic-auth-file=SOMEFILE

When you make the change to the kube-apiserver.yaml manifest, the kubelet will see the change and automatically restart the pod. If you're running apiservers on multiple hosts, be sure to make the above changes to each.

Another option is to use the kubectl proxy command to first authenticate against your api-server. See: http://kubernetes.io/docs/user-guide/connecting-to-applications-proxy - essentially the kubectl proxy will authenticate then allow you to access the endpoint locally on your machine.

Upvotes: 3
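
As an added example (not part of the answer above and not CoreOS or Kubernetes code): the file passed to --basic-auth-file is a CSV with at least the columns password,user,uid, and the passwords are stored in plaintext, so it is worth generating random passwords, keeping the file owner-only, and auditing it before pointing the API server at it. The function names, the 16-character minimum and the sample rows are assumptions made for this sketch.

```python
import csv, io, os, secrets, stat, tempfile

MIN_PASSWORD_LEN = 16  # assumption: local policy, not a Kubernetes requirement

def make_entry(user, uid):
    """Return one 'password,user,uid' CSV line with a random password."""
    buf = io.StringIO()
    row = [secrets.token_urlsafe(24), user, uid]
    csv.writer(buf, lineterminator="\n").writerow(row)
    return buf.getvalue()

def write_auth_file(path, lines):
    """Write the file owner-only (0600): the passwords in it are plaintext."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a file that already existed
    with os.fdopen(fd, "w", newline="") as fh:
        fh.writelines(lines)

def audit_auth_file(path):
    """Return a list of findings for a static basic-auth file."""
    findings = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("file is accessible by group/other")
    seen = set()
    with open(path, newline="") as fh:
        for n, row in enumerate(csv.reader(fh), start=1):
            if len(row) < 3:
                findings.append(f"line {n}: expected password,user,uid")
                continue
            password, user = row[0], row[1]
            if len(password) < MIN_PASSWORD_LEN:
                findings.append(f"line {n}: password for {user!r} is short")
            if user in seen:
                findings.append(f"line {n}: duplicate user {user!r}")
            seen.add(user)
    return findings

def demo():
    """Audit a generated file and a constructed bad one; return both results."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.csv"), os.path.join(d, "bad.csv")
        write_auth_file(good, [make_entry("admin", "1000")])
        # Constructed sample rows: weak password, missing column, duplicate user.
        write_auth_file(bad, ["hunter2,admin,1000\n", "onlytwo,cols\n",
                              make_entry("admin", "1001")])
        os.chmod(bad, 0o644)  # simulate a world-readable file
        return audit_auth_file(good), audit_auth_file(bad)

if __name__ == "__main__":
    print(demo())
```

The --basic-auth-file flag was removed from kube-apiserver in Kubernetes 1.19, so this applies only to older clusters such as the one in the question.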
