
Windows Docker Desktop - Kubernetes Dashboard - no data on pods is shown OR access is forbidden


When running the Kubernetes Dashboard in Windows Docker Desktop, when I click on "pods" either nothing is shown:

There is nothing to display here No resources found.

or I get this error:

deployments.apps is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "deployments" in API group "apps" in the namespace "default"

Was there anything running? Yes.


How can I get an overview of my pods?

What's the config? In the Windows Docker Desktop environment, I started with a fresh Kubernetes. I removed any old user "./kube/config" file.

To get the Kubernetes dashboard running, I followed this procedure:

  1. Get the dashboard: kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml

  2. Because generating tokens via a standard procedure (as found in many places) did not work, I took the alternative short-cut:

     kubectl patch deployment kubernetes-dashboard -n kubernetes-dashboard --type 'json' -p '[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--enable-skip-login"}]'

  3. After typing "kubectl proxy" the result is: Starting to serve on 127.0.0.1:8001

  4. In a browser I started the dashboard: http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/#/workloads?namespace=default

After clicking the "Skip" button, the dashboard opened.

Clicking on "Pods" (and nearly all other items) gave this error:

pods is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "pods" in API group "" in the namespace "kubernetes-dashboard" (could be "default" as well)

It did not matter whether I chose the default namespace.

ALTERNATIVE: As an alternative I tried to bind the kubernetes-dashboard ServiceAccount to the cluster-admin ClusterRole.

  1. Preparations: create this file:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: admin-user
      namespace: kubernetes-dashboard

    $ kubectl apply -f s.yml

Create this file:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: admin-user
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: admin-user
      namespace: kubernetes-dashboard

    $ kubectl apply -f r.yml

Then run this command:

$ kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"

This (or similar alternative) command gives a lot of errors.

Breaking this command down in parts: kubectl -n kubernetes-dashboard get sa/admin-user ... gives:

(screenshot of the command output; image not included)

This command: kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}" gives no result.


Solution

  • It's definitely a Permissions issue.

    Bind the kubernetes-dashboard ServiceAccount to the cluster-admin ClusterRole.

    Otherwise it doesn't have the privileges to be able to collect data from the cluster.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: dashboard-admin
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: kubernetes-dashboard
      namespace: NAMESPACE-WHERE-DASHBOARD-IS
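
An added example, not part of the original answer: with --enable-skip-login, everyone who reaches the dashboard acts as the kubernetes-dashboard ServiceAccount (the user named in the errors above), so a cluster-admin binding gives each of them full control of the cluster. The manifest below grants that account read-only access instead, through the built-in view ClusterRole plus a small role for cluster-scoped objects. The names dashboard-view and dashboard-cluster-read are hypothetical, and the namespace kubernetes-dashboard is assumed from recommended.yaml.

```yaml
# Added example: read-only RBAC for the dashboard's own ServiceAccount.
# Object names (dashboard-view, dashboard-cluster-read) are hypothetical.

# 1. Namespaced workloads (pods, deployments, services, ...) in all namespaces.
#    The built-in "view" ClusterRole is read-only and does not cover Secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard   # assumed: namespace used by recommended.yaml
---
# 2. Cluster-scoped objects the dashboard lists in its overview pages.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-cluster-read
rules:
- apiGroups: [""]
  resources: ["nodes", "namespaces", "persistentvolumes"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-cluster-read
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dashboard-cluster-read
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
```

After applying it, `kubectl auth can-i list pods -n default --as=system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard` should answer yes, while the same check with `delete pods` or `get secrets` should answer no.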