Site can not be reached problem while accessing on local laptop from deployed kubernetes dashboard service on remote machine
You need to change the service type to NodePort to access it from your local.
NodePort
This way of accessing Dashboard is only recommended for development environments in a single node setup.
Edit kubernetes-dashboard service.
$ kubectl -n kubernetes-dashboard edit service kubernetes-dashboard
You should see yaml representation of the service. Change type: ClusterIP to type: NodePort and save file.
apiVersion: v1... name: kubernetes-dashboard namespace: kubernetes-dashboard resourceVersion: "343478" selfLink: /api/v1/namespaces/kubernetes-dashboard/services/kubernetes- dashboard uid: 8e48f478-993d-11e7-87e0-901b0e532516spec: clusterIP: 10.100.124.90 externalTrafficPolicy: Cluster ports: - port: 443 protocol: TCP targetPort: 8443 selector: k8s-app: kubernetes-dashboard sessionAffinity: None type: ClusterIPstatus: loadBalancer: {}
Next we need to check port on which Dashboard was exposed.
$ kubectl -n kubernetes-dashboard get service kubernetes-dashboardNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGEkubernetes-dashboard NodePort 10.100.124.90 <nodes> 443:31707/TCP 21h
Dashboard has been exposed on port 31707 (HTTPS). Now you can access it from your browser at: https://<master-ip>:31707
. master-ip can be found by executing kubectl cluster-info. Usually it is either 127.0.0.1 or IP of your machine, assuming that your cluster is running directly on the machine, on which these commands are executed.
In case you are trying to expose Dashboard using NodePort on a multi-node cluster, then you have to find out IP of the node on which Dashboard is running to access it. Instead of accessing https://<master-ip>:<nodePort>
you should access https://<node-ip>:<nodePort>
.
The UI can only be accessed from the machine where the command(kubectl proxy) is executed. In that machine try
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
Edit:
Otherwise use nodeport mechanism for accessing it without using kubectl proxy
Update:
Accessing the the dashboard using kubectl proxy
Run kubectl proxy
and then access
I used a token for auth and here is now I created the token:
# Create the service account in the current namespace # (we assume default)kubectl create serviceaccount my-dashboard-sa# Give that service account root on the clusterkubectl create clusterrolebinding my-dashboard-sa \ --clusterrole=cluster-admin \ --serviceaccount=default:my-dashboard-sa# Find the secret that was created to hold the token for the SAkubectl get secrets# Show the contents of the secret to extract the tokenkubectl describe secret my-dashboard-sa-token-xxxxx
Accessing the dashboard via publicly exposed API Server
Use this url in browser https://<master-ip>:<apiserver-port>/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
This will give you below error:
{ "kind": "Status", "apiVersion": "v1", "metadata": { }, "status": "Failure", "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"kube-system\"", "reason": "Forbidden", "details": { "name": "https:kubernetes-dashboard:", "kind": "services" }, "code": 403}
To solve above error apply below yaml to configure RBAC:
kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata: name: kubernetes-dashboard-anonymousrules:- apiGroups: [""] resources: ["services/proxy"] resourceNames: ["https:kubernetes-dashboard:"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata: name: kubernetes-dashboard-anonymousroleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kubernetes-dashboard-anonymoussubjects:- kind: User name: system:anonymous
You will still need either a kubeconfig or a token to access. Token can be created by mechanism described above.