When running the Kubernetes Dashboard in a Windows Docker Desktop when I click on "pods" either nothing is shown
There is nothing to display here No resources found.
or I get this error:
deployments.apps is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "deployments" in API group "apps" in the namespace "default"
Was there anything running? Yes.
How can I get an overview of my pods?
What's the config? In the Windows Docker Desktop environment, I stared with a fresh Kubernetes. I removed any old user "./kube/config" file.
To get the Kubernetes dashboard runnig, I did the procedure:
Get the dashboard: kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
Because generating tokens via a standard procedure (as found on many places) did not work, I took the alternative short-cut:
kubectl patch deployment kubernetes-dashboard -n kubernetes-dashboard --type 'json' -p '[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--enable-skip-login"}]'
After typing "kubectl proxy" the result is: Starting to serve on 127.0.0.1:8001
In a browser I started the dashboard: http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/#/workloads?namespace=default
After clicking the "Skip" button, the dashboard opened.
Clicking on "Pods" (and nearly all other items) gave this error:
pods is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "pods" in API group "" in the namespace "kubernetes-dashboard" (could be "default" as well)
It did not matter whether I chose the default namespace.
ALTERNATIVE: As an alternative I tried to bind the kubernetes-dashboard ServiceAccount to the cluster-admin ClusterRole.
- Preparations: create this file:
apiVersion: v1 kind: ServiceAccount metadata: name: admin-user namespace: kubernetes-dashboard
$ kubectl apply -f s.yml
Create this file:
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: admin-user roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: admin-user namespace: kubernetes-dashboard
$ kubectl apply -f r.yml
Then run this command:
$ kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"
This (or similar alternative) command gives a lot of errors.
Breaking this command down in parts: kubectl -n kubernetes-dashboard get sa/admin-user ... gives:
This command: kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}" gives no result.
It's definitely a Permissions issue.
Binds the kubernetes-dashboard ServiceAccount to the cluster-admin ClusterRole.
Otherwise it doesn't have the privileges to be able to collect data from the cluster.