User "system:anonymous" cannot get resource
Running the following command shows the addresses of the control plane and of the services labeled kubernetes.io/cluster-service=true:
    $ kubectl cluster-info
    Kubernetes control plane is running at https://<master_IP>:8383
    kubernetes-dashboard is running at https://<master_IP>:8383/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy
If opening the kubernetes-dashboard link returns the following output:
    {
      "kind": "Status",
      "apiVersion": "v1",
      "metadata": {},
      "status": "Failure",
      "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"kube-system\"",
      "reason": "Forbidden",
      "details": {
        "name": "https:kubernetes-dashboard:",
        "kind": "services"
      },
      "code": 403
    }
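You will need to create a ClusterRole that grants permission on kubernetes-dashboard and bind it to the system:anonymous user as follows. system:anonymous is the identity the API server assigns to requests that carry no credentials, so the binding applies to every unauthenticated client that can reach the API server. To apply these changes, save the manifest to a YAML file and run the kubectl apply command.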
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: kubernetes-dashboard-anonymous
    rules:
    # Access to the dashboard Service through the API server proxy
    - apiGroups: [""]
      resources: ["services/proxy"]
      resourceNames: ["https:kubernetes-dashboard:"]
      verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
    # URL paths that are matched as non-resource requests
    - nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"]
      verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: kubernetes-dashboard-anonymous
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: kubernetes-dashboard-anonymous
    # Bind the role to unauthenticated requests
    subjects:
    - kind: User
      name: system:anonymous
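
To review what a binding like the one above exposes, the following added example (not part of the original page) lists every ClusterRole rule reachable without credentials. The SAMPLE document is constructed here to mirror the output of `kubectl get clusterroles,clusterrolebindings -o json`, and the function and field names in the findings are assumptions of this example.

```python
import json

# Constructed sample, shaped like `kubectl get clusterroles,clusterrolebindings -o json`
# after applying the manifest above (only the first rule is reproduced).
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "ClusterRole",
   "metadata": {"name": "kubernetes-dashboard-anonymous"},
   "rules": [{"apiGroups": [""], "resources": ["services/proxy"],
              "resourceNames": ["https:kubernetes-dashboard:"],
              "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}]},
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "kubernetes-dashboard-anonymous"},
   "roleRef": {"kind": "ClusterRole", "name": "kubernetes-dashboard-anonymous"},
   "subjects": [{"kind": "User", "name": "system:anonymous"}]},
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]}
]}
""")

# Identities the API server assigns to requests that carry no credentials.
UNAUTHENTICATED = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

def anonymous_grants(doc):
    """Return one finding per ClusterRole rule reachable without authentication."""
    items = doc.get("items", [])
    roles = {i["metadata"]["name"]: i.get("rules") or []
             for i in items if i["kind"] == "ClusterRole"}
    findings = []
    for b in (i for i in items if i["kind"] == "ClusterRoleBinding"):
        subjects = {(s["kind"], s["name"]) for s in b.get("subjects") or []}
        if not subjects & UNAUTHENTICATED:
            continue  # binding does not include an unauthenticated identity
        for rule in roles.get(b["roleRef"]["name"], []):
            findings.append({
                "binding": b["metadata"]["name"],
                "targets": rule.get("resources") or rule.get("nonResourceURLs") or [],
                "names": rule.get("resourceNames", []),
                "write": sorted(WRITE_VERBS & set(rule["verbs"])),
            })
    return findings

if __name__ == "__main__":
    for finding in anonymous_grants(SAMPLE):
        print(finding)
```

Namespaced RoleBindings are not covered by this sketch. On a live cluster, built-in bindings that include system:unauthenticated, such as system:public-info-viewer, will be listed alongside any you created.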