Dashboar apply - Forbidden

[stychu]

Environment

Dashboard version: 1.7.1
Kubernetes version: Client Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.6", GitCommit:"...", GitTreeState:"clean", BuildDate:"2017-09-14T06:55:55Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"7+", GitVersion:"v1.7.6-gke.1", GitCommit:"...", GitTreeState:"clean", BuildDate:"2017-09-27T21:21:34Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}

Operating system: linux
Node.js version: v6.10.0

Steps to reproduce

Run the command kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

Observed result

serviceaccount "kubernetes-dashboard" configured
rolebinding "kubernetes-dashboard-minimal" configured
deployment "kubernetes-dashboard" configured
service "kubernetes-dashboard" configured
Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml": roles.rbac.authorization.k8s.io "kubernetes-dashboard-minimal" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"], ResourceNames:["kubernetes-dashboard-key-holder"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], ResourceNames:["kubernetes-dashboard-certs"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], ResourceNames:["kubernetes-dashboard-key-holder"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["secrets"], ResourceNames:["kubernetes-dashboard-certs"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["secrets"], ResourceNames:["kubernetes-dashboard-key-holder"], APIGroups:[""], Verbs:["delete"]} PolicyRule{Resources:["secrets"], ResourceNames:["kubernetes-dashboard-certs"], APIGroups:[""], Verbs:["delete"]} PolicyRule{Resources:["services"], ResourceNames:["heapster"], APIGroups:[""], Verbs:["proxy"]}] user=&{xxxxx@gmail.com  [system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]

Expected result

Successfult deploy

Comments

I recently had some access problems mentioned with #2522 and those were caused byt this kubectl apply. Yesterday I've deleted the dashboard secrets and dashboard itself and I was able to access the dashboard via kubectl proxy. Todays morning im running kubectl proxy and trying to access the dashboard on localhost:8001/ui and i got blank whie page.(yesterday was accessible). Trying to access http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ also results in blank page BUT accessing http://localhost:8001/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy/#!/deployment?namespace=default brings up the dashboard.

This is right behaviour ? Should I leave this like it is and just hit this link http://localhost:8001/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy/#!/deployment?namespace=default ?? Also after deleting secrets and dashboard its self recreating without any secrets and this is little bothering me. Should I bother? kubectl describe secret kubernetes-dashboard-certs -n kube-system Error from server (NotFound): secrets "kubernetes-dashboard-certs" not found And why there is that forrbiden error? Am i missing something ?

[maciaszczykm]

You have no privileges to deploy Dashboard. It is not a Dashboard issue, because you will not be able to deploy any other RBAC definition. Read more at https://kubernetes.io/docs/admin/authorization/.

[maciaszczykm]

Also after deleting secrets and dashboard its self recreating without any secrets and this is little bothering me.

Your addon manager does that. By default GCE used 1.6.3 where secret was not a part of Dashboard deployment.

[amitoo7]

You have no privileges to deploy Dashboard. It is not a Dashboard issue, because you will not be able to deploy any other RBAC definition. Read more at https://kubernetes.io/docs/admin/authorization/.

How do i put the RBAC role for gke cluster