Cannot login to the Dashboard: "Failure during parsing" the token

[stefano-cherchi]

What happened?

Just installed a 3-nodes cluster with kubeadm, deployed the Kubernetes dashboard using Helm (chart version 7.5.0), the Kubernetes dashboard login page is reachable but, whatever token I use, it always throw the error: Unknown error (200): Http failure during parsing for http://192.168.61.50:8000/api/v1/csrftoken/login

What did you expect to happen?

I expect to be able to access the Kubernetes dashboard using the token issued following the instructions shown in the login page: You can generate token for service account with: kubectl -n NAMESPACE create token SERVICE_ACCOUNT

How can we reproduce it (as minimally and precisely as possible)?

• Deploy a new Kubernetes cluster (v1.31.0) using kubeadm, deploy a network plugin (e.g: Calico) and wait for all the nodes to be in Ready state
• Deploy the Kubernetes Dashboard using the official Helm Chart (version 7.5.0)

debian@k8s-control-plane:~$ helm list --namespace kubernetes-dashboard
NAME                    NAMESPACE               REVISION    UPDATED                                   STATUS      CHART                         APP VERSION
kubernetes-dashboard    kubernetes-dashboard    1           2024-09-09 08:14:36.737781558 +0000 UTC   deployed    kubernetes-dashboard-7.5.0   

debian@k8s-control-plane:~$ kubectl get services --namespace kubernetes-dashboard
NAME                                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                         AGE
kubernetes-dashboard-api               ClusterIP   10.110.9.206     <none>        8000/TCP                        53m
kubernetes-dashboard-auth              ClusterIP   10.100.87.15     <none>        8000/TCP                        53m
kubernetes-dashboard-kong-manager      NodePort    10.110.155.80    <none>        8002:31529/TCP,8445:31474/TCP   53m
kubernetes-dashboard-kong-proxy        ClusterIP   10.109.214.190   <none>        443/TCP                         53m
kubernetes-dashboard-metrics-scraper   ClusterIP   10.108.13.197    <none>        8000/TCP                        53m
kubernetes-dashboard-web               ClusterIP   10.103.33.64     <none>        8000/TCP                        53m

 debian@k8s-control-plane:~$ kubectl get pods --namespace kubernetes-dashboard
NAME                                                    READY   STATUS    RESTARTS   AGE
kubernetes-dashboard-api-d4bd76b6-qwvfb                 1/1     Running   0          76m
kubernetes-dashboard-auth-6785f9dff9-ntp4b              1/1     Running   0          76m
kubernetes-dashboard-kong-57d45c4f69-767g5              1/1     Running   0          76m
kubernetes-dashboard-metrics-scraper-57cf4c69b6-sd6dj   1/1     Running   0          76m
kubernetes-dashboard-web-7458b6d977-6k2vv               1/1     Running   0          76m

• Create a ServiceAccount with cluster-admin privileges

debian@k8s-control-plane:~$ cat kubernetes-dashboard-admin-user.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: [rbac.authorization.k8s.io/v1](http://rbac.authorization.k8s.io/v1)
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: [rbac.authorization.k8s.io](http://rbac.authorization.k8s.io/)
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kubernetes-dashboard
---
apiVersion: v1
kind: Secret
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
  annotations:
    [kubernetes.io/service-account.name](http://kubernetes.io/service-account.name): "admin-user"
type: [kubernetes.io/service-account-token](http://kubernetes.io/service-account-token)

debian@k8s-control-plane:~$ kubectl apply -f kubernetes-dashboard-admin-user.yaml
serviceaccount/admin-user created
[clusterrolebinding.rbac.authorization.k8s.io/admin-user](http://clusterrolebinding.rbac.authorization.k8s.io/admin-user) created
secret/admin-user created

• Create a port forwarding to the service kubernetes-dashboard-web: kubectl port-forward --namespace kubernetes-dashboard service/kubernetes-dashboard-web 8000:8000 --address="0.0.0.0" and connect to the login page using a web browser: http://192.168.61.50:8000/#/login
• Create a token following the instruction shown in the Login page:

debian@k8s-control-plane:~$ kubectl -n kubernetes-dashboard create token admin-user
eyJhbGciOiJSUzI1NiIsImtpZCI6InBTYVQtR2tkUjFxQWNMM3E3ZElDUUkwSVNub0d0a2xDUDRuVGY2bndKNjQifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzI1ODc0NTk2LCJpYXQiOjE3MjU4NzA5OTYsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwianRpIjoiZDliY2Q4NjktNmJmNC00MDg2LWE5MGYtMGVjYTAzYzQ2OWUyIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJhZG1pbi11c2VyIiwidWlkIjoiMTA1NTE1MTktODNhYy00M2ZlLWJiOTktZWYzNDBmYjlhNWUxIn19LCJuYmYiOjE3MjU4NzA5OTYsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlcm5ldGVzLWRhc2hib2FyZDphZG1pbi11c2VyIn0.IN8t8f4lSvJb8lmlmdJrcEXN8UTtbOVOfDfJLIjOLFewu6q_KCoYfRg8P49ghz87AvAWzjZNASMQE8QGzqtiU6Tu1ZwWqrUwDi23OWC4i_Lb-f7__A4S8v6ftnxEFgpKu-hW1vODAf_kehFb2fn_M166xyKLIjVQNMrNj-wOX9--WnMUJZ8ShvsL7t9EnLGeglZJd97AKkxieY2FwDWudujPDTo9hrlu1WjRxvc0yKZ4ta6xD9zMOg0ec3eFqRYHLL4I7LpfBXkU3Ky_90mgzKmx-k3Mj7mKjI_YjR8tOUGvQxYb_YkGSauV0-FC0KloSs2-fyZaZR0O-54EvTX76A

• Paste the token in the login page and click "Sign in"

Anything else we need to know?

No response

What browsers are you seeing the problem on?

Firefox

Kubernetes Dashboard version

7.5.0

Kubernetes version

1.31.0

Dev environment

No response

[floreks]

Ref: #9252

Solution: Do not expose UI via HTTP (only localhost works this way).

/close

[k8s-ci-robot]

@floreks: Closing this issue.

In response to this:

Ref: #9252

Solution: Do not expose UI via HTTP (only localhost works this way).

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[stefano-cherchi]

I eventually managed to login by using port forward to the service kubernetes-dashboard-kong-proxy instead of kubernetes-dashboard-web

 kubectl port-forward --namespace kubernetes-dashboard service/kubernetes-dashboard-kong-proxy 10443:443 --address="0.0.0.0"

Closing the issue without providing a working solution or pointing to the relevant documentation doesn't help.

The official documentation should also be updated since it provides the wrong url (it points to the old service kubernetes-dashboard that no longer exists in versions >=7).

For the records: the relevant documentation can be found here.

[floreks]

This is not the "official documentation". We do not have control over it. We can only be responsible for the documentation you can find in this repository.

Also, a configuration issue is not an issue on our side. This repository is for bugs and issues we can address directly by updating the repo, not for support requests.