dashboard https Unauthorized

[chowyu08]

Dashboard version: 1.1
Kubernetes version: 1.3.6
Operating system: ubuntu14.04
Go version:1.6.2
Ideploy kubernetes and dashboard as http://kubernetes.io/docs/getting-started-guides/ubuntu/

I can access the dashboard http://master-ip:8080/
bur when I access https://master-ip:6443/ ,return "Unauthorized"
why?

[workhardcc]

I have the same issue. And I think author maybe haven't consider it yet.
kubernetes/dashboard#1116

[floreks]

I'm guessing that your clusters are using certificates for secure communication over HTTPS. There are 2 issues here.

1. Browser doesn't recognize root CA so it can't trust that connection is safe. We can bypass that and still use it. This part is not a blocker. :)
   
2. API Server needs client certificate/token/user and pass (depends on configuration) to authorize client otherwise it will return Unauthorized.

It's easy to authorize with curl because you can easily provide required data.
curl https://<MASTER_IP>/version --cacert ca.crt --cert admin.crt --key admin.key
curl https://<MASTER_IP>/version --header "Authorization: Bearer $TOKEN" `

With browser it's more complicated than that. There are several ways to access dashboard:

1. You can expose it through service using NodePort and access it with <MASTER_IP>:<NODE_PORT>. (Not Safe)
2. Import certificates into your browser.
3. Use kubectl proxy and go to http://127.0.0.1:8001/ (bind address can be changed). It will handle SSL tunneling if your kubeconfig file is configured to use secure connection.

Regarding second option. I can provide some information how to do that using firefox.

1. Import generated CA certificate into the browser.
   
2. Import user certificate to Your Certificates. If you have 2 separate certificates crt and key it's best to merge them into PFX/PKCS#12 certificate because it's easy to import it directly into the browser certificate store. You can use this page or do it manually using openssl.
   

If certificates are generated correctly then popup will be displayed on next attempt to access api server over HTTPS. You may need to clear browser cache.

You should see the dashboard now. :)

I don't know how to use bearer token in browser. Possibly it requires some manual work to add data to HTTP header before sending request to api server.

There are of course other options to authorize user. Kubernetes supports ABAC, RBAC and much more.

[liggitt]

The browser is required to authenticate when accessing the secured API server port. As #31665 (comment) demonstrates, that can be done with certificate-based authentication.

For token-based authentication, browsers do not give you a way to send bearer tokens automatically with your requests.

The dashboard describes how you can use kubectl proxy which adds in your authentication credentials, and lets you access the dashboard locally through the proxy - https://github.com/kubernetes/dashboard#usage