
Kubernetes - unable to login to Dashboard

Submitted by: @import:stackexchange-devops

Problem

I have installed Kubernetes using AWS Minikube scripts - https://github.com/scholzj/aws-minikube

After installation I am trying to run

kubectl proxy


But I am getting this


https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\"
cannot get services/proxy in the namespace \"kube-system\"

I am not even able to list pods because I do not have valid tokens with system.master role. I have no idea how I can create a user or token and authenticate when there is no admin user present on the system yet.

Can you please explain to me?

Solution

How we can extract the certificates from the kubeconfig file:

  • Locate your kubeconfig or config file which you use to run kubectl commands. If you have used my Vagrant file above, you can find it on /etc/kubernetes/admin.conf



  • You need to export a single file (.p12) with the following two certificates: the client-certificate-data, and the client-key-data. My example runs the command on /home/vagrant. If you run this command on macOS, be sure to change the base64 -d to base64 -D

$ grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.crt

$ grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.key

$ openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12


  • Import the kubecfg.p12 certificate, reopen your browser, and visit the Kubernetes Dashboard URL. Accept any warning and you should see the authentication page. You can skip the login and check you are not able to perform any task.

  • The following steps have been copied from the Kubernetes Dashboard wiki page (Creating-sample-user)

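1- Create service account

        cat <<EOF | kubectl create -f -
        apiVersion: v1
        kind: ServiceAccount
        metadata:
          name: admin-user
          namespace: kube-system
        EOF

2- Create ClusterRoleBinding

        cat <<EOF | kubectl create -f -
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        metadata:
          name: admin-user
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: ClusterRole
          name: cluster-admin
        subjects:
        - kind: ServiceAccount
          name: admin-user
          namespace: kube-system
        EOF

3- Get the Bearer Token. Once you run the following command, copy the token value which you will use on the following step.

        $ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')

4- Come back to your browser and choose token on the login page. You will need to paste the token value you have copied on the previous step.

5- Click “SIGN IN” and you should be able to see your Kubernetes Dashboard fully operational.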

Code Snippets

$ grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.crt


$ grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.key


$ openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12

1- Create service account

        cat <<EOF | kubectl create -f -
        apiVersion: v1
        kind: ServiceAccount
        metadata:
          name: admin-user
          namespace: kube-system
        EOF

2- Create ClusterRoleBinding

        cat <<EOF | kubectl create -f -
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        metadata:
          name: admin-user
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: ClusterRole
          name: cluster-admin
        subjects:
        - kind: ServiceAccount
          name: admin-user
          namespace: kube-system
        EOF

3- Get the Bearer Token. Once you run the following command, copy the token value which you will use on the following step.

        $ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')

Context

StackExchange DevOps Q#5087, answer score: 2
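
Because the admin-user token from step 3 carries cluster-admin rights, it is worth checking afterwards which subjects hold that role. The following is an added example, not part of the original answer or the Dashboard wiki; it scans the output of `kubectl get clusterrolebindings -o json` for cluster-admin subjects. The JSON sample, the binding names other than admin-user, and the severity labels are constructed for illustration.

```python
import json

# Constructed sample of `kubectl get clusterrolebindings -o json` output (not from
# a real cluster). "admin-user" mirrors the binding created in the steps above.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "admin-user"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "admin-user",
                "namespace": "kube-system"}]},
 {"metadata": {"name": "cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]},
 {"metadata": {"name": "anon-debug"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "system:anonymous"}]},
 {"metadata": {"name": "viewer"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "default"}]},
 {"metadata": {"name": "no-subjects"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}, "subjects": null}
]}
""")

# Built-in identities the API server assigns to requests without credentials.
UNAUTHENTICATED = {"system:anonymous", "system:unauthenticated"}

def audit_cluster_admin(bindings):
    """Return sorted (severity, binding, subject) for every cluster-admin subject."""
    findings = []
    for item in bindings.get("items", []):
        if item.get("roleRef", {}).get("name") != "cluster-admin":
            continue
        for subj in item.get("subjects") or []:  # "subjects" may be null or absent
            kind, name = subj.get("kind"), subj.get("name")
            if name in UNAUTHENTICATED:
                severity = "critical"  # anyone who can reach the API is admin
            elif kind == "ServiceAccount":
                severity = "review"    # its token is a bearer credential for full control
                name = f"{subj.get('namespace')}/{name}"
            else:
                severity = "info"      # e.g. the default system:masters group
            findings.append((severity, item["metadata"]["name"], name))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_cluster_admin(SAMPLE):
        print(*finding)
```

On a live cluster, pass the parsed output of `kubectl get clusterrolebindings -o json` to `audit_cluster_admin` instead of `SAMPLE`.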
