
Cannot connect to cluster installed via `kubeadm init`

Open andrewrothman opened this issue 7 years ago • 9 comments

I'm having trouble connecting to my Kubernetes cluster via Cabin. It is running on a home lab Ubuntu 17.10 server, and it was brought up via the "kubeadm init" method. I'm trying to connect via the Cabin Android app from the Google Play Store (appears to be version 0.4.1).

I copied the default-token-xxxx from the Kubernetes Dashboard, and pasted it into Cabin's "Add Cluster" view. I set the cluster url to "https://192.168.1.7:6443", which is what is in my kubectl config file, and verified that that url is accessible in Chrome (although unauthenticated, because I didn't use the token). I installed the certificate that was also present in the "default-token-xxxx" Kubernetes secret.

After filling in the above information, Cabin immediately reports that my cluster is "down".

Any ideas?

Cabin looks like a really nice and well-made app. This is the kind of stuff Kubernetes needs. Thank you for your hard work!

andrewrothman, Dec 04 '17 00:12

You are trying to access the cluster from your home network, correct?

sebgoa, Jan 21 '18 18:01

Correct.

andrewrothman, Jan 22 '18 00:01

I also have a VPN server set up on the same machine as my cluster, 192.168.1.7, and it does not work for me with or without the VPN enabled. I am able to connect to other services on the same IP.

andrewrothman, Jan 22 '18 00:01

Having the same issue as well, would like to know the solution.

dvdmuckle, Jan 29 '18 01:01

@javsalgar could you give us some feedback on this, since you know kubeadm so well?

sebgoa, Feb 05 '18 17:02

@javsalgar did you get any chance to test this?

sebgoa, Feb 26 '18 13:02

With the recent addition of Token auth, you can create a Service Account (with the cluster-admin clusterrole for all permissions), get the token for that, and auth that way. This works regardless of cluster creation, and works with my kubeadm spun-up RPI cluster.

dvdmuckle, Mar 04 '18 00:03

@dvdmuckle's solution worked perfectly for me.

To do this, I did the following:

```
kubectl create serviceaccount "cabin-access"
kubectl create clusterrolebinding "cabin-access" --clusterrole=cluster-admin --user "system:serviceaccount:default:cabin-access"
kubectl describe serviceaccount "cabin-access"
# the above command will display a token name... use that in the next step
kubectl describe secret "cabin-access-token-XXXXX"
```

I placed that token value into the Cabin login screen, and used https://192.168.1.x:6443 for my cluster URL (that was the default port for the API of my install, but it might be on 443 for others).

For more info, these links were a great read:

- [Kubernetes Role-Based Authentication](https://kubernetes.io/docs/admin/authorization/rbac/)
- [Kubernetes Service Account Tokens](https://kubernetes.io/docs/admin/authentication/#service-account-tokens)

Thanks so much!

andrewrothman, Mar 07 '18 08:03

If you created an SA for the Tiller part of Helm with the cluster-admin role, you can use that token as well. I'd suggest not doing this for any production cluster, and instead creating a locked-down SA specifically for Cabin, but for my little RPI cluster or something similar, it's fine.

dvdmuckle, Mar 07 '18 19:03
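
A locked-down service account of the kind suggested in the last comment, shown next to the cluster-admin binding used earlier in the thread. This is an added example, not code from the thread or from the Cabin project; the name `cabin-readonly` and the list of readable resources are assumptions, not Cabin's documented requirements.

```shell
# Added example: emit a read-only RBAC manifest for a dedicated Cabin service account.
# The default name and the resource list below are assumptions; adjust them to what you view.
cabin_readonly_manifest() {
  sa_name="${1:-cabin-readonly}"   # hypothetical service account name
  sa_ns="${2:-default}"            # namespace that holds the service account
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa_name}
  namespace: ${sa_ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${sa_name}
rules:
  # Read-only verbs; secrets are deliberately left out of the resource list.
  - apiGroups: [""]
    resources: ["namespaces", "nodes", "pods", "pods/log", "services", "events"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${sa_name}
subjects:
  - kind: ServiceAccount
    name: ${sa_name}
    namespace: ${sa_ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${sa_name}
EOF
}

# Apply and verify (needs a cluster, so left as comments):
#   cabin_readonly_manifest | kubectl apply -f -
#   kubectl auth can-i list pods    --as=system:serviceaccount:default:cabin-readonly   # yes
#   kubectl auth can-i list secrets --as=system:serviceaccount:default:cabin-readonly   # no
```

With this token, any write action attempted from the app is denied by RBAC; add individual verbs to the ClusterRole only for the operations you actually need from a phone.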