Skip to main content
Solved

Kasten K10 Dashboard 403 Forbidden

T
  • TobiASS
  • Not a newbie anymore
  • 7 comments

Hello all,

I recently created a K3S cluster with Kasten K10. Upon exposing the Kasten k10 gateway for access to the dashboard i get a 403 access denied from the gateway service.

Gateway pod logs: https://gist.github.com/TobiasS1402/74495efa2dfd4537af29a8fedf2b83fc

Kubernetes version: k3s v1.23.6-rc1+k3s1

Cluster configuration: 4 node cluster w/ single master node

Installed features:

  • Metallb v0.12.1
  • ceph-rook v1.9.1
  • snapshot controllers v4.0.1
  • traefik v2.7.0
  • calico CNI v3.22

Command used to install kasten k10:

helm upgrade k10 kasten/k10 --namespace=kasten-io --reuse-values --set auth.tokenAuth.enabled=true --set externalGateway.create=true

Kubernetes pods:

kubectl get pods -n kasten-io
NAME                                  READY   STATUS    RESTARTS      AGE
frontend-svc-6bdf747d77-2fjjv         1/1     Running   0             73m
aggregatedapis-svc-6cb47678c4-wzqft   1/1     Running   0             73m
metering-svc-7864cdcf48-qq75w         1/1     Running   0             73m
gateway-8467b6cbf6-hlgbf              1/1     Running   0             73m
config-svc-6d96db8f67-jnh9v           1/1     Running   0             73m
prometheus-server-85d7f4fb97-628wp    2/2     Running   0             73m
auth-svc-76767f786c-zpxf5             1/1     Running   2 (72m ago)   73m
crypto-svc-757957cf5d-4mg9c           3/3     Running   0             73m
logging-svc-7d8dc59556-mf45n          1/1     Running   0             73m
dashboardbff-svc-5f6744dfb5-gftfw     1/1     Running   0             73m
jobs-svc-5b86677b7-zrz6v              1/1     Running   0             73m
catalog-svc-696b87f949-ngv49          2/2     Running   0             73m
kanister-svc-9598ccfd7-8qdqd          1/1     Running   0             73m
executor-svc-7c8b9fcc95-f885f         2/2     Running   0             73m
executor-svc-7c8b9fcc95-dt4v5         2/2     Running   0             73m
executor-svc-7c8b9fcc95-dwznw         2/2     Running   0             73m
state-svc-69f5858bf5-gkdxq            2/2     Running   0             73m
k10-grafana-ff8d875f4-hqpwq           1/1     Running   0             65m

 

Best answer by shuguet

Looking back at the logs @TobiASS provided, the 403 access denied he’s getting is because the request is denied by an external authorization service (that’s the UAEX “response flag” part after the 403 response code).

So you could also go back to using your externalGateway if you’d prefer that to an Ingress, and try a different auth mechanism, like basic (to check if that UAEX goes away).

I would still recommend deploying without either of those and simply trying a port-foward access first.

If that works, then work your way “up”, either with an externalGateway (changes Service gateway-svc to type LoadBalancer) or an Ingress (ingress.create=true and ingress.class=traefik).

If either (or both) do not work, then the “simple app” strategy (leaving K10 aside for a minute) should help assess if those components are working properly in your cluster.

View original
Did this topic help you find an answer to your question?

20 comments

Geoff Burke
Forum|alt.badge.img+22
  • Geoff Burke
  • Veeam Legend, Veeam Vanguard
  • 1318 comments
  • April 24, 2022

Hi,

 

Did you disable klipper when installing k3s? I know that I had issues since it or Traefik was using ports or something. It was a while back but after that I always disabled --disable servicelb and --disable traefik

I think you would also need to remover the traefik yaml file from the manifest folder as well so that it will not come back up after reboot.

 

Since they are already running you would need to stop the k3s.service then go into the /systemd/system/k3s.service and add to this line ExecStart=/usr/local/bin/k3s \

server --disable servicelb --disable traefik

 

Then to a systemctl deamon-reload and systemctl start k3s

See if that helps.

Again I don’t remember what my issue exactly was but do remember disabling those.

 

cheers

VMCA2024, VMCE2023, VMCE2024-SP,CKA, LFCS, PCA,TARS
Chris.Childerhose
1 person likes this
  • Chris.Childerhose
    Chris.Childerhose
shuguet
  • shuguet
  • Comes here often
  • 19 comments
  • April 25, 2022

Hello @TobiASS and thank you for testing/using K10!

The externalGateway group of parameters is mostly useful for AWS deployments (on EKS for example).

In the case of k3s, you don’t need that, as k3s should come out of the box with Traefik configured as an Ingress.

Ingress is Kubernetes’s term for what the rest of the world calls an application load balancer or a reverse proxy.

in your case, try removing that —set externalGateway.create=true and replace it with --set ingress.create=true --set ingress.class=traefik

You may need additonal parameters, it will depends on how you setup your k3s clusters and Traefik deployment, but it should get you started.

Best regards,

Sylvain Huguet
Chris.Childerhose
Geoff Burke
2 people like this
  • Chris.Childerhose
    Chris.Childerhose
  • Geoff Burke
    Geoff Burke
Geoff Burke
Forum|alt.badge.img+22
  • Geoff Burke
  • Veeam Legend, Veeam Vanguard
  • 1318 comments
  • April 25, 2022
shuguet wrote:

Hello @TobiASS and thank you for testing/using K10!

The externalGateway group of parameters is mostly useful for AWS deployments (on EKS for example).

In the case of k3s, you don’t need that, as k3s should come out of the box with Traefik configured as an Ingress.

Ingress is Kubernetes’s term for what the rest of the world calls an application load balancer or a reverse proxy.

in your case, try removing that —set externalGateway.create=true and replace it with --set ingress.create=true --set ingress.class=traefik

You may need additonal parameters, it will depends on how you setup your k3s clusters and Traefik deployment, but it should get you started.

Best regards,

Thanks shuguet

I too will go back and try this again now :) 

 

cheers

VMCA2024, VMCE2023, VMCE2024-SP,CKA, LFCS, PCA,TARS
Chris.Childerhose
1 person likes this
  • Chris.Childerhose
    Chris.Childerhose
T
  • TobiASS
  • Author
  • Not a newbie anymore
  • 7 comments
  • April 25, 2022

Hello @Geoff Burke and @shuguet, thank you for responding to my question. I am running K3S with the traefik and servicelb disabled, and i install Metallb and Traefik myself. Furthermore i re-created the cluster and installed K3S with:

helm install --name=k10 --namespace=kasten-io kasten/k10 --set auth.tokenAuth.enabled=true --set ingress.create=true --set ingress.class=traefik

And now the gateway pod won't even start… so i dont know what is happening

Events:
  Type     Reason     Age                    From               Message
  ----     ------     ----                   ----               -------
  Normal   Scheduled  5m17s                  default-scheduler  Successfully assigned kasten-io/gateway-8467b6cbf6-d49gd to helios
  Normal   Pulling    5m14s                  kubelet            Pulling image "docker.io/emissaryingress/emissary:2.2.2"
  Normal   Pulled     4m28s                  kubelet            Successfully pulled image "docker.io/emissaryingress/emissary:2.2.2" in 45.862592506s
  Normal   Killing    3m45s                  kubelet            Container ambassador failed liveness probe, will be restarted
  Warning  Unhealthy  3m42s                  kubelet            Readiness probe failed: Get "http://10.32.175.224:8877/ambassador/v0/check_ready": dial tcp 10.32.175.224:8877: connect: connection refused
  Normal   Pulled     3m41s                  kubelet            Container image "docker.io/emissaryingress/emissary:2.2.2" already present on machine
  Normal   Created    3m40s (x2 over 4m28s)  kubelet            Created container ambassador
  Normal   Started    3m40s (x2 over 4m28s)  kubelet            Started container ambassador
  Warning  Unhealthy  3m (x5 over 3m51s)     kubelet            Liveness probe failed: HTTP probe failed with statuscode: 503
  Warning  Unhealthy  9s (x31 over 3m57s)    kubelet            Readiness probe failed: HTTP probe failed with statuscode: 503

 

Chris.Childerhose
Geoff Burke
2 people like this
  • Chris.Childerhose
    Chris.Childerhose
  • Geoff Burke
    Geoff Burke
shuguet
  • shuguet
  • Comes here often
  • 19 comments
  • April 25, 2022

Looks to me that there’s something going on with your cluster’s network and/or Ingress controller.

Could you do a sanity check with a simple application, like a simple web server, exposed as a service, with an Ingress in front?

K10 doesn’t do much more than that when configured for an Ingress.

If it doesn’t work, then you could start by removing the ingress config too, and just accessing the dashboard through the kubectl proxy to make sure that part works and isolate if the issue comes from K10 or your cluster config.

Sylvain Huguet
Chris.Childerhose
Geoff Burke
2 people like this
  • Chris.Childerhose
    Chris.Childerhose
  • Geoff Burke
    Geoff Burke
Geoff Burke
Forum|alt.badge.img+22
  • Geoff Burke
  • Veeam Legend, Veeam Vanguard
  • 1318 comments
  • April 25, 2022

In my case I just used Metallb and had the gateway to true 

--set externalGateway.create=true

 

That way the svc is created as a LoadBalancer type service and is allocated an IP by Mettalb. However, that is when you just skip using ingress all together so not always and option.

 

cheers

VMCA2024, VMCE2023, VMCE2024-SP,CKA, LFCS, PCA,TARS
Chris.Childerhose
1 person likes this
  • Chris.Childerhose
    Chris.Childerhose
shuguet
  • shuguet
  • Comes here often
  • 19 comments
  • Answer
  • April 25, 2022

Looking back at the logs @TobiASS provided, the 403 access denied he’s getting is because the request is denied by an external authorization service (that’s the UAEX “response flag” part after the 403 response code).

So you could also go back to using your externalGateway if you’d prefer that to an Ingress, and try a different auth mechanism, like basic (to check if that UAEX goes away).

I would still recommend deploying without either of those and simply trying a port-foward access first.

If that works, then work your way “up”, either with an externalGateway (changes Service gateway-svc to type LoadBalancer) or an Ingress (ingress.create=true and ingress.class=traefik).

If either (or both) do not work, then the “simple app” strategy (leaving K10 aside for a minute) should help assess if those components are working properly in your cluster.

Sylvain Huguet
Chris.Childerhose
Geoff Burke
2 people like this
  • Chris.Childerhose
    Chris.Childerhose
  • Geoff Burke
    Geoff Burke
T
  • TobiASS
  • Author
  • Not a newbie anymore
  • 7 comments
  • April 25, 2022

Hello All,

So after my last post with re-creating the cluster I don't know what I did but I am not able to get the gateway pod to run again. (also using a default K10 deployment like this: “helm install k10 kasten/k10 --namespace=kasten-io”). Looking at the logs i provided earlier the errors are the same, it boils down to the following it seems like:

time="2022-04-25 15:12:14.1868" level=error msg="Post \"http://localhost:8004/_internal/v0/watt?url=http%3A%2F%2Flocalhost%3A9696%2Fsnapshot\": dial tcp [::1]:8004: connect: connection refused" func=github.com/datawire/ambassador/v2/cmd/entrypoint.notifyWebhookUrl file="/go/cmd/entrypoint/notify.go:124"

I think the key element is this error is the following:

dial tcp [::1]:8004: connect: connection refused

It tries to connect to the localhost w/ ipv6 and when i exec into the pod i get the same result, though the localhost over ipv4 is reachable.

 

shuguet
  • shuguet
  • Comes here often
  • 19 comments
  • April 25, 2022

Can you try disabling ipv6 on that system?

might be something that k3s does, some kind of preference to ipv6 if available or something.

Sylvain Huguet
T
  • TobiASS
  • Author
  • Not a newbie anymore
  • 7 comments
  • April 25, 2022
shuguet wrote:

Can you try disabling ipv6 on that system?

might be something that k3s does, some kind of preference to ipv6 if available or something.

Hi @shuguet I have both completely disabled ipv6 and i have also changed my Kubernetes dual-stack install to just ipv4. Sadly yields the same result.

T
  • TobiASS
  • Author
  • Not a newbie anymore
  • 7 comments
  • April 25, 2022

 

shuguet
  • shuguet
  • Comes here often
  • 19 comments
  • April 26, 2022

There are still inet6 link-local addresses in your screenshot, that’s evidence that ipv6 isn’t fully disabled on the system.

Contrary to ipv4, ipv6 link local are valid routing addresses, therefor you’d have to disable ipv6 in your host kernel I guess.

May I ask what you’re trying to achieve with that system/environment? Why disable servicelb and traefik from k3s for example?

my own k3s environment with out of the box config works flawlessly, just trying to understand the motivation behind getting away from the safe/sane defaults k3s ships with.

Sylvain Huguet
T
  • TobiASS
  • Author
  • Not a newbie anymore
  • 7 comments
  • May 1, 2022

Hello, I am back. I figured out what was going wrong, kind off. I am back at my starting situation. Turns out removing pre-installed coredns and reïnstalling it wrong does all kinds of funky stuff to your cluster.

I am running K10 and installed it with the helm command like this:

helm install --name=k10 --namespace=kasten-io kasten/k10

Then i port-forward it on the node it is active on like this: 

kubectl --namespace kasten-io port-forward --address 0.0.0.0 service/gateway 8080:8000
Forwarding from 0.0.0.0:8080 -> 8000
Handling connection for 8080
Handling connection for 8080

And even in this configuration, it still gives me the original 403 error :(

E
Forum|alt.badge.img+1
  • EBrockman
  • Comes here often
  • 89 comments
  • May 2, 2022

Hello TobiASS,

 

Have you tried other means to access K10 dashboard other than Port Forward?

 

Thanks

Emmanuel

T
  • TobiASS
  • Author
  • Not a newbie anymore
  • 7 comments
  • May 2, 2022

@EBrockman Sadly i have the same issue with the external gateway and with ingress via Metallb.

--set externalGateway.create=true--set ingress.create=true
E
Forum|alt.badge.img+1
  • EBrockman
  • Comes here often
  • 89 comments
  • May 2, 2022

Hello TobiAss,

 

Have you tried NodePort?

 

Thanks

Emmanuel

shuguet
  • shuguet
  • Comes here often
  • 19 comments
  • May 2, 2022

@TobiASS quick thought: When you are using the port-forward, are you using the `/k10/` path in your url?
So ​​​http://localhost:8080/k10/ ? We do not redirect automatically from / to /k10/ you need to specify the full path including both slashes, otherwise it will not work.

You can customize that path in the helm chart, but that’s not the point here.

Sylvain Huguet
E
1 person likes this
  • E
    EBrockman
T
  • TobiASS
  • Author
  • Not a newbie anymore
  • 7 comments
  • May 2, 2022

@shuguet and @EBrockman yes i am accessing it via http://exposedserviceip:8080/k10 or http://ingress:8080/k10/#, etc.

Furthermore, I tried exposing the application via the NodePort but this also results in 403. Logs attached:

ACCESS [2022-05-02T16:54:58.418Z] "GET /k10/ HTTP/1.1" 403 UAEX 0 0 3002 - "192.168.0.112" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0" "63a4b3ae-e176-4d63-be0d-7ab6ee106514" "192.168.0.200" "-"
ACCESS [2022-05-02T16:55:01.756Z] "GET /favicon.ico HTTP/1.1" 404 NR 0 0 0 - "192.168.0.112" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0" "0e480976-eb15-466e-99cf-d5b184088a87" "192.168.0.200" "-"
ACCESS [2022-05-02T16:55:36.123Z] "GET / HTTP/1.1" 404 NR 0 0 0 - "192.168.0.111" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0" "abc40d2c-e16f-4304-a1d9-29d2dc5c28d8" "helios:30488" "-"
ACCESS [2022-05-02T16:55:36.221Z] "GET /favicon.ico HTTP/1.1" 404 NR 0 0 0 - "192.168.0.111" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0" "05448aab-70e3-4c03-a2df-abf27324d96f" "helios:30488" "-"
ACCESS [2022-05-02T16:55:39.933Z] "GET /k10/ HTTP/1.1" 403 UAEX 0 0 3001 - "192.168.0.111" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0" "e0f7c9ed-eb48-43d9-a2a7-3b103aa37844" "helios:30488" "-"

 

O
  • omlomlopml
  • Not a newbie anymore
  • 3 comments
  • November 1, 2022

Hi 

I have the same issue, any update on this?

O
  • omlomlopml
  • Not a newbie anymore
  • 3 comments
  • November 1, 2022

 

is there a way to access the dashboard without the gateway?

Comment


Terms & Conditions