This repository has been archived by the owner on Jul 22, 2019. It is now read-only.

Cannot connect to cluster installed via kubeadm init #78

Open
andrewrothman opened this issue Dec 4, 2017 · 9 comments

@andrewrothman

I'm having trouble connecting to my Kubernetes cluster via Cabin. It is running on a home lab Ubuntu 17.10 server, and it was brought up via the "kubeadm init" method. I'm trying to connect via the Cabin Android app from the Google Play Store (appears to be version 0.4.1).

I copied the default-token-xxxx from the Kubernetes Dashboard, and pasted it into Cabin's "Add Cluster" view. I set the cluster URL to "https://192.168.1.7:6443", which is what is in my kubectl config file, and verified that that URL is accessible in Chrome (although unauthenticated, because I didn't use the token). I installed the certificate that was also present in the "default-token-xxxx" Kubernetes secret.

After filling in the above information, Cabin immediately reports that my cluster is "down".

Any ideas?

Cabin looks like a really nice and well-made app. This is the kind of stuff Kubernetes needs. Thank you for your hard work!

@sebgoa
Contributor

sebgoa commented Jan 21, 2018

You are trying to access the cluster from your home network, correct?

@andrewrothman
Author

Correct.

@andrewrothman
Author

I also have a VPN server set up on the same machine as my cluster, 192.168.1.7, and it does not work for me with or without the VPN enabled. I am able to connect to other services on the same IP.

@dvdmuckle

Having the same issue as well, would like to know the solution.

@sebgoa
Contributor

sebgoa commented Feb 5, 2018

@javsalgar could you give us some feedback on this, since you know kubeadm so well?

@sebgoa
Contributor

sebgoa commented Feb 26, 2018

@javsalgar did you get any chance to test this?

@dvdmuckle

With the recent addition of Token auth, you can create a Service Account (with the cluster-admin clusterrole for all permissions), get the token for that, and auth that way. This works regardless of cluster creation, and works with my kubeadm spun-up RPI cluster.

@andrewrothman
Author

andrewrothman commented Mar 7, 2018

@dvdmuckle's solution worked perfectly for me.

To do this, I did the following:

```sh
kubectl create serviceaccount "cabin-access"
kubectl create clusterrolebinding "cabin-access" --clusterrole=cluster-admin --user "system:serviceaccount:default:cabin-access"
kubectl describe serviceaccount "cabin-access"
# the above command will display a token name... use that in the next step
kubectl describe secret "cabin-access-token-XXXXX"
```

I placed that token value into the Cabin login screen, and used https://192.168.1.x:6443 for my cluster URL (that was the default port for the API of my install, but it might be on 443 for others).

For more info, these links were a great read:

[Kubernetes Role-Based Authentication](https://kubernetes.io/docs/admin/authorization/rbac/)
[Kubernetes Service Account Tokens](https://kubernetes.io/docs/admin/authentication/#service-account-tokens)

Thanks so much!

@dvdmuckle

If you created an SA for the Tiller part of Helm with the cluster-admin role, you can use that token as well. I'd suggest not doing this for any production cluster, and instead creating a locked down SA specifically for Cabin, but for my little RPI cluster or something similar, it's fine.
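An audit for the bindings discussed in this thread, as an added example that is not part of the original discussion or the Cabin project: it lists every service account that holds cluster-admin, including bindings created with `--user "system:serviceaccount:..."`, which are stored as `User` subjects rather than `ServiceAccount` subjects. The sample data (including the Tiller namespace and the `dash-view` binding) and the function names are constructed for illustration.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`.
# The Tiller namespace and the "dash-view" binding are assumptions for illustration.
ADMIN = {"kind": "ClusterRole", "name": "cluster-admin"}
SAMPLE = {"items": [
    {"metadata": {"name": "cabin-access"}, "roleRef": ADMIN,
     "subjects": [{"kind": "User", "name": "system:serviceaccount:default:cabin-access"}]},
    {"metadata": {"name": "tiller"}, "roleRef": ADMIN,
     "subjects": [{"kind": "ServiceAccount", "name": "tiller", "namespace": "kube-system"}]},
    {"metadata": {"name": "cluster-admin"}, "roleRef": ADMIN,
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "dash-view"}, "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "dash", "namespace": "default"}]},
]}

def service_account_subjects(binding):
    """Yield (namespace, name) for each subject that resolves to a service account."""
    for subj in binding.get("subjects") or []:
        kind, name = subj.get("kind"), subj.get("name", "")
        if kind == "ServiceAccount":
            yield subj.get("namespace", ""), name
        elif kind == "User" and name.startswith("system:serviceaccount:"):
            # Username form, as created by --user "system:serviceaccount:<ns>:<name>"
            parts = name.split(":", 3)
            if len(parts) == 4:
                yield parts[2], parts[3]
        elif kind == "Group" and name == "system:serviceaccounts":
            yield "*", "*"  # every service account in the cluster
        elif kind == "Group" and name.startswith("system:serviceaccounts:"):
            yield name.split(":", 2)[2], "*"  # every service account in one namespace

def find_admin_service_accounts(doc, role="cluster-admin"):
    """Return sorted (binding, namespace, account) tuples bound to the given ClusterRole."""
    findings = []
    for binding in doc.get("items", []):
        ref = binding.get("roleRef", {})
        if ref.get("kind") == "ClusterRole" and ref.get("name") == role:
            for ns, name in service_account_subjects(binding):
                findings.append((binding["metadata"]["name"], ns, name))
    return sorted(findings)

if __name__ == "__main__":
    # Pipe real kubectl JSON on stdin, or run with no input to use the sample.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for binding, ns, name in find_admin_service_accounts(doc):
        print(f"{binding}: {ns}/{name} holds cluster-admin")
```

A token for any account this reports grants full control of the cluster, so each hit is a candidate for replacement with a narrower role.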
