dashboard CrashLoopBackOff: secrets is forbidden: User "system:serviceaccount:kube-system:default" cannot create resource #3493

Closed
ousiax opened this issue Dec 27, 2018 · 12 comments
Labels
co/dashboard dashboard related issues ev/CrashLoopBackOff Crash Loop Backoff events kind/bug Categorizes issue or PR as related to a bug. triage/obsolete Bugs that no longer occur in the latest stable release

Comments


ousiax commented Dec 27, 2018

BUG REPORT :

Environment:

minikube version: v0.32.0

OS:
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

VM driver:
    "DriverName": "virtualbox",

ISO version
        "Boot2DockerURL": "file:///home/x/.minikube/cache/iso/minikube-v0.32.0.iso",
$ kubectl version 
Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.1", GitCommit:"eec55b9ba98609a46fee712359c7b5b365bdd920", GitTreeState:"clean", BuildDate:"2018-12-13T10:39:04Z", GoVersion:"go1.11.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.4", GitCommit:"f49fa022dbe63faafd0da106ef7e05a29721d3f1", GitTreeState:"clean", BuildDate:"2018-12-14T06:59:37Z", GoVersion:"go1.10.4", Compiler:"gc", Platform:"linux/amd64"}

What happened:

$ kubectl -n kube-system get po kubernetes-dashboard-5bff5f8fb8-j242f 
NAME                                    READY   STATUS             RESTARTS   AGE
kubernetes-dashboard-5bff5f8fb8-j242f   0/1     CrashLoopBackOff   12         37m
$ kubectl -n kube-system describe po kubernetes-dashboard-5bff5f8fb8-j242f 
Name:               kubernetes-dashboard-5bff5f8fb8-j242f
Namespace:          kube-system
Priority:           0
PriorityClassName:  <none>
Node:               minikube/10.0.2.15
Start Time:         Thu, 27 Dec 2018 11:58:02 +0800
Labels:             addonmanager.kubernetes.io/mode=Reconcile
                    app=kubernetes-dashboard
                    pod-template-hash=5bff5f8fb8
                    version=v1.10.1
Annotations:        <none>
Status:             Running
IP:                 172.17.0.2
Controlled By:      ReplicaSet/kubernetes-dashboard-5bff5f8fb8
Containers:
  kubernetes-dashboard:
    Container ID:   docker://bf24d322a72431fa758137c88b069ca23c38e8f5aabaf5352ad44754c8e4550a
    Image:          k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
    Image ID:       docker://sha256:f9aed6605b814b69e92dece6a50ed1e4e730144eb1cc971389dde9cb3820d124
    Port:           9090/TCP
    Host Port:      0/TCP
    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Error
      Exit Code:    2
      Started:      Thu, 27 Dec 2018 12:34:57 +0800
      Finished:     Thu, 27 Dec 2018 12:34:57 +0800
    Ready:          False
    Restart Count:  12
    Liveness:       http-get http://:9090/ delay=30s timeout=30s period=10s #success=1 #failure=3
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-r5ljn (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
Volumes:
  default-token-r5ljn:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-r5ljn
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type     Reason     Age                    From               Message
  ----     ------     ----                   ----               -------
  Normal   Scheduled  38m                    default-scheduler  Successfully assigned kube-system/kubernetes-dashboard-5bff5f8fb8-j242f to minikube
  Normal   Pulled     36m (x5 over 38m)      kubelet, minikube  Container image "k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1" already present on machine
  Normal   Created    36m (x5 over 38m)      kubelet, minikube  Created container
  Normal   Started    36m (x5 over 38m)      kubelet, minikube  Started container
  Warning  BackOff    2m55s (x172 over 38m)  kubelet, minikube  Back-off restarting failed container
$ kubectl -n kube-system logs kubernetes-dashboard-5bff5f8fb8-j242f 
2018/12/27 04:34:57 Using in-cluster config to connect to apiserver
2018/12/27 04:34:57 Using service account token for csrf signing
2018/12/27 04:34:57 Starting overwatch
2018/12/27 04:34:57 Successful initial request to the apiserver, version: v1.12.4
2018/12/27 04:34:57 Generating JWE encryption key
2018/12/27 04:34:57 New synchronizer has been registered: kubernetes-dashboard-key-holder-kube-system. Starting
2018/12/27 04:34:57 Starting secret synchronizer for kubernetes-dashboard-key-holder in namespace kube-system
2018/12/27 04:34:57 Synchronizer kubernetes-dashboard-key-holder-kube-system exited with error: unexpected object: &Secret{ObjectMeta:k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta{Name:,GenerateName:,Namespace:,SelfLink:,UID:,ResourceVersion:,Generation:0,CreationTimestamp:0001-01-01 00:00:00 +0000 UTC,DeletionTimestamp:<nil>,DeletionGracePeriodSeconds:nil,Labels:map[string]string{},Annotations:map[string]string{},OwnerReferences:[],Finalizers:[],ClusterName:,Initializers:nil,},Data:map[string][]byte{},Type:,StringData:map[string]string{},}
2018/12/27 04:34:57 Storing encryption key in a secret
panic: secrets is forbidden: User "system:serviceaccount:kube-system:default" cannot create resource "secrets" in API group "" in the namespace "kube-system"

goroutine 1 [running]:
github.com/kubernetes/dashboard/src/app/backend/auth/jwe.(*rsaKeyHolder).init(0xc4201065e0)
	/home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/auth/jwe/keyholder.go:131 +0x35e
github.com/kubernetes/dashboard/src/app/backend/auth/jwe.NewRSAKeyHolder(0x1367500, 0xc42026a000, 0xc42026a000, 0x1213a6e)
	/home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/auth/jwe/keyholder.go:170 +0x64
main.initAuthManager(0x13663e0, 0xc42026bb60, 0xc4204bfcd8, 0x1)
	/home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/dashboard.go:185 +0x12c
main.main()
	/home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/dashboard.go:103 +0x26b
@TheKangaroo

I run into this issue too. I can confirm that this is a permission issue with the default service account in the kube-system namespace.
Running

kubectl create role access-secrets --verb=get,list,watch,update,create --resource=secrets
kubectl create rolebinding --role=access-secrets default-to-secrets --serviceaccount=kube-system:default

fixes this issue but I think we shouldn't extend the permissions of the default service account and use a dashboard service account instead.
Any thoughts?

@tstromberg
Contributor

Do you mind checking if minikube v0.33 suffers this same behavior? The dashboard implementation has been changed around a bit.

Using a specific dashboard service account sounds like a good way to go. PR's welcome!

@tstromberg tstromberg added the co/dashboard dashboard related issues label Jan 19, 2019
@tstromberg tstromberg changed the title kubernetes-dashboard CrashLoopBackOff dashboard CrashLoopBackOff: secrets is forbidden: User "system:serviceaccount:kube-system:default" cannot create resource Jan 19, 2019
@tstromberg tstromberg added ev/CrashLoopBackOff Crash Loop Backoff events kind/bug Categorizes issue or PR as related to a bug. labels Jan 19, 2019
@tstromberg tstromberg added the triage/obsolete Bugs that no longer occur in the latest stable release label Jan 24, 2019

p4ali commented Mar 9, 2019

This comes back in minikube version: v0.35.0.


panhow commented Jul 9, 2019

I met this problem on minikube version: v1.2.0

$ kubectl -n kube-system logs -p kubernetes-dashboard-7b8ddcb5d6-s8d5r
2019/07/09 07:40:17 Starting overwatch
2019/07/09 07:40:17 Using in-cluster config to connect to apiserver
2019/07/09 07:40:17 Using service account token for csrf signing
2019/07/09 07:40:17 Successful initial request to the apiserver, version: v1.15.0
2019/07/09 07:40:17 Generating JWE encryption key
2019/07/09 07:40:17 New synchronizer has been registered: kubernetes-dashboard-key-holder-kube-system. Starting
2019/07/09 07:40:17 Starting secret synchronizer for kubernetes-dashboard-key-holder in namespace kube-system
2019/07/09 07:40:17 Synchronizer kubernetes-dashboard-key-holder-kube-system exited with error: unexpected object: &Secret{ObjectMeta:k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta{Name:,GenerateName:,Namespace:,SelfLink:,UID:,ResourceVersion:,Generation:0,CreationTimestamp:0001-01-01 00:00:00 +0000 UTC,DeletionTimestamp:<nil>,DeletionGracePeriodSeconds:nil,Labels:map[string]string{},Annotations:map[string]string{},OwnerReferences:[],Finalizers:[],ClusterName:,Initializers:nil,},Data:map[string][]byte{},Type:,StringData:map[string]string{},}
2019/07/09 07:40:18 Storing encryption key in a secret
panic: secrets is forbidden: User "system:serviceaccount:kube-system:default" cannot create resource "secrets" in API group "" in the namespace "kube-system"

goroutine 1 [running]:
github.com/kubernetes/dashboard/src/app/backend/auth/jwe.(*rsaKeyHolder).init(0xc420106300)
	/home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/auth/jwe/keyholder.go:131 +0x35e
github.com/kubernetes/dashboard/src/app/backend/auth/jwe.NewRSAKeyHolder(0x1367500, 0xc420082180, 0xc420082180, 0x1213a6e)
	/home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/auth/jwe/keyholder.go:170 +0x64
main.initAuthManager(0x13663e0, 0xc420408180, 0xc4204ebcd8, 0x1)
	/home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/dashboard.go:185 +0x12c
main.main()
	/home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/dashboard.go:103 +0x26b


yuanzac commented Jul 9, 2019

@panhow I just had the same situation as you. Can anyone help to take a look~

@unlikezy

> I run into this issue too. I can confirm that this is a permission issue with the default service account in the kube-system namespace.
> Running
>
> kubectl create role access-secrets --verb=get,list,watch,update,create --resource=secrets
> kubectl create rolebinding --role=access-secrets default-to-secrets --serviceaccount=kube-system:default
>
> fixes this issue but I think we shouldn't extend the permissions of the default service account and use a dashboard service account instead.
> Any thoughts?

I still met the same problem on mac.
The above solution does not work for my situation:

$minikube version
minikube version: v1.1.1
$minikube addons list
- addon-manager: enabled
- dashboard: enabled
- default-storageclass: enabled
- efk: disabled
- freshpod: disabled
- gvisor: disabled
- heapster: disabled
- ingress: disabled
- logviewer: disabled
- metrics-server: disabled
- nvidia-driver-installer: disabled
- nvidia-gpu-device-plugin: disabled
- registry: disabled
- registry-creds: disabled
- storage-provisioner: enabled
- storage-provisioner-gluster: disabled
$kubectl create role access-secrets --verb=get,list,watch,update,create --resource=secrets
role.rbac.authorization.k8s.io/access-secrets created
$kubectl create rolebinding --role=access-secrets default-to-secrets --serviceaccount=kube-system:default
rolebinding.rbac.authorization.k8s.io/default-to-secrets created
$minikube logs
==> kernel <==
 11:00:41 up 1 day,  2:02,  1 user,  load average: 0.76, 0.36, 0.24
Linux minikube 4.15.0 #1 SMP Thu Jun 6 15:07:18 PDT 2019 x86_64 GNU/Linux

==> kube-addon-manager <==
INFO: == Reconciling with addon-manager label ==
error: no objects passed to apply
deployment.apps/kubernetes-dashboard unchanged
error: no objects passed to apply
service/error: no objects passed to apply
kubernetes-dashboarerror: no objects passed to apply
d unchanged
error: no objects passed to apply
serviceaccount/storage-provisioner unchanged
INFO: == Kubernetes addon reconcile completed at 2019-07-17T10:55:00+00:00 ==
INFO: Leader is minikube
INFO: == Kubernetes addon ensure completed at 2019-07-17T10:55:59+00:00 ==
INFO: == Reconciling with deprecated label ==
INFO: == Reconciling with addon-manager label ==
deployment.apps/kubernetes-dashboard unchanged
service/kubernetes-dashboard unchanged
serviceaccount/storage-provisioner unchanged
INFO: == Kubernetes addon reconcile completed at 2019-07-17T10:56:01+00:00 ==
INFO: Leader is minikube
INFO: == Kubernetes addon ensure completed at 2019-07-17T10:56:59+00:00 ==
INFO: == Reconciling with deprecated label ==
INFO: == Reconciling with addon-manager label ==
deployment.apps/kubernetes-dashboard unchanged
service/kubernetes-dashboard unchanged
serviceaccount/storage-provisioner unchanged
INFO: == Kubernetes addon reconcile completed at 2019-07-17T10:57:00+00:00 ==
INFO: Leader is minikube
INFO: == Kubernetes addon ensure completed at 2019-07-17T10:58:00+00:00 ==
INFO: == Reconciling with deprecated label ==
INFO: == Reconciling with addon-manager label ==
deployment.apps/kubernetes-dashboard unchanged
service/kubernetes-dashboard unchanged
serviceaccount/storage-provisioner unchanged
INFO: == Kubernetes addon reconcile completed at 2019-07-17T10:58:01+00:00 ==
INFO: Leader is minikube
INFO: == Kubernetes addon ensure completed at 2019-07-17T10:58:59+00:00 ==
INFO: == Reconciling with deprecated label ==
INFO: == Reconciling with addon-manager label ==
deployment.apps/kubernetes-dashboard unchanged
service/kubernetes-dashboard unchanged
serviceaccount/storage-provisioner unchanged
INFO: == Kubernetes addon reconcile completed at 2019-07-17T10:59:01+00:00 ==
INFO: Leader is minikube
INFO: == Kubernetes addon ensure completed at 2019-07-17T10:59:59+00:00 ==
INFO: == Reconciling with deprecated label ==
INFO: == Reconciling with addon-manager label ==
deployment.apps/kubernetes-dashboard unchanged
service/kubernetes-dashboard unchanged
serviceaccount/storage-provisioner unchanged
INFO: == Kubernetes addon reconcile completed at 2019-07-17T11:00:00+00:00 ==

==> kubelet <==
-- Logs begin at Tue 2019-07-16 08:58:29 UTC, end at Wed 2019-07-17 11:00:41 UTC. --
....
Jul 17 11:00:20 minikube kubelet[2974]: E0717 11:00:20.149210    2974 pod_workers.go:190] Error syncing pod ab5f132b-a7a1-11e9-8d70-0800277190c9 ("kubernetes-dashboard-d7c9687c7-4m27p_kube-system(ab5f132b-a7a1-11e9-8d70-0800277190c9)"), skipping: failed to "StartContainer" for "kubernetes-dashboard" with CrashLoopBackOff: "Back-off 5m0s restarting failed container=kubernetes-dashboard pod=kubernetes-dashboard-d7c9687c7-4m27p_kube-system(ab5f132b-a7a1-11e9-8d70-0800277190c9)"
Jul 17 11:00:33 minikube kubelet[2974]: E0717 11:00:33.148727    2974 pod_workers.go:190] Error syncing pod ab5f132b-a7a1-11e9-8d70-0800277190c9 ("kubernetes-dashboard-d7c9687c7-4m27p_kube-system(ab5f132b-a7a1-11e9-8d70-0800277190c9)"), skipping: failed to "StartContainer" for "kubernetes-dashboard" with CrashLoopBackOff: "Back-off 5m0s restarting failed container=kubernetes-dashboard pod=kubernetes-dashboard-d7c9687c7-4m27p_kube-system(ab5f132b-a7a1-11e9-8d70-0800277190c9)"

==> kubernetes-dashboard <==
2019/07/17 10:56:16 Starting overwatch
2019/07/17 10:56:16 Using in-clusterpanic: secrets is forbidden: User "system:serviceaccount:kube-system:default" cannot create resource "secrets" in API group "" in the namespace "kube-system"
 config to connect to apiserv
ger
oroutine 1 [running]:
2019/07/1github.com/kubernetes/dash7 10:56:16 Usboard/src/apping service account token for csrf sign/backend/authi/njgw
e.(*rsaKeyHolder).init(0xc42019/07/17 10:56:16 Successful initial request to the apiserver,20104320)
 version: v1.14.3
	/home/travis/2019/07/17 10build/kuberne:56:16 Generating JWE encrtes/dashboardyption key
/.tmp/backend/src/github.com/kuber2019/07/17 10:56:16 New synnetes/dashboard/src/app/bachronizer has been registeckend/auth/jwe/keyholder.gred: kuberneto:131 +0x35e
es-dashboard-key-holdergithub.com/kubernetes/dashboard/src/ap-kube-system. Starting
p/back2019/07/17 10:56:16 Starting secret syend/aunchronizer for kubernetes-dashboarth/jwe.NewRSAKeyHolder(0x1367500, 0xc420082180, 0xc420082180, 0d-key-holder in x1213a6e)
namespace kube-system
2019/07/17 10:56:16 Synchronizer kube	rnetes-dashboard-key-h/home/travis/build/kubernetes/dasholder-kubeboard/.tmp/backend/-system exited with error: unexpected object: &Secret{ObjectMsrc/github.com/kuberneteseta:k8s_io_apima/dashboard/src/app/backend/auth/jwe/keyholder.go:170 +0x64
chinery_pkg_apis_meta_v1.main.initAuthManager(0x13663e0, ObjectMeta{Name:,GenerateName:,N0xc42033a240, 0xc4204cfcd8, 0x1)amespace:,SelfLink:,UID:,Resource
Version:,G	/home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.comeneration:0,CreationTimestamp:0001-01-01 00:00:00 +0000 UTC,DeletionTimestamp:<nil>,DeletionGracePeriodSeconds:nil,Labels:map[string]string{},Annotations:map[string]string{},OwnerReferences:[],Finalizers:[],ClusterName:,Initializers:nil,},Data:map[string][]byte{},Type:,StringData:map[string]st/kubernetes/dashboring{},}
2019/07/17 10:56:16 Storing eard/src/app/backend/dashboard.go:185 +0x12c
ncryption key in a secret
main.main()
	/home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/dashboard.go:103 +0x26b
$kubectl get pods -n kube-system
NAME                                   READY   STATUS             RESTARTS   AGE
coredns-fb8b8dccf-99xtx                1/1     Running            4          26h
coredns-fb8b8dccf-r97r8                1/1     Running            4          26h
etcd-minikube                          1/1     Running            2          26h
kube-addon-manager-minikube            1/1     Running            3          26h
kube-apiserver-minikube                1/1     Running            2          26h
kube-controller-manager-minikube       1/1     Running            1          26h
kube-proxy-qg9gm                       1/1     Running            2          26h
kube-scheduler-minikube                1/1     Running            2          26h
kubernetes-dashboard-d7c9687c7-4m27p   0/1     CrashLoopBackOff   327        26h
storage-provisioner                    1/1     Running            8          26h
kubectl logs kubernetes-dashboard-d7c9687c7-4m27p -n kube-system
2019/07/17 11:01:23 Starting overwatch
2019/07/17 11:01:23 Using in-cluster config to connect to apiserver
2019/07/17 11:01:23 Using service account token for csrf signing
2019/07/17 11:01:23 Successful initial request to the apiserver, version: v1.14.3
2019/07/17 11:01:23 Generating JWE encryption key
2019/07/17 11:01:23 New synchronizer has been registered: kubernetes-dashboard-key-holder-kube-system. Starting
2019/07/17 11:01:23 Starting secret synchronizer for kubernetes-dashboard-key-holder in namespace kube-system
2019/07/17 11:01:23 Synchronizer kubernetes-dashboard-key-holder-kube-system exited with error: unexpected object: &Secret{ObjectMeta:k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta{Name:,GenerateName:,Namespace:,SelfLink:,UID:,ResourceVersion:,Generation:0,CreationTimestamp:0001-01-01 00:00:00 +0000 UTC,DeletionTimestamp:<nil>,DeletionGracePeriodSeconds:nil,Labels:map[string]string{},Annotations:map[string]string{},OwnerReferences:[],Finalizers:[],ClusterName:,Initializers:nil,},Data:map[string][]byte{},Type:,StringData:map[string]string{},}
2019/07/17 11:01:23 Storing encryption key in a secret
panic: secrets is forbidden: User "system:serviceaccount:kube-system:default" cannot create resource "secrets" in API group "" in the namespace "kube-system"

goroutine 1 [running]:
github.com/kubernetes/dashboard/src/app/backend/auth/jwe.(*rsaKeyHolder).init(0xc42000b1a0)
	/home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/auth/jwe/keyholder.go:131 +0x35e
github.com/kubernetes/dashboard/src/app/backend/auth/jwe.NewRSAKeyHolder(0x1367500, 0xc4200ce4e0, 0xc4200ce4e0, 0x1213a6e)
	/home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/auth/jwe/keyholder.go:170 +0x64
main.initAuthManager(0x13663e0, 0xc4200822a0, 0xc4204b7cd8, 0x1)
	/home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/dashboard.go:185 +0x12c
main.main()
	/home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/dashboard.go:103 +0x26b

@unlikezy

This works for me:

$kubectl create clusterrolebinding kube-system-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default
clusterrolebinding.rbac.authorization.k8s.io/kube-system-cluster-admin created
NAME                                   READY   STATUS             RESTARTS   AGE
coredns-fb8b8dccf-99xtx                1/1     Running            4          27h
coredns-fb8b8dccf-r97r8                1/1     Running            4          27h
etcd-minikube                          1/1     Running            2          27h
kube-addon-manager-minikube            1/1     Running            3          27h
kube-apiserver-minikube                1/1     Running            2          27h
kube-controller-manager-minikube       1/1     Running            1          26h
kube-proxy-qg9gm                       1/1     Running            2          27h
kube-scheduler-minikube                1/1     Running            2          27h
kubernetes-dashboard-d7c9687c7-ttj5b   0/1     CrashLoopBackOff   9          21m
storage-provisioner                    1/1     Running            8          27h
$kubectl delete pod kubernetes-dashboard-d7c9687c7-ttj5b -n kube-system
pod "kubernetes-dashboard-d7c9687c7-ttj5b" deleted
$kubectl get pods -n kube-system
NAME                                   READY   STATUS    RESTARTS   AGE
coredns-fb8b8dccf-99xtx                1/1     Running   4          27h
coredns-fb8b8dccf-r97r8                1/1     Running   4          27h
etcd-minikube                          1/1     Running   2          27h
kube-addon-manager-minikube            1/1     Running   3          27h
kube-apiserver-minikube                1/1     Running   2          27h
kube-controller-manager-minikube       1/1     Running   1          26h
kube-proxy-qg9gm                       1/1     Running   2          27h
kube-scheduler-minikube                1/1     Running   2          27h
kubernetes-dashboard-d7c9687c7-m6s7n   1/1     Running   0          14s
storage-provisioner                    1/1     Running   8          27h
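
An added example, not part of the original thread or of the minikube or dashboard code: a simplified RBAC evaluator run over constructed objects, showing why a namespaced Role and RoleBinding created outside `kube-system` leave the request forbidden, and how much more the `cluster-admin` binding grants than the dashboard needs. It assumes the first workaround's objects landed in the `default` namespace; the `kubernetes-dashboard` service account and the `dashboard-secrets` role and binding are hypothetical.

```python
# Added example: simplified RBAC evaluation over constructed objects.
# Only ServiceAccount subjects are matched (no Group subjects), and
# resourceNames / nonResourceURLs are ignored.

DEFAULT_SA = {"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"}
# Hypothetical dedicated account, as proposed in the thread.
DASHBOARD_SA = {"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                "namespace": "kube-system"}

SECRET_RULE = {"apiGroups": [""], "resources": ["secrets"],
               "verbs": ["get", "list", "watch", "update", "create"]}

# Roles keyed by (kind, namespace, name); ClusterRoles have namespace None.
ROLES = {
    # Assumption: kubectl's context namespace was "default", so the Role
    # created without -n landed there rather than in kube-system.
    ("Role", "default", "access-secrets"): [SECRET_RULE],
    ("Role", "kube-system", "dashboard-secrets"): [SECRET_RULE],  # hypothetical
    ("ClusterRole", None, "cluster-admin"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}


def binding(kind, name, namespace, role_kind, role_name, subject):
    """Build a RoleBinding/ClusterRoleBinding dict in the API's shape."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {"kind": kind, "metadata": meta,
            "roleRef": {"kind": role_kind, "name": role_name},
            "subjects": [subject]}


FIRST_WORKAROUND = binding("RoleBinding", "default-to-secrets", "default",
                           "Role", "access-secrets", DEFAULT_SA)
SECOND_WORKAROUND = binding("ClusterRoleBinding", "kube-system-cluster-admin", None,
                            "ClusterRole", "cluster-admin", DEFAULT_SA)
DEDICATED = binding("RoleBinding", "dashboard-secrets", "kube-system",
                    "Role", "dashboard-secrets", DASHBOARD_SA)


def _matches(allowed, wanted):
    return "*" in allowed or wanted in allowed


def rule_allows(rule, verb, group, resource):
    return (_matches(rule.get("verbs", []), verb)
            and _matches(rule.get("apiGroups", []), group)
            and _matches(rule.get("resources", []), resource))


def granting_bindings(bindings, roles, subject, verb, resource, namespace, group=""):
    """Names of bindings that allow the request; an empty list means forbidden."""
    granted = []
    for b in bindings:
        if subject not in b.get("subjects", []):
            continue
        b_ns = b["metadata"].get("namespace")
        # A RoleBinding grants access only inside its own namespace.
        if b["kind"] == "RoleBinding" and b_ns != namespace:
            continue
        ref = b["roleRef"]
        key = (ref["kind"], b_ns if ref["kind"] == "Role" else None, ref["name"])
        if any(rule_allows(r, verb, group, resource) for r in roles.get(key, [])):
            granted.append(b["metadata"]["name"])
    return granted


if __name__ == "__main__":
    everything = [FIRST_WORKAROUND, SECOND_WORKAROUND, DEDICATED]
    for label, sa, verb, res, ns in [
        ("default SA, create secrets", DEFAULT_SA, "create", "secrets", "kube-system"),
        ("default SA, delete nodes", DEFAULT_SA, "delete", "nodes", None),
        ("dashboard SA, create secrets", DASHBOARD_SA, "create", "secrets", "kube-system"),
        ("dashboard SA, delete pods", DASHBOARD_SA, "delete", "pods", "kube-system"),
    ]:
        result = granting_bindings(everything, ROLES, sa, verb, res, ns)
        print(label, "->", result or "forbidden")
```

On a live cluster the same question is answered by `kubectl auth can-i create secrets -n kube-system --as=system:serviceaccount:kube-system:default`.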


algorni commented Sep 5, 2019

Exact same issue.

The solution from @unlikezy works for me as well.

FYI I was running minikube v1.3.1 on a VM Ubuntu Server 18.04.3 LTS running minikube with --vm-driver=none


sunilkumarvytla commented Oct 24, 2019

How should I make it work on deploying the K8s dashboard through a Helm chart..? I am getting the same error. This is my values file

```
serviceAccount:
     name: dashboard-full-admin

kubernetes-dashboard:
  rbac:
    create: true
    clusterAdminRole: false
    clusterReadOnlyRole: true

  serviceAccount:
    create: false
```

Below is the error

```
panic: secrets is forbidden: User "system:serviceaccount:kube-system:default" cannot create resource "secrets" in API group "" in the namespace "kube-system"

goroutine 1 [running]:
github.com/kubernetes/dashboard/src/app/backend/auth/jwe.(*rsaKeyHolder).init(0xc4204529a0)
        /home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/auth/jwe/keyholder.go:131 +0x35e
github.com/kubernetes/dashboard/src/app/backend/auth/jwe.NewRSAKeyHolder(0x1367500, 0xc420429e00, 0xc420429e00, 0x1213a6e)
        /home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/auth/jwe/keyholder.go:170 +0x64
main.initAuthManager(0x13663e0, 0xc420269b00, 0xc4202d5cd8, 0x1)
        /home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/dashboard.go:185 +0x12c
main.main()
        /home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/dashboard.go:103 +0x26b
```

@sellomkantjwa

@sunilkumarvytla Did you manage to resolve this?

@abdennour

it will work with helm chart using this value:

rbac:
  clusterAdminRole: true

However granting cluster admin access is very risky


abdennour commented Jun 1, 2020

After realizing that the chart stable/kubernetes-dashboard is outdated, I found that you need to apply this manifest:

kubectl apply -f \
   https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta4/aio/deploy/recommended.yaml

However, it is not acceptable to migrate from a Helm chart to hard-coded manifests.
After some search, the related chart is now under this Git repo subfolder
No more stable repo, but use the following:

helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
helm install kubernetes-dashboard/kubernetes-dashboard --name my-release

Good luck!

By the way:

  • Even the image repository is no longer k8s.gcr.io/kubernetes-dashboard-amd64.
    Instead, it is now on Docker Hub under kubernetesui/dashboard
  • There is a sidecar for the metrics scraper which is not defined in the stable chart.

Good luck!
