Jay Taylor's notes

How to create admin user in Kubernetes to login to Dashboard

Original source (medium.com)
Tags: howto api kubernetes medium.com
Clipped on: 2019-06-13


Before we start, to make things even easier, let’s create a simple alias. I called my alias “kube”, and it passes --kubeconfig on every invocation. I’ll be using it throughout this article, so adjust your environment to your liking so you can follow along. Here’s my alias:

[kstaykov@manja ~]$ alias kube
alias kube='kubectl --kubeconfig=/home/kstaykov/Downloads/k8s-1-11-1-do-1-lon1-1540329911350-kubeconfig.yaml'
[kstaykov@manja ~]$

Now it’s time to set up your service account. Use this command:

kube create -n kube-system serviceaccount admin

Notice that I created my service account in the kube-system namespace. If you want to know what namespaces you have you can get them using:

kube get namespaces

Now let’s apply a very permissive cluster role binding to our cluster.

kube create clusterrolebinding permissive-binding \
--clusterrole=cluster-admin \
--user=admin \
--user=kubelet \
--group=system:serviceaccounts

Note that this policy allows ALL service accounts to act as administrators. Bear that in mind and don’t use this in production. The aim of this article is to set up a simple testing cluster.
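To see why the binding above is so broad, here is an added example (not from the original article) that replays RBAC subject matching for a service account over output shaped like `kubectl get clusterrolebindings -o json`. The sample data is constructed, and the `dashboard-admin-only` and `view-all` bindings are hypothetical, added for contrast.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`.
# "permissive-binding" mirrors the article's command; the others are hypothetical.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "permissive-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "admin"},
               {"kind": "User", "name": "kubelet"},
               {"kind": "Group", "name": "system:serviceaccounts"}]},
 {"metadata": {"name": "dashboard-admin-only"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "admin",
                "namespace": "kube-system"}]},
 {"metadata": {"name": "view-all"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}]}
]}
""")

def sa_identity(namespace, name):
    """User name and groups the API server assigns to a service account."""
    user = f"system:serviceaccount:{namespace}:{name}"
    groups = {"system:serviceaccounts", f"system:serviceaccounts:{namespace}",
              "system:authenticated"}
    return user, groups

def subject_matches(subject, namespace, name):
    """True if an RBAC subject entry applies to the given service account."""
    user, groups = sa_identity(namespace, name)
    kind = subject.get("kind")
    if kind == "ServiceAccount":
        return (subject.get("namespace"), subject.get("name")) == (namespace, name)
    if kind == "User":
        return subject.get("name") == user
    if kind == "Group":
        return subject.get("name") in groups
    return False

def admin_grants(bindings, namespace, name):
    """(binding, subject kind, subject name) for each cluster-admin grant."""
    hits = []
    for b in bindings.get("items", []):
        if b.get("roleRef", {}).get("name") != "cluster-admin":
            continue
        hits += [(b["metadata"]["name"], s["kind"], s["name"])
                 for s in b.get("subjects") or [] if subject_matches(s, namespace, name)]
    return hits
```

On the sample, `admin_grants(SAMPLE, "default", "default")` still returns the `permissive-binding` group subject, so every service account is an administrator. The `--user=admin` subject never matches the `admin` service account, whose user name is `system:serviceaccount:kube-system:admin`.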

Now it’s time to get the configuration of our user.

[kstaykov@manja ~]$ kube -n kube-system get serviceaccount admin -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2018-10-28T08:45:31Z
  name: admin
  namespace: kube-system
  resourceVersion: "463455"
  selfLink: /api/v1/namespaces/kube-system/serviceaccounts/admin
  uid: d3adfa7a-da8d-11e8-aeb9-622f6909f16e
secrets:
- name: admin-token-ndrwp
[kstaykov@manja ~]$

We can see that there is a secret here. Let’s grab it:

[kstaykov@manja ~]$ kube -n kube-system get secret admin-token-ndrwp -o yaml
apiVersion: v1
data:
  ca.crt: <removed>
  token: <removed>
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: admin
    kubernetes.io/service-account.uid: d3adfa7a-da8d-11e8-aeb9-622f6909f16e
  creationTimestamp: 2018-10-28T08:45:31Z
  name: admin-token-ndrwp
  namespace: kube-system
  resourceVersion: "463454"
  selfLink: /api/v1/namespaces/kube-system/secrets/admin-token-ndrwp
  uid: d3afa9e0-da8d-11e8-aeb9-622f6909f16e
type: kubernetes.io/service-account-token
[kstaykov@manja ~]$

I removed the ca.crt and token data but you should be able to see some big strings there. Notice that the token is base64 encoded. Use a command such as this to decode it:

echo "put-token-here" | base64 --decode

Now you should have a different string, and that’s your true token. Keep this private, as it has complete access over your cluster! Time to use it to log in to the Dashboard. Open a proxy to the cluster:

kube proxy

This will open port 8001 on your machine and using it you can proxy to the API of the cluster. It’s a tunnel of a sort. Go to this URI:

http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

Log in using token authentication and use the token you decoded.

There you go! The Kubernetes Dashboard.
