In this guide, we will create a new user using the Service Account mechanism of Kubernetes, grant this user admin permissions, and log in to Dashboard using the bearer token tied to this user.
Copy the provided snippets to a file such as xxx.yaml and run kubectl apply -f xxx.yaml to create the objects.
First, create a Service Account named admin-user in the kube-system namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
For Kubernetes v1.8 and later, bind the Service Account to the cluster-admin ClusterRole with a ClusterRoleBinding:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
Open Dashboard:
$ kubectl cluster-info
Kubernetes master is running at https://192.168.2.71:6443
KubeDNS is running at https://192.168.2.71:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
kubernetes-dashboard is running at https://192.168.2.71:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
We can see that the Dashboard is running at the kubernetes-dashboard link above.
When we access the Dashboard, we see the login window.
We get the token with the following command:
$ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
Name: admin-user-token-rwnr5
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name=admin-user
kubernetes.io/service-account.uid=b0079867-b4f1-11e8-a79f-525400eaf486
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1090 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLXJ3bnI1Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJiMDA3OTg2Ny1iNGYxLTExZTgtYTc5Zi01MjU0MDBlYWY0ODYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.T0hCh7uQbt9j2xYj427QgMLO8zD_qW-nHVscMCXi8wwMtdsSjdfoh9bGkOa8OPS6rQNz0St5hQJie_Boes8F10FcZif3nWzGLJ7lWI32WHPMNBSF-EVNUecOj5FvVGRiNua_ruXjPgHqsyZDNc-iQySfnqy5ommPKinOTUL8fqItkjsVa8XANJ2tRHP5sSlSpvHG1_Acyf2G-JIwJuNyvhuOlgWl5MAYAhT38yrnkkQrN0zaIl9qd5PuS_43abDVKrOxT6sQIY5GRQvPHkXcgAfrOmOpSbcSQDbDxHaAnLVE2-h-7Vba1UCnpbrr_o-K4YV_jJCqRqe0VKu1ZjlfCw
Copy the token and paste it into the Enter token field. Click Sign in and you are logged in as admin.