How to sign in kubernetes dashboard?

Question

I just upgraded kubeadm and kubelet to v1.8.0. And install the dashboard following the official document.

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

After that, I started the dashboard by running

$ kubectl proxy --address="192.168.0.101" -p 8001 --accept-hosts='^*$'

Then fortunately, I was able to access the dashboard thru http://192.168.0.101:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

I was redirected to a login page like this which I had never met before. It looks like that there are two ways of authentication.

I tried to upload the /etc/kubernetes/admin.conf as the kubeconfig but got failed. Then I tried to use the token I got from kubeadm token list to sign in but failed again.

The question is how I can sign in the dashboard. It looks like they added a lot of security mechanism than before. Thanks.

Answer 1

TL;DR

To get the token in a single oneliner:

kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | awk '/^deployment-controller-token-/{print $1}') | awk '$1=="token:"{print $2}'

This assumes that your ~/.kube/config is present and valid. And also that kubectl config get-contexts indicates that you are using the correct context (cluster and namespace) for the dashboard you are logging into.

Explanation

I derived this answer from what I learned from @silverfox's answer. That is a very informative write up. Unfortunately it falls short of telling you how to actually put the information into practice. Maybe I've been doing DevOps too long, but I think in shell. It's much more difficult for me to learn or teach in English.

Here is that oneliner with line breaks and indents for readability:

kubectl -n kube-system describe secret $(
  kubectl -n kube-system get secret | \
  awk '/^deployment-controller-token-/{print $1}'
) | \
awk '$1=="token:"{print $2}'

There are 4 distinct commands and they get called in this order:

• Line 2 - This is the first command from @silverfox's Token section.
• Line 3 - Print only the first field of the line beginning with deployment-controller-token- (which is the pod name)
• Line 1 - This is the second command from @silverfox's Token section.
• Line 5 - Print only the second field of the line whose first field is "token:"

Answer 2

If you don't want to grant admin permission to dashboard service account, you can create cluster admin service account.

$ kubectl create serviceaccount cluster-admin-dashboard-sa
$ kubectl create clusterrolebinding cluster-admin-dashboard-sa \
  --clusterrole=cluster-admin \
  --serviceaccount=default:cluster-admin-dashboard-sa

And then, you can use the token of just created cluster admin service account.

$ kubectl get secret | grep cluster-admin-dashboard-sa
cluster-admin-dashboard-sa-token-6xm8l   kubernetes.io/service-account-token   3         18m
$ kubectl describe secret cluster-admin-dashboard-sa-token-6xm8l

I quoted it from giantswarm guide - https://docs.giantswarm.io/guides/install-kubernetes-dashboard/

Answer 3

Combining two answers: 49992698 and 47761914 :

# Create service account
kubectl create serviceaccount -n kube-system cluster-admin-dashboard-sa

# Bind ClusterAdmin role to the service account
kubectl create clusterrolebinding -n kube-system cluster-admin-dashboard-sa \
  --clusterrole=cluster-admin \
  --serviceaccount=kube-system:cluster-admin-dashboard-sa

# Parse the token
TOKEN=$(kubectl describe secret -n kube-system $(kubectl get secret -n kube-system | awk '/^cluster-admin-dashboard-sa-token-/{print $1}') | awk '$1=="token:"{print $2}')

Answer 4

You need to follow these steps before the token authentication

1. Create a Cluster Admin service account

   kubectl create serviceaccount dashboard -n default
   

2. Add the cluster binding rules to your dashboard account

   kubectl create clusterrolebinding dashboard-admin -n default --clusterrole=cluster-admin --serviceaccount=default:dashboard
   

3. Get the secret token with this command

   kubectl get secret $(kubectl get serviceaccount dashboard -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode
   

4. Choose token authentication in the Kubernetes dashboard login page

5. Now you can able to login

Answer 5

A self-explanatory simple one-liner to extract token for kubernetes dashboard login.

kubectl describe secret -n kube-system | grep deployment -A 12

Copy the token and paste it on the kubernetes dashboard under token sign in option and you are good to use kubernetes dashboard

Answer 6

All the previous answers are good to me. But a straight forward answer on my side would come from https://github.com/kubernetes/dashboard/wiki/Creating-sample-user#bearer-token. Just use kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}'). You will have many values for some keys (Name, Namespace, Labels, ..., token). The most important is the token that corresponds to your name. copy that token and paste it in the token box. Hope this helps.

Answer 7

You can get the token:

kubectl describe secret -n kube-system | grep deployment -A 12

Take the Token value which is something like

token:    eyJhbGciOiJSUzI1NiIsI...

Use port-forward to /kubernetes-dashboard:

kubectl port-forward -n kubernetes-dashboard service/kubernetes-dashboard 8080:443 --address='0.0.0.0'

Access the Site Using:

https://<IP-of-Master-node>:8080/

Provide the Token when asked. Note the https on the URL. Tested site on Firefox because With new Updates Google Chrome has become strict of not allowing traffic from unknown SSL certificates.

Also note, the 8080 port should be opened in the VM of Master Node.

Answer 8

Download https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/alternative/kubernetes-dashboard.yaml

add

type: NodePort for the Service

And then run this command:

kubectl apply -f kubernetes-dashboard.yaml

Find the exposed port with the command :

kubectl get services -n kube-system

You should be able to get the dashboard at http://hostname:exposedport/ with no authentication

Answer 9

The skip login has been disabled by default due to security issues. https://github.com/kubernetes/dashboard/issues/2672

in your dashboard yaml add this arg

- --enable-skip-login

to get it back

Answer 10

An alternative way to obtain the kubernetes-dashboard token:

kubectl -n kubernetes-dashboard get secret -o=jsonpath='{.items[?(@.metadata.annotations.kubernetes\.io/service-account\.name=="kubernetes-dashboard")].data.token}' | base64 --decode

Explanation:

1. Get all the secret in the kubernetes-dashboard name space.
2. Look at the items array, and match for: metadata -> annotations -> kubernetes.io/service-account.name == kubernetes-dashboard
3. Print data -> token
4. Decode content. (If you perform kubectl describe secret, the token is already decoded.)