I'm using Google Cloud Platform and Kubernetes.
I'm trying to find out which token I should use in order to log in to the dashboard and have enough permissions to do as I please.
I created a 3-node Kubernetes 1.8.6 cluster on Google Cloud Platform.
My developer desktop is a Mac Pro (late 2013) on macOS High Sierra 10.13.2 with google-cloud-sdk and kubernetes-cli installed from Homebrew.
~ ❯❯❯ kubectl version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.1", GitCommit:"3a1c9449a956b6026f075fa3134ff92f7d55f812", GitTreeState:"clean", BuildDate:"2018-01-04T20:00:41Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"8+", GitVersion:"v1.8.6-gke.0", GitCommit:"ee9a97661f14ee0b1ca31d6edd30480c89347c79", GitTreeState:"clean", BuildDate:"2018-01-05T03:36:42Z", GoVersion:"go1.8.3b4", Compiler:"gc", Platform:"linux/amd64"}

and

~ ❯❯❯ gcloud version
Google Cloud SDK 184.0.0
bq 2.0.28
core 2018.01.05
gsutil 4.28

I read in the docs that it's not safe to create an admin user for the dashboard; unfortunately, all the permissions for the dashboard pod confuse me a bit.
When I execute kubectl get secrets -n kube-system and decode one of the tokens with

kubectl get secret <TOKEN_NAME> -n=kube-system -o json | jq -r '.data["token"]' | base64 -D > user_token.txt

and use that to log in through the web proxy I started with kubectl proxy, I get lots of permission errors when I try to view any of the pages in the dashboard web interface. I probably don't use the proper token, or I need to create a new token.
Is there a way to view the permissions of the tokens so I'll know beforehand what I'm actually trying to log in with?
So I ran kubectl to get all the secret tokens in the kube-system namespace:
~ ❯❯❯ kubectl get secrets -n kube-system
NAME TYPE DATA AGE
attachdetach-controller-token-4pp92 kubernetes.io/service-account-token 3 10m
certificate-controller-token-bqnjp kubernetes.io/service-account-token 3 10m
cloud-provider-token-ltbnh kubernetes.io/service-account-token 3 10m
cronjob-controller-token-84cl9 kubernetes.io/service-account-token 3 10m
daemon-set-controller-token-ncz5r kubernetes.io/service-account-token 3 10m
default-token-fpmht kubernetes.io/service-account-token 3 10m
deployment-controller-token-4xc8k kubernetes.io/service-account-token 3 10m
disruption-controller-token-9gdqg kubernetes.io/service-account-token 3 10m
endpoint-controller-token-gr29m kubernetes.io/service-account-token 3 10m
event-exporter-sa-token-6klz5 kubernetes.io/service-account-token 3 10m
fluentd-gcp-token-s2kk4 kubernetes.io/service-account-token 3 10m
generic-garbage-collector-token-tqbqz kubernetes.io/service-account-token 3 10m
heapster-token-7pgmr kubernetes.io/service-account-token 3 10m
horizontal-pod-autoscaler-token-74v57 kubernetes.io/service-account-token 3 10m
job-controller-token-2skhj kubernetes.io/service-account-token 3 10m
kube-dns-autoscaler-token-wc9gz kubernetes.io/service-account-token 3 10m
kube-dns-token-nx2tf kubernetes.io/service-account-token 3 10m
kubernetes-dashboard-certs Opaque 0 10m
kubernetes-dashboard-key-holder Opaque 2 9m
kubernetes-dashboard-token-zxp7n kubernetes.io/service-account-token 3 10m
namespace-controller-token-tz54r kubernetes.io/service-account-token 3 10m
node-controller-token-m2w7k kubernetes.io/service-account-token 3 10m
persistent-volume-binder-token-6sfkt kubernetes.io/service-account-token 3 10m
pod-garbage-collector-token-zqxhd kubernetes.io/service-account-token 3 10m
replicaset-controller-token-8n6b7 kubernetes.io/service-account-token 3 10m
replication-controller-token-nb2tw kubernetes.io/service-account-token 3 10m
resourcequota-controller-token-blhfg kubernetes.io/service-account-token 3 10m
route-controller-token-c5ns6 kubernetes.io/service-account-token 3 10m
service-account-controller-token-zptxc kubernetes.io/service-account-token 3 10m
service-controller-token-75hht kubernetes.io/service-account-token 3 10m
statefulset-controller-token-fhpk8 kubernetes.io/service-account-token 3 10m
ttl-controller-token-5vwln kubernetes.io/service-account-token 3 10m

Then I executed

kubectl get secret kubernetes-dashboard-token-zxp7n -n=kube-system -o json | jq -r '.data["token"]' | base64 -D > user_token.txt

and used that token to log in.
After login I get the following messages:

configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list configmaps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list persistentvolumeclaims in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
secrets is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list secrets in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
services is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list services in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
ingresses.extensions is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list ingresses.extensions in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
daemonsets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list daemonsets.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
pods is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list pods in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
events is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list events in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
deployments.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list deployments.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
replicasets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list replicasets.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
jobs.batch is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list jobs.batch in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
cronjobs.batch is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list cronjobs.batch in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
replicationcontrollers is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list replicationcontrollers in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
statefulsets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list statefulsets.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"

Any ideas why?
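As an added example, not part of the question or of any answer on this page, the following Python turns API-server "forbidden" messages of the exact shape quoted above into a namespaced Role and RoleBinding that grant the dashboard service account only the verbs it was denied, instead of an admin binding. The sample messages are constructed in that format, and the role name dashboard-readonly is an assumption.

```python
import re
from collections import defaultdict
# Constructed sample input, in the same shape as the dashboard messages quoted in the question.
DASHBOARD_SA = "system:serviceaccount:kube-system:kubernetes-dashboard"
def _forbidden(res, verb="list", ns="default", user=DASHBOARD_SA):
    return (f'{res} is forbidden: User "{user}" cannot {verb} {res} in the '
            f'namespace "{ns}": Unknown user "{user}"')
SAMPLE_MESSAGES = [_forbidden(r) for r in ("configmaps", "pods", "deployments.apps", "ingresses.extensions")]

FORBIDDEN_RE = re.compile(
    r'^(?P<res>[a-z0-9.]+) is forbidden: User "(?P<user>[^"]+)" cannot '
    r'(?P<verb>[a-z]+) (?P=res) in the namespace "(?P<ns>[^"]+)"')

def parse_forbidden(line):
    """Parse one forbidden message into (user, namespace, verb, resource, apiGroup)."""
    m = FORBIDDEN_RE.match(line.strip())
    if not m:
        return None
    # "deployments.apps" -> resource "deployments" in API group "apps"; the core group is "".
    resource, _, group = m.group("res").partition(".")
    return m.group("user"), m.group("ns"), m.group("verb"), resource, group

def least_privilege_rules(lines):
    """Collapse messages into {(namespace, user): {(apiGroup, resource): {verbs}}}."""
    rules = defaultdict(lambda: defaultdict(set))
    for user, ns, verb, resource, group in filter(None, map(parse_forbidden, lines)):
        rules[(ns, user)][(group, resource)].add(verb)
    return rules

def render_role_and_binding(ns, user, rules, name="dashboard-readonly"):
    """Emit a namespaced Role + RoleBinding granting exactly the denied verbs, nothing more."""
    parts = user.split(":", 3)  # system:serviceaccount:<sa namespace>:<sa name>
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        raise ValueError("only ServiceAccount subjects are handled here")
    sa_ns, sa_name = parts[2:]
    out = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: Role", "metadata:",
           f"  name: {name}", f"  namespace: {ns}", "rules:"]
    for (group, resource), verbs in sorted(rules.items()):
        out += [f'- apiGroups: ["{group}"]', f"  resources: [{resource}]",
                f"  verbs: [{', '.join(sorted(verbs))}]"]
    out += ["---", "apiVersion: rbac.authorization.k8s.io/v1", "kind: RoleBinding",
            "metadata:", f"  name: {name}", f"  namespace: {ns}",
            f"roleRef: {{apiGroup: rbac.authorization.k8s.io, kind: Role, name: {name}}}",
            "subjects:", "- kind: ServiceAccount", f"  name: {sa_name}", f"  namespace: {sa_ns}"]
    return "\n".join(out)

if __name__ == "__main__":
    for (ns, user), rules in least_privilege_rules(SAMPLE_MESSAGES).items():
        print(render_role_and_binding(ns, user, rules))
```

After applying the output with kubectl apply -f, the "know beforehand" check the question asks for is kubectl auth can-i list pods -n default --as=system:serviceaccount:kube-system:kubernetes-dashboard, which answers yes or no without logging in to the dashboard.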
All secrets in the kube-system namespace have full access. You can create new secrets; you need to grant this access.
After you connect to the cluster with gcloud container clusters get-credentials, use the following command to get the access token of the current context:

kubectl config view | grep -A10 "name: $(kubectl config current-context)" | awk '$1=="access-token:"{print $2}'

A more reliable alternative to this answer is using jsonpath:

kubectl config view -o jsonpath="{.users[?(@.name == \"$(kubectl config current-context)\")].user.auth-provider.config.access-token}"

gcloud doesn't put the credentials into the kubeconfig but keeps them in its own files.
With GKE you can get a token for your GCloud account - much nicer than repurposing one from a Service Account.
Assuming that you have jq installed, you can get your personal access token like this:

gcloud container clusters get-credentials <GKE cluster name> --zone <zone> --project <project>
gcloud config config-helper --format=json | jq .credential.access_token

I experienced the same issue - in my case the solution was to get the access token from kubectl config view:
[...]
users:
- name: <YOUR CLUSTER NAME>
  user:
    auth-provider:
      config:
        access-token: <YOUR ACCESS TOKEN>
        cmd-args: config config-helper --format=json
        cmd-path: /usr/local/lib/google-cloud-sdk/bin/gcloud
        expiry: 2018-02-12T13:36:51Z
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp
[...]