K
Q

How to access Kubernetes Dashboard as admin with userid/passwd outside cluster?

2/12/2018

Desired Outcome: I want to set up a CSV file with userids and passwords and access Kubernetes Dashboard as a full admin, preferably from anywhere with a browser. I am just learning kubernetes and want to experiment with cluster management, deployments, etc. This is just for learning and is not a Production Setup. I am using Kubernetes version 1.9.2 and created a 3-machine cluster (master and 2 workers)

Background/What I've done so far:
I read the Dashboard README and I created an admin-user and admin-role-binding with the files shown below. I can then use the kubectl describe secret command to get the admin user's token. I run kubectl proxy on the cluster master and authenticate to the Dashboard with that token using a browser running on the cluster master. All of this works.

admin-user.yaml:

apiVersion: v1 kind: ServiceAccount metadata: name: admin-user namespace: kube-system

admin-role-binding.yaml:

apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: admin-user roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects:

  • kind: ServiceAccount name: admin-user namespace: kube-system

I can login to the dashboard as admin IF:

  1. I run kubectl proxy
  2. I access the dashboard with a browser where I ran command (1)
  3. I use the "token" option to login and paste the admin user's token which I get using the kubectl describe secret command.

What I'd like to do:

  1. Set up a CSV file with userids/passwords
  2. Login as admin with userid/password
  3. Be able to login from anywhere

To that end, I created a CSV file, e.g. /home/chris/myusers.txt:

mypasswd,admin,42

I did not know what value to use for id so I just punted with 42.

I then edited the file:
/etc/kubernetes/manifests/kube-apiserver.yaml and adding this line:
--basic-auth-file=/home/chris/myusers.txt

and then restarting kubelet:
sudo systemctl restart kubelet

However when I did that, my cluster stopped working and I couldn't access the Dashboard so I reverted back where I still use the admin user's token.

My questions are:

  1. Is it possible to do what I'm trying to do here?
  2. What id values do I use in the user CSV file? What groups would I specify?
  3. What other changes do I need to make to get all of this to work? If I modify the apiserver manifest to use a file with userids/passwords, does that mess up the rest of the configuration for my cluster?
-- ChrisRTech
kubernetes
kubernetes-security

Similar Questions

How to refresh cluster access-token in GKE
aws kops create cluster errors out as InvalidClientTokenId
NGINX Plus container throwing error as nginxplus executable not found
Multiple Host Kubernetes Ingress Controller

1 Answer

7/23/2019

You can try this one it is working for me. Taking reference from here.

  volumeMounts:
    - mountPath: /etc/kubernetes/auth.csv
      name: kubernetes-dashboard
      readOnly: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/auth.csv
    name: kubernetes-dashboard

How to config simple login/pass authentication for kubernetes desktop UI

-- er.roshan
Source: StackOverflow