190

I just upgraded kubeadm and kubelet to v1.8.0 and installed the dashboard following the official document.

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

After that, I started the dashboard by running

$ kubectl proxy --address="192.168.0.101" -p 8001 --accept-hosts='^*$'

Then fortunately, I was able to access the dashboard through http://192.168.0.101:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

I was redirected to a login page which I had never met before. It looks like there are two ways of authentication.

I tried to upload the /etc/kubernetes/admin.conf as the kubeconfig but it failed. Then I tried to use the token I got from kubeadm token list to sign in but it failed again.

The question is how I can sign in to the dashboard. It looks like they added a lot more security mechanisms than before. Thanks.

ichbinblau
  • 9
    I don't see a programming question here. Try serverfault.com instead. – Jolta Oct 10 '17 at 10:18
  • 1
    If you're NOT on localhost, you may be required to use https only, otherwise the login form will fail silently (without err msg). Details: https://stackoverflow.com/questions/53957413/how-to-access-kubernetes-dashboard-from-outside-network – Putnik May 16 '20 at 11:47
  • 2
    You need to generate token, follow this guide - https://jhooq.com/setting-up-kubernetes-dashboard/ – Rahul Wagh Jul 15 '20 at 09:57
  • 7
    @Jolta Devops is now a programming activity thanks to kubernetes, you'll have to face it ;) – Fabien Quatravaux Jul 20 '20 at 09:14

14 Answers

244

As of release 1.7 Dashboard supports user authentication based on:

Dashboard on Github

Token

Here Token can be Static Token, Service Account Token, OpenID Connect Token from Kubernetes Authenticating, but not the kubeadm Bootstrap Token.

With kubectl, we can get a service account (e.g. deployment controller) created in Kubernetes by default.

$ kubectl -n kube-system get secret
# All secrets with type 'kubernetes.io/service-account-token' will allow to log in.
# Note that they have different privileges.
NAME                                     TYPE                                  DATA      AGE
deployment-controller-token-frsqj        kubernetes.io/service-account-token   3         22h

$ kubectl -n kube-system describe secret deployment-controller-token-frsqj
Name:         deployment-controller-token-frsqj
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=deployment-controller
              kubernetes.io/service-account.uid=64735958-ae9f-11e7-90d5-02420ac00002

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.OqFc4CE1Kh6T3BTCR4XxDZR8gaF1MvH4M3ZHZeCGfO-sw-D0gp826vGPHr_0M66SkGaOmlsVHmP7zmTi-SJ3NCdVO5viHaVUwPJ62hx88_JPmSfD0KJJh6G5QokKfiO0WlGN7L1GgiZj18zgXVYaJShlBSz5qGRuGf0s1jy9KOBt9slAN5xQ9_b88amym2GIXoFyBsqymt5H-iMQaGP35tbRpewKKtly9LzIdrO23bDiZ1voc5QZeAZIWrizzjPY5HPM1qOqacaY9DcGc7akh98eBJG_4vZqH2gKy76fMf0yInFTeNKr45_6fWt8gRM77DQmPwb3hbrjWXe1VvXX_g

Kubeconfig

The dashboard needs the user in the kubeconfig file to have either username & password or token, but admin.conf only has client-certificate. You can edit the config file to add the token that was extracted using the method above.

$ kubectl config set-credentials cluster-admin --token=bearer_token

Alternative (Not recommended for Production)

Here are two ways to bypass the authentication, but use them with caution.

Deploy dashboard with HTTP

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/alternative/kubernetes-dashboard.yaml

Dashboard can be loaded at http://localhost:8001/ui with kubectl proxy.

Granting admin privileges to Dashboard's Service Account

$ cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
EOF

Afterwards you can use the Skip option on the login page to access Dashboard.

If you are using dashboard version v1.10.1 or later, you must also add --enable-skip-login to the deployment's command line arguments. You can do so by adding it to the args in kubectl edit deployment/kubernetes-dashboard --namespace=kube-system.

Example:

      containers:
      - args:
        - --auto-generate-certificates
        - --enable-skip-login            # <-- add this line
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
200_success
silverfox
  • 5
    Can you give us an example of how to create a user and then log in with a token? I still don't know how to use a token to act like a user. – xren Oct 15 '17 at 13:25
  • See [Static Token File](https://kubernetes.io/docs/admin/authentication/#static-token-file) in Kubernetes Authenticating – silverfox Oct 15 '17 at 13:37
  • I'm using this for my home server – trallnag Jun 04 '21 at 11:40
  • 2
    This allows me to skip, but doesn't give me authorization to see anything. `is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard"` – Matthew Vine Dec 30 '21 at 01:27
  • The URL https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/alternative/kubernetes-dashboard.yaml returns a 404 code. Is there a new one? – B. Stucke Jan 26 '22 at 19:51
  • @B.Stucke https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/alternative.yaml – Arik Sep 01 '22 at 20:44
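
The answer above binds `cluster-admin` to the dashboard's own service account, and later answers create further cluster-admin service accounts. As an added example (not code from the answers or from the Dashboard project), this audit lists every service account that a ClusterRoleBinding gives `cluster-admin`, and marks the dashboard's own account, where the Skip option would hand those rights to anyone who can reach the UI. The sample JSON and the `skip_login_risk` field name are constructed for illustration.

```python
import json
import sys

# Constructed sample of `kubectl get clusterrolebindings -o json` output,
# not taken from a real cluster. Names mirror the bindings created in the answers.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "kubernetes-dashboard"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                   "namespace": "kube-system"}]},
    {"metadata": {"name": "admin-user"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "admin-user",
                   "namespace": "kubernetes-dashboard"}]},
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "view-only"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "reader",
                   "namespace": "default"}]},
    {"metadata": {"name": "no-subjects"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": None},
]})


def cluster_admin_service_accounts(crb_json,
                                   dashboard_accounts=("kubernetes-dashboard",)):
    """Return one finding per ServiceAccount bound to ClusterRole cluster-admin."""
    findings = []
    for item in json.loads(crb_json).get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        # "subjects" can be missing or null on a binding with no subjects.
        for subj in item.get("subjects") or []:
            if subj.get("kind") != "ServiceAccount":
                continue  # users and groups are out of scope for this check
            findings.append({
                "binding": item["metadata"]["name"],
                "account": "system:serviceaccount:%s:%s"
                           % (subj.get("namespace"), subj["name"]),
                # True when the dashboard itself runs as this account.
                "skip_login_risk": subj["name"] in dashboard_accounts,
            })
    return findings


if __name__ == "__main__":
    # Pipe real output in, or run with no pipe to use the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for f in cluster_admin_service_accounts(data):
        flag = "  <-- dashboard's own account" if f["skip_login_risk"] else ""
        print("%s: %s%s" % (f["binding"], f["account"], flag))
```

To check a live cluster, pipe `kubectl get clusterrolebindings -o json` into the script.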
144

TL;DR

To get the token in a single oneliner:

kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | awk '/^deployment-controller-token-/{print $1}') | awk '$1=="token:"{print $2}'

This assumes that your ~/.kube/config is present and valid. And also that kubectl config get-contexts indicates that you are using the correct context (cluster and namespace) for the dashboard you are logging into.

Explanation

I derived this answer from what I learned from @silverfox's answer. That is a very informative write up. Unfortunately it falls short of telling you how to actually put the information into practice. Maybe I've been doing DevOps too long, but I think in shell. It's much more difficult for me to learn or teach in English.

Here is that oneliner with line breaks and indents for readability:

kubectl -n kube-system describe secret $(
  kubectl -n kube-system get secret | \
  awk '/^deployment-controller-token-/{print $1}'
) | \
awk '$1=="token:"{print $2}'

There are 4 distinct commands and they get called in this order:

  • Line 2 - This is the first command from @silverfox's Token section.
  • Line 3 - Print only the first field of the line beginning with deployment-controller-token- (which is the pod name)
  • Line 1 - This is the second command from @silverfox's Token section.
  • Line 5 - Print only the second field of the line whose first field is "token:"
Bruno Bronosky
  • 2
    Is there a powershell equivalent to awk? – duct_tape_coder Feb 28 '19 at 19:21
  • 1
    @duct_tape_coder just kubectl -n kube-system get secrets and find the token with name deployment-controller-token-SOMEHASH, afterwards just kubectl -n kube-system describe secret deployment-controller-token-SOMEHASH. That's what the awk does. – qubits Mar 03 '19 at 09:56
  • 2
    Great answer. To take it one more step: ```kubectl describe secret $(kubectl get secret | awk '/^dashboard-token-/{print $1}') | awk '$1=="token:"{print $2}'``` Or push right to your clipboard ```kubectl describe secret $(kubectl get secret | awk '/^dashboard-token-/{print $1}') | awk '$1=="token:"{print $2}' | xclip -selection clipboard -i``` – javajon Mar 29 '19 at 21:21
  • 2
    @duct_tape_coder `kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | sls admin-user | ForEach-Object { $_ -Split '\s+' } | Select -First 1)` from https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md – Putnik May 16 '20 at 09:46
  • TLDR: `The connection to the server localhost:8080 was refused - did you specify the right host or port?` – Snowcrash Oct 08 '20 at 12:10
  • Single call to kubectl and leveraging jq and base64: kubectl -n kube-system get secret -o json | jq -r '.items[] | select(.metadata.name | startswith("deployment-controller-token")) | .data.token' | base64 --decode – timvw Jan 21 '22 at 10:11
57

If you don't want to grant admin permission to the dashboard service account, you can create a cluster admin service account.

$ kubectl create serviceaccount cluster-admin-dashboard-sa
$ kubectl create clusterrolebinding cluster-admin-dashboard-sa \
  --clusterrole=cluster-admin \
  --serviceaccount=default:cluster-admin-dashboard-sa

And then, you can use the token of the just-created cluster admin service account.

$ kubectl get secret | grep cluster-admin-dashboard-sa
cluster-admin-dashboard-sa-token-6xm8l   kubernetes.io/service-account-token   3         18m
$ kubectl describe secret cluster-admin-dashboard-sa-token-6xm8l

I quoted it from giantswarm guide - https://docs.giantswarm.io/guides/install-kubernetes-dashboard/

SunghoMoon
  • 6
    This one worked just fine for me while the accepted answer signed me in but with some authorisation errors. – ZedTuX May 11 '18 at 06:28
  • 3
    Note that this command gives the service account a lot of rights and might not be advisable in a production environment. – X. Wang Jun 07 '18 at 05:51
  • 4
    might wanna add the serviceaccount under kube-system also since this is where dashboard lives – atomaras Aug 10 '18 at 05:40
  • Worked for me! I was exposing the service with port 8001 and used an SSH tunnel to access from my local machine. – Anuradha Fernando Sep 17 '19 at 07:53
  • 1
    This does not work, on kubectl 1.24.1 I'm trying "kubectl get secret -A" and I can't see anything with "cluster-admin-dashboard-sa" – konradk May 29 '22 at 15:07
  • It changed on 1.24, it is no longer automatically generated. I've tested this guide https://itnext.io/big-change-in-k8s-1-24-about-serviceaccounts-and-their-secrets-4b909a4af4e0 with yaml file and it worked – konradk May 29 '22 at 15:20
  • does not work on latest version 1.25.4 – avadhut007 Dec 01 '22 at 09:36
29

Combining two answers: 49992698 and 47761914 :

# Create service account
kubectl create serviceaccount -n kube-system cluster-admin-dashboard-sa

# Bind ClusterAdmin role to the service account
kubectl create clusterrolebinding -n kube-system cluster-admin-dashboard-sa \
  --clusterrole=cluster-admin \
  --serviceaccount=kube-system:cluster-admin-dashboard-sa

# Parse the token
TOKEN=$(kubectl describe secret -n kube-system $(kubectl get secret -n kube-system | awk '/^cluster-admin-dashboard-sa-token-/{print $1}') | awk '$1=="token:"{print $2}')
T0xicCode
Abdennour TOUMI
  • It can happen that secret is located in namespace other than kube-system, so one might want to omit "-n kube-system" from the above. – Muhamed Huseinbašić Oct 01 '20 at 07:39
  • 1
    I get a bunch of error messages in the Dashboard, e.g. `namespaces is forbidden: User "system:serviceaccount:test:cluster-admin-dashboard-sa" cannot list resource "namespaces" in API group "" at the cluster scope` for all the different resources – isapir Jan 15 '21 at 02:23
  • 1
    @isapir the namespace needs to be the same across the board. The edited answer now adds the `kube-system` namespace on all commands, which works. – T0xicCode Feb 13 '21 at 20:26
  • @T0xicCode Still doesn't work. I see no data and get messages like the following: `namespaces is forbidden: User "system:serviceaccount:kube-system:cluster-admin-dashboard-sa" cannot list resource "namespaces" in API group "" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "cluster-admin" not found` – isapir Feb 17 '21 at 05:42
  • @isapir did you delete the service account and re-create it? – T0xicCode Feb 17 '21 at 20:25
  • @T0xicCode I believe that the old account that I had was with a different name, or perhaps I deleted it in the past, as that didn't generate an error. I did have to delete the `clusterrolebinding cluster-admin-dashboard-sa` as that triggered an error that it already existed. – isapir Feb 17 '21 at 22:44
25

You need to follow these steps before the token authentication

  1. Create a Cluster Admin service account

    kubectl create serviceaccount dashboard -n default
    
  2. Add the cluster binding rules to your dashboard account

    kubectl create clusterrolebinding dashboard-admin -n default --clusterrole=cluster-admin --serviceaccount=default:dashboard
    
  3. Get the secret token with this command

    kubectl get secret $(kubectl get serviceaccount dashboard -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode
    
  4. Choose token authentication in the Kubernetes dashboard login page

  5. Now you are able to log in

Jossef Harush Kadouri
UDIT JOSHI
14

A self-explanatory simple one-liner to extract token for kubernetes dashboard login.

kubectl describe secret -n kube-system | grep deployment -A 12

Copy the token and paste it on the kubernetes dashboard under the token sign-in option and you are good to use the kubernetes dashboard.

Rewanth Tammana
13

This is finally what works now (2023).

Create two files: create-service-cccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard

and create-cluster-role-binding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard

then run

kubectl apply -f create-service-cccount.yaml
kubectl apply -f create-cluster-role-binding.yaml
kubectl -n kubernetes-dashboard create token admin-user

For the latest update, please check https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md

Robert
9

All the previous answers are good to me. But a straightforward answer on my side would come from https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md. Just use kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}'). You will have many values for some keys (Name, Namespace, Labels, ..., token). The most important is the token that corresponds to your name. Copy that token and paste it in the token box. Hope this helps.

Julien Nyambal
  • After trying several of the answers above, this one answer worked. I copied a token out, pasted it, and presto, I'm in. – CENTURION Sep 18 '18 at 23:14
  • 4
    Link is dead. Here's a new one: https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md – PussInBoots Sep 02 '20 at 12:17
8

However, if you are using Kubernetes after version 1.24, creating service accounts will not generate tokens; instead you should use the following command.

kubectl -n kubernetes-dashboard create token admin-user
SandOfTime
  • 1
    since many new to kubernetes will read this, maybe add that before creating the token there still needs to be a, for example serviceaccount, with the rights to access everything. In your case: `kubectl create serviceaccount admin-user -n kubernetes-dashboard` and `kubectl create clusterrolebinding admin-user-binding -n kubernetes-dashboard --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:admin-user` right? – LeoR Mar 21 '23 at 22:59
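
The answers above hand the dashboard two kinds of token: the secret-based ones read with `kubectl describe secret`, and the ones issued by `kubectl create token`. The first answer also notes that a kubeadm bootstrap token is not accepted. As an added example (not code from the answers), this helper reads the claims of a token before it is pasted into the login form, to show which service account it represents and whether it expires. The tokens are constructed with a placeholder signature, and the helper does not verify signatures; the API server does that.

```python
import base64
import json
import time


def b64url(obj):
    """Encode a dict as an unpadded base64url JWT segment (for sample tokens)."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build a constructed JWT; the third segment is a placeholder, not a signature."""
    return ".".join([b64url({"alg": "RS256"}), b64url(claims), "c2lnbmF0dXJl"])


def describe_token(token, now=None):
    """Report the identity and lifetime carried in a service-account token."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        # A kubeadm bootstrap token has two dot-separated parts and is not a JWT.
        return {"kind": "not-jwt", "subject": None, "expires_in": None}
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return {
        # Tokens stored in a Secret carry no "exp" claim and do not expire.
        "kind": "legacy-secret" if exp is None else "bound",
        "subject": claims.get("sub"),
        "expires_in": None if exp is None else int(exp - now),
    }


# Constructed samples; the claim values are illustrative.
LEGACY = make_sample_token({
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:kube-system:deployment-controller",
})
BOUND = make_sample_token({
    "sub": "system:serviceaccount:kubernetes-dashboard:admin-user",
    "iat": 1700000000,
    "exp": 1700003600,
})
BOOTSTRAP = "abcdef.0123456789abcdef"  # bootstrap token shape, constructed

if __name__ == "__main__":
    for name, tok in (("legacy", LEGACY), ("bound", BOUND), ("bootstrap", BOOTSTRAP)):
        print(name, describe_token(tok, now=1700000000))
```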
7

You can get the token:

kubectl describe secret -n kube-system | grep deployment -A 12

Take the Token value which is something like

token:    eyJhbGciOiJSUzI1NiIsI...

Use port-forward to /kubernetes-dashboard:

kubectl port-forward -n kubernetes-dashboard service/kubernetes-dashboard 8080:443 --address='0.0.0.0'

Access the Site Using:

https://<IP-of-Master-node>:8080/

Provide the token when asked. Note the https in the URL. Tested the site on Firefox because with new updates Google Chrome has become strict about not allowing traffic from unknown SSL certificates.

Also note, the 8080 port should be opened in the VM of Master Node.

Ank
4

For version 1.26.0/1.26.1 at 2023,

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
kubectl create serviceaccount admin-user -n kubernetes-dashboard
kubectl create clusterrolebinding dashboard-admin -n kubernetes-dashboard --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:admin-user
kubectl -n kubernetes-dashboard create token admin-user

The newest guide: https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md

jqknono
  • This is the only solution that worked for me in May 2023 with Kubernetes v1.27 – mihow May 11 '23 at 18:58
  • 2
    3rd command returned error, here is corrected one `kubectl create clusterrolebinding dashboard-admin -n kubernetes-dashboard --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:admin-user` – To Kra May 25 '23 at 12:37
1

The skip login has been disabled by default due to security issues. https://github.com/kubernetes/dashboard/issues/2672

In your dashboard YAML, add this arg

- --enable-skip-login

to get it back

derHugo
Ravi
0

Download https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/alternative/kubernetes-dashboard.yaml

add

type: NodePort for the Service

And then run this command:

kubectl apply -f kubernetes-dashboard.yaml

Find the exposed port with the command :

kubectl get services -n kube-system

You should be able to get the dashboard at http://hostname:exposedport/ with no authentication

273K
Rajesh Guptan
0

An alternative way to obtain the kubernetes-dashboard token:

kubectl -n kubernetes-dashboard get secret -o=jsonpath='{.items[?(@.metadata.annotations.kubernetes\.io/service-account\.name=="kubernetes-dashboard")].data.token}' | base64 --decode

Explanation:

  1. Get all the secrets in the kubernetes-dashboard namespace.
  2. Look at the items array, and match for: metadata -> annotations -> kubernetes.io/service-account.name == kubernetes-dashboard
  3. Print data -> token
  4. Decode content. (If you perform kubectl describe secret, the token is already decoded.)
h q