
Question

There is a way to create a service account and get a token as in How to Add Users to Kubernetes (kubectl)?, but is there a way to get or create a token for a normal user?

Background

Followed Configure RBAC In Your Kubernetes Cluster and created a normal user.

Bind a cluster role to the user as below (not sure this is correct, appreciate suggestions). I would like to create a token for the user and use it to access the dashboard, but do not know how to do it.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  # ClusterRoles are cluster-scoped, so a metadata.namespace is ignored
  name: dashboard-admin-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  # ClusterRoleBindings are cluster-scoped too; no namespace here either
  name: dashboard-admin-rolebinding
subjects:
- kind: User
  name: myuser
  apiGroup: "rbac.authorization.k8s.io"
roleRef:
  kind: ClusterRole
  name: dashboard-admin-role
  apiGroup: "rbac.authorization.k8s.io"
mon

1 Answer


API requests are tied to either a normal user or a service account, or are treated as anonymous requests.

  • Normal users are assumed to be managed by an outside, independent service (private keys, third parties like Google Accounts, even a file with a list of usernames and passwords). Kubernetes does not have objects which represent normal user accounts.
  • Service accounts are users managed by the Kubernetes API, bound to specific namespaces. Service accounts are tied to a set of credentials stored as Secrets. Service account bearer tokens are perfectly valid to use outside the cluster and can be used to create identities for long standing jobs that wish to talk to the Kubernetes API. To manually create a service account, simply use the kubectl create serviceaccount ACCOUNT_NAME command. This creates a service account in the current namespace and an associated secret that holds the public CA of the API server and a signed JSON Web Token (JWT).

So you can create a serviceaccount and then use that token to authenticate the requests to the API.

Something similar to this example:

$ kubectl create serviceaccount jenkins
serviceaccount "jenkins" created
$ kubectl get serviceaccounts jenkins -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  # ...
secrets:
- name: jenkins-token-1yvwg

And then fetch the token:

$ kubectl get secret jenkins-token-1yvwg -o yaml
apiVersion: v1
data:
  ca.crt: (APISERVER'S CA BASE64 ENCODED)
  namespace: ZGVmYXVsdA==
  token: (BEARER TOKEN BASE64 ENCODED)
kind: Secret
metadata:
  # ...
type: kubernetes.io/service-account-token
Jose Armesto
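The answer stops at the raw Secret. What a practitioner usually wants next is to turn its base64 fields into something a client can use, and to check which identity the token actually asserts before handing it to a dashboard or kubeconfig. The following is an added example, not code from the question, the answer or the Kubernetes project. It mimics the shape of `kubectl get secret jenkins-token-1yvwg -o json` with constructed values (a placeholder CA, a JWT whose signature is fake, an assumed API server address of https://10.0.0.1:6443), decodes the Secret, reads the JWT claims without verifying them, builds a kubeconfig that authenticates as the service account, and renders the ClusterRoleBinding the question's manifest would need if the subject were that service account rather than a User.

```python
"""Turn a service-account-token Secret into usable, checkable credentials.

Added example (not from the question or the answer). Every value below is
constructed; only the structure matches what kubectl returns.
"""
import base64
import json

API_SERVER = "https://10.0.0.1:6443"   # assumed cluster endpoint
FAKE_CA = b"-----BEGIN CERTIFICATE-----\nconstructed-placeholder\n-----END CERTIFICATE-----\n"


def _b64url(data: bytes) -> str:
    """Unpadded URL-safe base64, as used inside JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _make_sample_jwt(namespace: str, name: str) -> str:
    """Build a token carrying the claims the API server puts in SA tokens.
    The signature is a placeholder: only the API server can sign real ones."""
    header = {"alg": "RS256", "kid": "placeholder"}
    payload = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/secret.name": f"{name}-token-1yvwg",
        "kubernetes.io/serviceaccount/service-account.name": name,
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }
    head_and_body = ".".join(_b64url(json.dumps(p).encode()) for p in (header, payload))
    return head_and_body + "." + _b64url(b"not-a-real-signature")


# Constructed stand-in for `kubectl get secret jenkins-token-1yvwg -o json`
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "jenkins-token-1yvwg", "namespace": "default"},
    "data": {
        "ca.crt": base64.b64encode(FAKE_CA).decode(),
        "namespace": base64.b64encode(b"default").decode(),
        "token": base64.b64encode(_make_sample_jwt("default", "jenkins").encode()).decode(),
    },
}


def decode_sa_secret(secret: dict) -> dict:
    """Decode the base64 fields of a service-account-token Secret."""
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a service-account-token Secret")
    data = secret["data"]
    return {
        "ca_crt": base64.b64decode(data["ca.crt"]).decode(),
        "namespace": base64.b64decode(data["namespace"]).decode(),
        "token": base64.b64decode(data["token"]).decode(),
    }


def jwt_claims(token: str) -> dict:
    """Read the JWT payload WITHOUT verifying the signature. This only shows
    which identity the token asserts; the API server does the verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def build_kubeconfig(secret: dict, server: str, cluster: str = "mycluster") -> dict:
    """Produce a kubeconfig dict whose single user is the service account."""
    creds = decode_sa_secret(secret)
    user = jwt_claims(creds["token"])["sub"]   # system:serviceaccount:<ns>:<name>
    context = f"{user}@{cluster}"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster, "cluster": {
            "server": server,
            "certificate-authority-data": secret["data"]["ca.crt"]}}],
        "users": [{"name": user, "user": {"token": creds["token"]}}],
        "contexts": [{"name": context, "context": {
            "cluster": cluster, "user": user, "namespace": creds["namespace"]}}],
        "current-context": context,
    }


def service_account_binding(sa_name: str, sa_namespace: str, cluster_role: str) -> dict:
    """ClusterRoleBinding granting `cluster_role` to a ServiceAccount subject.
    Cluster-scoped, so it carries no namespace of its own; the namespace
    belongs to the subject."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": f"{sa_name}-{cluster_role}"},
        "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_namespace}],
        "roleRef": {"kind": "ClusterRole", "name": cluster_role,
                    "apiGroup": "rbac.authorization.k8s.io"},
    }


if __name__ == "__main__":
    print(json.dumps(build_kubeconfig(SAMPLE_SECRET, API_SERVER), indent=2))
    print(json.dumps(service_account_binding("jenkins", "default", "dashboard-admin-role"), indent=2))
```

The decoded `token` string is exactly what the dashboard's token login field and a `kubectl --token=...` flag expect; the kubeconfig dict can be dumped to YAML with any YAML library and used via `KUBECONFIG`. Two caveats: reading the claims is a sanity check of who the token is for, not a verification (a forged payload decodes just as happily), and on Kubernetes 1.24 and later the token Secret is no longer created automatically with the ServiceAccount, so `kubectl get secret` will find nothing; `kubectl create token jenkins` issues a short-lived token instead, which is the preferable form for dashboard logins anyway.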