26

The web session timeout for Kubernetes Dashboard is pretty short. I can't see any setting or configuration parameter to change it.

I tried inspecting the container contents with kubectl exec, but there does not seem to be any shell (sh, bash, ash, etc.), so I can't see what web server parameters are configured inside.

I would like to make this timeout longer, to make it easier to keep track of job executions for long periods of time.

How can I proceed?

metroid2010

5 Answers

32

There are two ways. When you deploy the manifest originally, this can be done by modifying the Container Args to include this directive: `--token-ttl=43200` where 43200 is the number of seconds you want to set the automatic timeout to be.

If you want to manipulate the configuration post-deployment, then you can edit the existing deployment, which will trigger the pod to be redeployed with the new arguments. To do this, run `kubectl edit deployment -n kube-system kubernetes-dashboard` and add the argument mentioned above to the `args` section.

EDIT: If you are using V2 of the Dashboard (Still in beta) then you will need to change the namespace in the command from kube-system to kubernetes-dashboard. (Or somewhere else if you customized it)

EDIT2: You can also set token-ttl to 0 to disable timeouts entirely.

TJ Zimmerman
  • Checked on Kubernetes 1.16.3. `kubectl edge` doesn't exist. In command from @TJ replace `edge` with `edit` – Uliysess Nov 22 '19 at 07:01
  • Sorry, that was a typo. Edge has never been a command. Thanks for correcting. :) – TJ Zimmerman Nov 22 '19 at 15:53
  • Delete `kube-system` from your `kubectl edit` ...I don't think it's needed. So the real command is `kubectl edit deployment -n kubernetes-dashboard`. You can also specify that this line needs to be added: `- --token-ttl=x` just after this one: `- --namespace=kubernetes-dashboard`. So you need to search for the last one in the yaml file. Replace x with the timeout time that you want to set (0 to disable the timeout completely). – Bemipefe Oct 21 '21 at 15:00
  • Did you see this in the post you responded to? `EDIT: If you are using V2 of the Dashboard (Still in beta) then you will need to change the namespace in the command from kube-system to kubernetes-dashboard. (Or somewhere else if you customized it) ` – TJ Zimmerman Oct 23 '21 at 03:48
  • I've added the additional `--token-ttl=0` but it's not clear to me what timeout is being increased by the change? following the guide https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md when I generated a new token using `kubectl -n kubernetes-dashboard create token admin-user` I obtain the same short lived token. – Dan M Sep 12 '22 at 09:16
  • Setting the `--token-ttl` argument instructs the Dashboard to expire an authenticated session after `#` seconds. `0` in this case disables expiration. `600` would be 10 minutes. The token itself remains valid across time. – TJ Zimmerman Sep 12 '22 at 17:49
  • Running `kubectl -n kubernetes-dashboard create token admin-user`, it's getting a token with a TTL of about 1h and the dashboard expires, despite the change in the deployment yaml; I can easily verify the token content at https://jwt.io; it contains the `exp": 1662976724, "iat": 1662973124, etc` I think the actual question is `how can one get a token with no expiration date`? (like in the older versions where exp was omitted!) – Dan M Sep 13 '22 at 00:12
  • Sounds like something has changed. I suggest you open a new question since this question was in reference to extending/disabling the automatic logout after a token is accepted. Not preventing a token from being permanently invalidated after a period of time. – TJ Zimmerman Sep 14 '22 at 22:50
  • @DanM I saw this comment on Reddit today and thought of you: https://www.reddit.com/r/kubernetes/comments/ydsuwh/kubernetes_dashboard_what_i_am_missing/itu913a/ – TJ Zimmerman Oct 27 '22 at 18:09
  • @TJZimmerman thanks, yep, that's a good idea. In the meanwhile I used the K8s certificate and generated my own token where I can freely edit the `exp`; the cert I used to modify and sign the token is the `/etc/kubernetes/pki/sa.key` `/etc/kubernetes/pki/sa.pub` pair. – Dan M Nov 07 '22 at 16:18
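
Added example (not part of the original thread): the comments above distinguish the token's own `exp` claim from the Dashboard session TTL set by `--token-ttl`, and the token's lifetime can be read locally by decoding its payload rather than handing a cluster credential to a web tool. The sample tokens are constructed from the `iat`/`exp` values quoted above with a placeholder signature; `decode_claims` and `token_lifetime` are hypothetical helper names.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Decode the payload segment of a JWT WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_lifetime(token: str):
    """Return exp - iat in seconds, or None when the token has no exp claim."""
    claims = decode_claims(token)
    if "exp" not in claims:
        return None  # legacy-style token that never expires on its own
    return claims["exp"] - claims["iat"]


def make_sample(claims: dict) -> str:
    """Build a constructed, unsigned sample token (placeholder signature)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url(b'placeholder-signature')}"


SUBJECT = "system:serviceaccount:kubernetes-dashboard:admin-user"
# Constructed: same iat/exp as quoted in the comment above.
BOUND = make_sample({"sub": SUBJECT, "iat": 1662973124, "exp": 1662976724})
# Constructed: a token with no exp claim, as described for older versions.
LEGACY = make_sample({"sub": SUBJECT})

if __name__ == "__main__":
    print("bound token lifetime:", token_lifetime(BOUND), "seconds")
    print("legacy token lifetime:", token_lifetime(LEGACY))
```

The lifetime printed here belongs to the token and is unaffected by `--token-ttl`, which only controls when the Dashboard ends an authenticated session.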
15

In the v2.2.0 version (~year 2021) of the default installation (https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml), they use kubernetes-dashboard as the namespace.

The command would look like this:

kubectl edit deployment kubernetes-dashboard -n kubernetes-dashboard

The change would look like this:


# ... content before...

    spec:
      containers:
      - args:
        - --auto-generate-certificates
        - --namespace=kubernetes-dashboard
        - --token-ttl=0 # <-- add this with your timeout
        image: kubernetesui/dashboard:v2.0.0

# ... content after ...

As TJ Zimmerman suggested: 0 = no-timeout.

Seb
  • use `kubectl edit deployment kubernetes-dashboard -n kube-system` command instead of `kubectl edit deployment kubernetes-dashboard -n kubernetes-dashboard` in microk8s – Dániel Kis Sep 01 '22 at 16:58
7

If using helm, the token-timeout can be set in the values.yaml like this:

extraArgs:
  - --token-ttl=86400
Davey
Frederik Struck-Schøning
3

The same as previous answers, but if editing files isn't your bag and you prefer to just run a command, you can patch your (default) dashboard deployment with:

kubectl patch --namespace kubernetes-dashboard deployment \
  kubernetes-dashboard --type='json' --patch \
 '[{"op": "add", "path": "/spec/template/spec/containers/0/args/2", "value": "--token-ttl=43200" }]'

(adjust 43200 to whatever TTL value you want to set).

Belly Buster
  • Can no longer login after running this command. Dashboard interface says: Unknown error (0): Http failure response for api/v1/csrftoken/login: 0 Unknown Error – StefanLundmark Mar 27 '22 at 11:18
  • The answer assumes the default installation as documented here: https://github.com/kubernetes/dashboard#install. Try reinstalling the latest version of the dashboard. – Belly Buster Mar 27 '22 at 12:17
  • That's the installation method I used. After 30 minutes I was able to login again without any changes. Maybe you have to wait for the old session to expire? – StefanLundmark Mar 29 '22 at 22:20
  • verified now, works (of course, because it matches the [3] index of the args in current official dashboard manifest). it's good for automation in case there is no option to manually edit after the kubectl apply. thanks. one concern though: does the patching delete text at [3] if the default yaml will change and will have >=3 args already? can you do "append" in it, no matter how many items in list already exist? lol, just did a test and verified it adds new item in between existing ones in list, so it's safe to use! – Dmitry Shmakov Sep 23 '22 at 17:03
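
Added example (not part of the original thread): the question above about the fixed index can be avoided by generating the patch from the live deployment. In JSON Patch (RFC 6902) a path ending in `/-` appends to an array, and an existing `--token-ttl=` entry is replaced instead of duplicated. `build_ttl_patch` and `SAMPLE` are hypothetical names, and the sample deployment is constructed from the args shown in the answers.

```python
import json

ARG = "--token-ttl"

# Constructed sample: the relevant part of
# `kubectl get deployment kubernetes-dashboard -n kubernetes-dashboard -o json`,
# with the two default args shown in the answers above.
SAMPLE = {"spec": {"template": {"spec": {"containers": [{
    "name": "kubernetes-dashboard",
    "args": ["--auto-generate-certificates", "--namespace=kubernetes-dashboard"],
}]}}}}


def build_ttl_patch(deployment, ttl_seconds, container=0):
    """Return JSON Patch (RFC 6902) operations that set --token-ttl exactly once.

    Hypothetical helper for illustration; not part of kubectl or the Dashboard.
    """
    if ttl_seconds < 0:
        raise ValueError("token TTL must be >= 0 seconds (0 disables expiry)")
    spec = deployment["spec"]["template"]["spec"]["containers"][container]
    base = f"/spec/template/spec/containers/{container}/args"
    value = f"{ARG}={ttl_seconds}"
    if "args" not in spec:
        # No args list yet: create it, because "add" into a missing array fails.
        return [{"op": "add", "path": base, "value": [value]}]
    for i, arg in enumerate(spec["args"]):
        if arg.startswith(ARG + "="):
            if arg == value:
                return []  # already set: re-running is a no-op
            return [{"op": "replace", "path": f"{base}/{i}", "value": value}]
    # "/-" addresses the end of the array, so no fixed index is assumed.
    return [{"op": "add", "path": f"{base}/-", "value": value}]


if __name__ == "__main__":
    patch = build_ttl_patch(SAMPLE, 43200)
    print("kubectl patch --namespace kubernetes-dashboard deployment "
          "kubernetes-dashboard --type=json --patch '%s'" % json.dumps(patch))
```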
0

Another way to achieve the same effect for a microk8s dashboard addon is by editing the file /var/snap/microk8s/common/addons/core/addons/dashboard/dashboard.yaml to include the --token-ttl=604800 argument within the rest of the container arguments:

      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.7.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kube-system
            - --token-ttl=604800

After making this change, you can disable and enable the addon to apply the modification:

microk8s disable dashboard ; sleep 10; microk8s enable dashboard

Admittedly, this approach might seem a bit unorthodox and potentially unsustainable if the addon version gets updated. Unfortunately, there doesn't appear to be a simpler method to make this change persistently within microk8s. Ideally, one would hope for a more flexible configuration option, similar to those found at /var/snap/microk8s/current/args/, but it seems that microk8s doesn't currently expose customization settings for the dashboard in that location.

Dmitriusan