10

I'm trying to follow the instructions at https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md to create a Kubernetes Dashboard token. However, when I run the specified command, I get an error

```
% kubectl -n kubernetes-dashboard create token admin-user
Error: must specify one of -f and -k

error: unknown command "token admin-user"
See 'kubectl create -h' for help and examples
```

If I jump back in the doc history, I see a different, more verbose command that I can run

```
% kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"
```

This seems to work OK, and the PR for the doc change mentions "version 1.24" but doesn't mention what piece of software version 1.24 refers to (kubectl? The Dashboard? Kubernetes itself? kind? Something else?)

So what's going on with that first command? Why doesn't it work?

Alana Storm

2 Answers

9

If your version is lower than 1.24, please run the following command.

```
kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"
```

This works in my case. Thanks.

Sushmita Goswami
  • 2
    Adding an `echo` to the end of the command makes copying the token easier: `kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"; echo` – Aslan Aug 09 '22 at 11:57
8

This is a new feature in Kubernetes 1.24. Your cluster and kubectl must be running a <1.24 version of Kubernetes, causing the issue. See the change log below:

kubectl create token can now be used to request a service account token, and permission to request service account tokens is added to the edit and admin RBAC roles (#107880, @liggitt)

Another snippet showing more relevant info:

Kubectl changes:

Adds a command to kubectl to request a bound service account token. This will help ease the transition from scraping generated service account tokens with commands like kubectl get secret "$(kubectl get serviceaccount default -o jsonpath='{.secrets[0].name}')"

Both server and client must be running 1.24 or newer, something like below:

```
kubectl version --output=json
{
  "clientVersion": {
    "major": "1",
    "minor": "24",
    "gitVersion": "v1.24.0",
    "gitCommit": "4ce5a8954017644c5420bae81d72b09b735c21f0",
    "gitTreeState": "clean",
    "buildDate": "2022-05-03T13:46:05Z",
    "goVersion": "go1.18.1",
    "compiler": "gc",
    "platform": "linux/amd64"
  },
  "kustomizeVersion": "v4.5.4",
  "serverVersion": {
    "major": "1",
    "minor": "24",
    "gitVersion": "v1.24.2",
    "gitCommit": "f66044f4361b9f1f96f0053dd46cb7dce5e990a8",
    "gitTreeState": "clean",
    "buildDate": "2022-06-15T14:15:38Z",
    "goVersion": "go1.18.3",
    "compiler": "gc",
    "platform": "linux/amd64"
  }
}
```

Check this for more info: https://github.com/kubernetes/kubernetes/pull/107880

P....
  • Thank you @P -- one follow up question if you have a moment. Is this a problem that my _cluster_ is running 1.24, or that my version of kubectl isn't 1.24? Or both? (I'm running a cluster via kind in a very "this is all magic to me I'm still learning" sort of way). – Alana Storm Jun 02 '22 at 20:34
  • 2
    You may run `kubectl get node -owide` to see the version used in your cluster; it's likely that you are not running version `1.24` and are using something lower than 1.24. – P.... Jun 02 '22 at 20:46
  • 1
    Also, only using the latest kubectl client on older clusters may not help. – P.... Jun 02 '22 at 21:17
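
An added example, not part of the original question or answers: a Python check that reads `kubectl version --output=json` and picks between the two commands quoted on this page, requiring both client and server to be 1.24 or newer. The function names and the `SAMPLE_OLD` input are constructed for illustration; stripping a trailing `+` assumes a distribution that reports minor versions such as `23+`.

```python
import json

# Constructed sample of `kubectl version --output=json`: a pre-1.24 client
# talking to a pre-1.24 server that reports its minor version as "23+".
SAMPLE_OLD = """{
  "clientVersion": {"major": "1", "minor": "22", "gitVersion": "v1.22.4"},
  "serverVersion": {"major": "1", "minor": "23+", "gitVersion": "v1.23.6-example"}
}"""

# Same shape, using the version numbers shown in the answer above.
SAMPLE_NEW = """{
  "clientVersion": {"major": "1", "minor": "24", "gitVersion": "v1.24.0"},
  "serverVersion": {"major": "1", "minor": "24", "gitVersion": "v1.24.2"}
}"""

# The two commands from this page; doubled braces survive str.format().
BOUND = "kubectl -n {ns} create token {sa}"
LEGACY = ('kubectl -n {ns} get secret $(kubectl -n {ns} get sa/{sa} '
          '-o jsonpath="{{.secrets[0].name}}") '
          '-o go-template="{{{{.data.token | base64decode}}}}"')


def _major_minor(info):
    """Return (major, minor) as ints, tolerating a minor such as '24+'."""
    return int(info["major"]), int(info["minor"].rstrip("+"))


def supports_create_token(version_json):
    """True only if BOTH client and server report 1.24 or newer."""
    doc = json.loads(version_json)
    for side in ("clientVersion", "serverVersion"):
        # A missing section (for example, no reply from the API server)
        # is treated as unsupported rather than guessed at.
        if side not in doc or _major_minor(doc[side]) < (1, 24):
            return False
    return True


def token_command(version_json, ns="kubernetes-dashboard", sa="admin-user"):
    """Return the command from this page that matches the reported versions."""
    template = BOUND if supports_create_token(version_json) else LEGACY
    return template.format(ns=ns, sa=sa)


if __name__ == "__main__":
    print(token_command(SAMPLE_OLD))
    print(token_command(SAMPLE_NEW))
```

To use it against a real cluster, pass the captured output of `kubectl version --output=json` to `token_command` in place of the sample strings.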