Deploy Kubernetes
=================

.. code:: bash

   $ neo create kubernetes


Dashboard
---------

Tunneling
^^^^^^^^^

.. code:: bash

   $ neo attach -t 8001:127.0.0.1:8001
   [k8s@k8s-test-controller-2hojdpb5a22a ~]$ kube-token
   Name:         admin-user-token-qt8dr
   Namespace:    kube-system
   Labels:       <none>
   Annotations:  kubernetes.io/service-account.name=admin-user
                 kubernetes.io/service-account.uid=1dc769a0-4679-11e8-829f-fa163ebedac7

   Type:  kubernetes.io/service-account-token

   Data
   ====
   ca.crt:     1090 bytes
   namespace:  11 bytes
   token:      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLXF0OGRyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIxZGM3NjlhMC00Njc5LTExZTgtODI5Zi1mYTE2M2ViZWRhYzciLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.XdWFIA49ckETvBSEA

   [k8s@k8s-test-controller-2hojdpb5a22a ~]$ kubectl proxy
   Starting to serve on 127.0.0.1:8001

open url http://127.0.0.1:8001 and then login with your token access


Create simple user
------------------

In this guide, we will find out how to create a new user using Service
Account mechanism of Kubernetes, grant this user admin permissions and
log in to Dashboard using bearer token tied to this user.

Copy provided snippets to some ``xxx.yaml`` file and use
``kubectl create -f xxx.yaml`` to create them.

Create Service Account
^^^^^^^^^^^^^^^^^^^^^^

We are creating Service Account with name ``admin-user`` in namespace
``kube-system`` first.

.. code:: yaml

   apiVersion: v1
   kind: ServiceAccount
   metadata:
     name: admin-user
     namespace: kube-system

Create ClusterRoleBinding
^^^^^^^^^^^^^^^^^^^^^^^^^

In most cases after provisioning our cluster using ``kops`` or
``kubeadm`` or any other popular tool admin ``Role`` already exists in
the cluster. We can use it and create only ``RoleBinding`` for our
``ServiceAccount``.

**NOTE**: ``apiVersion`` of ``ClusterRoleBinding`` resource may differ
between Kubernetes versions. Starting from ``v1.8`` it was promoted to
``rbac.authorization.k8s.io/v1``.

.. code:: yaml

   apiVersion: rbac.authorization.k8s.io/v1beta1
   kind: ClusterRoleBinding
   metadata:
     name: admin-user
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: cluster-admin
   subjects:
   - kind: ServiceAccount
     name: admin-user
     namespace: kube-system

Bearer Token
^^^^^^^^^^^^

Now we need to find token we can use to log in. Execute following
command:

.. code:: bash

   kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')

It should print something like: \```bash Name: admin-user-token-6gl6l
Namespace: kube-system Labels: Annotations:
kubernetes.io/service-account.name=admin-user
kubernetes.io/service-account.uid=b16afba9-dfec-11e7-bbb9-901b0e53