Deploy Kubernetes

```bash
$ neo create kubernetes
```
Dashboard

Tunneling

```bash
$ neo attach -t 8001:127.0.0.1:8001
[k8s@k8s-test-controller-2hojdpb5a22a ~]$ kube-token
Name: admin-user-token-qt8dr
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name=admin-user
             kubernetes.io/service-account.uid=1dc769a0-4679-11e8-829f-fa163ebedac7
Type: kubernetes.io/service-account-token

Data
====
ca.crt: 1090 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLXF0OGRyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIxZGM3NjlhMC00Njc5LTExZTgtODI5Zi1mYTE2M2ViZWRhYzciLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.XdWFIA49ckETvBSEA
[k8s@k8s-test-controller-2hojdpb5a22a ~]$ kubectl proxy
Starting to serve on 127.0.0.1:8001
```

Open http://127.0.0.1:8001 in your browser, then log in with your access token.

Create simple user

In this guide, we will find out how to create a new user using the Service Account mechanism of Kubernetes, grant this user admin permissions and log in to Dashboard using a bearer token tied to this user.

Copy the provided snippets to some `xxx.yaml` file and use `kubectl create -f xxx.yaml` to create them.

Create Service Account

First, we create a Service Account named `admin-user` in the `kube-system` namespace.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
```

Create ClusterRoleBinding

In most cases, after provisioning our cluster using `kops`, `kubeadm` or any other popular tool, the admin `Role` already exists in the cluster. We can use it and create only a `RoleBinding` for our `ServiceAccount`.

NOTE: The `apiVersion` of the `ClusterRoleBinding` resource may differ between Kubernetes versions. Starting from v1.8 it was promoted to `rbac.authorization.k8s.io/v1`.

```yaml
# On Kubernetes v1.8 and later use rbac.authorization.k8s.io/v1 (see the note above).
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # cluster-admin grants unrestricted access to every resource in the cluster.
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
```

Bearer Token

Now we need to find the token we can use to log in. Execute the following command:

```bash
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
```

It should print something like:

```bash
Name: admin-user-token-6gl6l
Namespace: kube-system
Labels:
Annotations: kubernetes.io/service-account.name=admin-user
             kubernetes.io/service-account.uid=b16afba9-dfec-11e7-bbb9-901b0e53
```
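
The bearer token printed by `kubectl describe secret` is a JWT whose payload is only base64url-encoded, so anyone who sees it can read which Service Account it belongs to and whether it ever expires. The following is an added example, not part of the original guide: the function names are hypothetical, and the sample token is constructed with a placeholder signature.

```python
import base64
import json

LEGACY = "kubernetes.io/serviceaccount/"  # claim prefix in Secret-based tokens


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))  # restore padding


def b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_sa_token(token: str) -> dict:
    """Decode (without verifying the signature) a service account JWT and summarise it."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    subject = claims.get("sub", "")
    if not subject.startswith("system:serviceaccount:"):
        raise ValueError("subject is not a Kubernetes service account")
    namespace, name = subject.split(":", 3)[2:]
    return {
        "alg": header.get("alg"),
        "namespace": namespace,
        "service_account": name,
        "secret": claims.get(LEGACY + "secret.name"),
        # No "exp" claim: the token stays valid until its Secret is deleted.
        "long_lived": "exp" not in claims,
    }


# Constructed sample shaped like the token above; the signature is a placeholder.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    LEGACY + "namespace": "kube-system",
    LEGACY + "secret.name": "admin-user-token-example",
    LEGACY + "service-account.name": "admin-user",
    "sub": "system:serviceaccount:kube-system:admin-user",
}
SAMPLE_SIG = "c2lnbmF0dXJl"  # placeholder, not a real signature
SAMPLE_TOKEN = ".".join([b64url_encode({"alg": "RS256", "typ": "JWT"}), b64url_encode(SAMPLE_CLAIMS), SAMPLE_SIG])

if __name__ == "__main__":
    print(json.dumps(inspect_sa_token(SAMPLE_TOKEN), indent=2))
```

A token that reports `long_lived: True` for an account bound to `cluster-admin` should be handled like a root password: keep it out of shell history, screenshots and documentation, and delete the Secret when the account is no longer needed.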