February 22, 2020

Create a Kubernetes (k8s) admin user

Creating a kubernetes (k8s) admin user is needed to be able to login to the k8s dashboard.

Create a Kubernetes (k8s) admin user

One of the first things you'll need if you spinning up a kubernetes cluster outside of an environment that doesn't provide you a management interface out of the box (gke, aks, kubernetes on aws) is to create an admin user to login to the dashboard.

If you're working on this in a dev environment then you can use minikube

Install dashboard UI

By default kubernetes (k8s) does not come with with dashboard UI enabled.

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta8/aio/deploy/recommended.yaml

Proxy to the dashboard

You'll need to use kubectl to setup the proxy

...\kubernetes> kubectl proxy
Starting to serve on

Open the dashboard in your browser


You'll be greeted by a confusing login prompt. The way we get around this is by creating a service account so that we can login with that users token.

Create a file admin-account.yml

--- #Admin Account creation
apiVersion: v1
kind: ServiceAccount
  name: admin
  namespace: kube-system

Then lets run this with kubectl

...\kubernetes> kubectl apply -f admin-account.yml
serviceaccount/admin created  

This will create the username admin as a service account. That is still not enough though because we need to give this user permissions to do things with in the cluster.

Now we need to setup the RBAC (Role Based Access Control) to allow our user to connect to the dashboard.

Create a file admin-rbac.yml

--- #grant cluster-admin (superuser) authorization to admin user
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
  name: admin
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
- kind: ServiceAccount
  name: admin
  namespace: kube-system

Lets run this config against the cluster with kubectl

...\kubernetes> kubectl.exe apply -f .\admin-rbac.yml                             clusterrolebinding.rbac.authorization.k8s.io/admin created

Now this config being applied has created a secret that we can lookup to get the access token to pass into the dashboard.

Window Users Note: If you're using windows then you will need to install a couple things via Choco

choco install awk vim grep

If you are on a linux/mac machine then those tools are most likely installed already.

Look up the secret token

kubectl -n kube-system describe secret $(kubectl -n kube-system get secret |grep admin |awk '{print $1}')
Name:         admin-token-gjqgw
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin
              kubernetes.io/service-account.uid: e1201d63-cb23-440e-9d48-e3f40aeb16da

Type:  kubernetes.io/service-account-token

ca.crt:     1066 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6ImJqelYtSEFtSkRXV2pDUTZkc2JUTTMyb3U3OXZoZmhxS0dXT0tjcktTT1kifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi1nanFndyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImUxMjAxZDYzLWNiMjMtNDQwZS05ZDQ4LWUzZjQwYWViMTZkYSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.UWgXavMcBwtqTYeWIhpV_PmjIjKu5Zf6Cb_rL0ieDs0qG--GBMNf5Og3VTsDd-dwW9DnytKJuzU93rdw4lAl_LeN_ALx3gIJg0eYHd3ZjyFp2kbguPrvxNwrBxwYjAi-RO95pF_YiKH8jE38UfXqjgBEf7mKlzbw86sooZ-vL3pL4N5gEkf9BxZWbVx-4B5TjppsMZnz1Xo2tUzlb2V4U8cv4Xr7lwfegSUTWTxX_nqPEkXuXfbmjJUFBp1F_7l6Q7oHSHQiVWaohRaTyz3Kz0A6Md7pn-W-D91aQ3JdIiPLN15ii0CeSYFBEpb4LDch3nowPb3KMTCgriCHjvGK2w

Your token that you get back with be different than what's above. But you'll now be able to copy and paste that and goto your dashboard.

K8S Dashboard

Congratulations you now have access to your k8s dashboard using our newly created admin account.