kubernetes/dashboard Creating sample user
In this guide, we will find out how to create a new user using the Service Account mechanism of Kubernetes, grant this user admin permissions, and log in to Dashboard using a bearer token tied to this user.
IMPORTANT: Make sure that you know what you are doing before proceeding. Granting admin privileges to Dashboard's Service Account might be a security risk.
Copy the following snippets for ServiceAccount and ClusterRoleBinding to a new manifest file such as dashboard-adminuser.yaml and use kubectl apply -f dashboard-adminuser.yaml to create them.
Create Service Account
We first create a Service Account with the name admin-user in the namespace kubernetes-dashboard.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
Create ClusterRoleBinding
In most cases, after provisioning our cluster using kops, kubeadm or any other popular tool, the ClusterRole cluster-admin already exists in the cluster. We can use it and create only a ClusterRoleBinding for our ServiceAccount.
NOTE: The apiVersion of the ClusterRoleBinding resource may differ between Kubernetes versions. Prior to Kubernetes v1.8 the apiVersion was rbac.authorization.k8s.io/v1beta1.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
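A check that goes with the binding above, as an added example that is not part of the original guide or of the Dashboard project: it lists every ServiceAccount, or built-in ServiceAccount group, bound to cluster-admin in the JSON produced by kubectl get clusterrolebindings -o json. The function name, the RISKY_ROLES set and every sample binding other than admin-user are assumptions constructed for illustration.

```python
import json
import sys

RISKY_ROLES = {"cluster-admin"}      # assumption: roles treated as full-cluster access
SA_GROUP = "system:serviceaccounts"  # built-in group that contains every ServiceAccount
ADMIN = {"kind": "ClusterRole", "name": "cluster-admin"}

# Constructed sample, shaped like `kubectl get clusterrolebindings -o json` output.
SAMPLE = {"items": [
    {"metadata": {"name": "admin-user"}, "roleRef": ADMIN,
     "subjects": [{"kind": "ServiceAccount", "name": "admin-user",
                   "namespace": "kubernetes-dashboard"}]},
    {"metadata": {"name": "ops-humans"}, "roleRef": ADMIN,
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "ns-wide"}, "roleRef": ADMIN,
     "subjects": [{"kind": "Group",
                   "name": "system:serviceaccounts:kubernetes-dashboard"}]},
    {"metadata": {"name": "viewer"}, "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "reader", "namespace": "default"}]},
    {"metadata": {"name": "no-subjects"}, "roleRef": ADMIN, "subjects": None},
]}


def admin_service_accounts(crb_list, risky_roles=RISKY_ROLES):
    """Return sorted (binding, role, subject) tuples for ServiceAccounts holding a risky role."""
    findings = []
    for item in crb_list.get("items", []):
        role = item.get("roleRef", {})
        if role.get("kind") != "ClusterRole" or role.get("name") not in risky_roles:
            continue
        for subj in item.get("subjects") or []:  # subjects may be absent or null
            kind, name = subj.get("kind"), subj.get("name", "")
            if kind == "ServiceAccount":
                who = f"{subj.get('namespace', '?')}/{name}"
            elif kind == "Group" and (name == SA_GROUP or name.startswith(SA_GROUP + ":")):
                who = f"{name} (group of ServiceAccounts)"
            else:
                continue  # users and other groups are outside this check
            findings.append((item["metadata"]["name"], role["name"], who))
    return sorted(findings)


if __name__ == "__main__":
    data = SAMPLE  # constructed sample unless a JSON file path is given
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    for binding, role, who in admin_service_accounts(data):
        print(f"{binding}: {who} -> {role}")
```

Save the real output with kubectl get clusterrolebindings -o json > crb.json and pass crb.json as the first argument; a group subject is reported because it grants the role to every ServiceAccount in that group.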
Bearer Token
Now we need to find the token we can use to log in. Execute the following command:
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')
It should print something like:
Name:         admin-user-token-v57nw
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin-user
              kubernetes.io/service-account.uid: 0303243c-4040-4a58-8a47-849ee9ba79c1
Type:  kubernetes.io/service-account-token
Data
====
ca.crt: 1066 bytes
namespace: 20 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.Z2JrQlitASVwWbc-s6deLRFVk5DWD3P_vjUFXsqVSY10pbjFLG4njoZwh8p3tLxnX_VBsr7_6bwxhWSYChp9hwxznemD5x5HLtjb16kI9Z7yFWLtohzkTwuFbqmQaMoget_nYcQBUC5fDmBHRfFvNKePh_vSSb2h_aYXa8GV5AcfPQpY7r461itme1EXHQJqv-SN-zUnguDguCTjD80pFZ_CmnSE1z9QdMHPB8hoB4V68gtswR1VLa6mSYdgPwCHauuOobojALSaMc3RH7MmFUumAgguhqAkX3Omqd3rJbYOMRuMjhANqd08piDC3aIabINX6gP5-Tuuw2svnV6NYQ
Now copy the token and paste it into the Enter token field on the login screen.
Click the Sign in button and that's it. You are now logged in as an admin.
To find out more about how to grant or deny permissions in Kubernetes, read the official authentication & authorization documentation.