
I have a few kubernetes service accounts.

I want to log in to the Kubernetes dashboard.

$ kubectl get sa -n kubernetes-dashboard
NAME                   SECRETS   AGE
whitebear              0         9m37s
default                0         15m
kubernetes-dashboard   0         15m

However, the service account doesn't have a token.

$ kubectl describe sa whitebear -n kubernetes-dashboard
Name:                whitebear
Namespace:           kubernetes-dashboard
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              <none>
Events:              <none>

How can I create a token for the account?

I am using Docker for Mac, in a local environment.

Thank you very much.

Solution

Thanks to @Sai Chandini Routhu!!

I made a token and logged in successfully.

kubectl create token default

However, it was not enough to use the dashboard.

I made a cluster role:

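kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: service-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["*"] # every resource in the core API group
  verbs: ["*"]     # every verb, including write and delete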

Then I bound this to my account.

kubectl create clusterrolebinding service-reader-pod \
  --clusterrole=service-reader \
  --serviceaccount=default:whitebear

Now I can log in and operate the dashboard!

2 Answers


  1. Tokens are not generated by default for ServiceAccounts since Kubernetes version 1.22. To create a long-lived ServiceAccount token in a Secret, see this documentation, which says:

    If you want to obtain an API token for a ServiceAccount, you create a new Secret with a special annotation, kubernetes.io/service-account.name.

    kubectl apply -f - <<EOF
    apiVersion: v1
    kind: Secret
    metadata:
      name: build-robot-secret
      annotations:
        kubernetes.io/service-account.name: build-robot
    type: kubernetes.io/service-account-token
    EOF
    

    If you view the Secret using:

    kubectl get secret/build-robot-secret -o yaml
    

    you can see that the Secret now contains an API token for the "build-robot" ServiceAccount.

    Solution as

  2. Any processes or applications running inside the pod of the Kubernetes cluster can gain access to the cluster by obtaining service account authentication from the API server.

    As per this doc by @pramodAIML:

    When you create a pod, if you do not specify a service account, it is
    automatically assigned the default service account in the same
    namespace.

    For describing the service account:

    you have to type the following kubectl command:

    kubectl describe serviceaccount my-webpage-sa
    

    So if you carefully watch the output you will see that the Tokens
    attribute is created with the value. This token is stored as a secret
    object, this secret object is attached to the service
    account: my-webpage-sa.

    To view the secret object :

    If you want to view what's the content of the secret object, we can type
    the following command:

    $ kubectl describe secret <token-value>
    

    To obtain the necessary data from the Kubernetes cluster API server,
    this key can be exchanged as an authentication bearer token in your
    REST API call.

    Refer to this doc for more information about Using service account tokens to connect with the API server

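The page shows two ways to get a ServiceAccount token: `kubectl create token` in the question's solution and the Secret-based long-lived token in the first answer. The Python below is an added example, not code from any poster, that decodes a token's claims to show which `<namespace>:<name>` an RBAC binding must name and whether the token ever expires. It assumes the token is a JWT whose `sub` claim has the form `system:serviceaccount:<namespace>:<name>`; `decode_claims`, `describe`, `sample_token` and both sample tokens are constructed for illustration.

```python
import base64
import json
import time

PREFIX = "system:serviceaccount:"  # subject prefix assumed for ServiceAccount tokens


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def describe(token: str, now=None) -> dict:
    """Summarise whose token this is and whether it ever expires."""
    claims = decode_claims(token)
    sub = claims.get("sub", "")
    if not sub.startswith(PREFIX):
        raise ValueError("subject is not a ServiceAccount: %r" % sub)
    namespace, name = sub[len(PREFIX):].split(":", 1)
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return {
        "namespace": namespace,
        "name": name,
        # the value a binding has to use: --serviceaccount=<namespace>:<name>
        "binding_subject": f"{namespace}:{name}",
        "long_lived": exp is None,  # no "exp" claim means the token never expires
        "seconds_left": None if exp is None else int(exp - now),
    }


def sample_token(claims: dict) -> str:
    """Build an unsigned sample token for this demo (constructed, dummy signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "c2ln"])


# Constructed samples: a time-bound token and a Secret-based token without "exp".
BOUND = sample_token({"sub": PREFIX + "kubernetes-dashboard:whitebear",
                      "iat": 1700000000, "exp": 1700003600})
LEGACY = sample_token({"iss": "kubernetes/serviceaccount",
                       "sub": PREFIX + "default:build-robot"})
```

Comparing `binding_subject` with the `--serviceaccount` value of a role binding shows quickly whether the binding targets the account the token belongs to.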