Kubernetes Dashboard ServiceAccount token authentication
Kubernetes Dashboard ServiceAccount token authentication is the security mechanism the web-based UI uses to verify identity and grant access. Unlike the command-line kubectl tool, which often uses user certificates, the Dashboard typically requires a bearer token generated from a Kubernetes [[ServiceAccount]] to log in^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md].
Overview
When accessing the Kubernetes Dashboard via kubectl proxy, the interface presents a login page requiring an access token^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]. To authenticate successfully, an administrator must create a [[ServiceAccount]], grant it appropriate permissions (such as cluster-admin), and extract its associated secret token^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md].
Implementation Workflow
The process of setting up token authentication involves creating the necessary RBAC resources and retrieving the secret.
1. Create ServiceAccount and RoleBinding
To enable login, you must apply a configuration that binds a [[ServiceAccount]] to a privileged role. The following example creates a ClusterRoleBinding that grants the default ServiceAccount in the kube-system namespace the cluster-admin role^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]:
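```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-system-default
# Role being granted: the built-in cluster-admin ClusterRole
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
# Identity receiving the role: the default ServiceAccount in kube-system
subjects:
- kind: ServiceAccount
  name: default
  namespace: kube-system
```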
Additionally, a Secret object must be explicitly created or annotated to generate the token for the ServiceAccount^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md].
2. Retrieve the Token
Once the resources are applied, the authentication token can be read by describing the ServiceAccount's secret^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md].
```shell
kubectl -n kube-system describe secret default
# Output includes 'token:' followed by the secret string
```
This token string is then pasted into the Dashboard login screen to establish the session^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md].
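A least-privilege variant of the two steps above, as an added example that is not from the original page: the binding in step 1 gives cluster-admin to the default ServiceAccount, which every pod in kube-system without an explicit serviceAccountName also runs as. This manifest instead uses a dedicated account bound to the built-in read-only view ClusterRole and includes the token Secret the text mentions; the names dashboard-viewer, dashboard-viewer-view and dashboard-viewer-token are hypothetical.

```yaml
# Added example, not from the original page. All "dashboard-viewer*" names
# are hypothetical; the namespace follows the page's use of kube-system.
---
# Dedicated identity for Dashboard logins, separate from the namespace's
# default ServiceAccount that workloads fall back to.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-viewer
  namespace: kube-system
---
# Bind the built-in "view" ClusterRole (read-only, excludes Secrets and
# RBAC objects) instead of cluster-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-viewer-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: dashboard-viewer
  namespace: kube-system
---
# Explicit token Secret: the annotation names the ServiceAccount, and the
# control plane fills in data.token for that account.
apiVersion: v1
kind: Secret
metadata:
  name: dashboard-viewer-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: dashboard-viewer
type: kubernetes.io/service-account-token
```

After applying it, `kubectl -n kube-system describe secret dashboard-viewer-token` shows the token in the same way as step 2.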
Related Concepts
- Kubernetes
- [[RBAC]]
- [[ServiceAccount]]
- [[Bearer Token]]
Sources
^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]