Kubernetes Dashboard token authentication

Kubernetes Dashboard token authentication is the security mechanism used to access the web-based user interface for Kubernetes. To interact with the cluster via the Dashboard, users must provide a bearer token, which the Kubernetes API server uses to verify their identity and permissions^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md].

Accessing the Dashboard Interface

The Dashboard is typically deployed using a standard YAML configuration file^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]. Once the Dashboard pods are running, access is often established locally using the kubectl proxy command^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]. This command creates a proxy server between your local machine and the Kubernetes API server, allowing you to access the Dashboard via a specific URL, usually http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md].

Upon navigating to this URL, the user is presented with a login screen that requires an access token for authentication^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md].

Token Generation and RBAC Configuration

To log in, a valid authentication token must be generated. This process typically involves creating a [[ServiceAccount]] and binding it to a role with appropriate permissions, such as cluster-admin^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md].

A common way to set up this access is to create a ClusterRoleBinding and a Secret manually^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]:

  1. Apply RBAC Configuration: Users apply a configuration that grants a specific service account (e.g., default in the kube-system namespace) administrative privileges^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md].
  2. Create Secret: A generic secret of type kubernetes.io/service-account-token is created to store the token associated with that service account^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md].

Retrieving the Token

Once the RBAC resources and the secret are applied, the actual token string can be retrieved from the cluster^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]. This is often done by describing the generated secret object using kubectl^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md].

For example, on macOS, a command can be used to parse the output of kubectl describe secret to extract the token value^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]. This token is then copied and pasted into the Dashboard login screen to grant access^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md].
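
The retrieval step above, as an added example that is not taken from the cited source: it pulls the token: field out of kubectl describe secret output and decodes the token's claims locally, so you can confirm which service account it represents before pasting it into the login screen. The function names, the secret name default-token-example and the sample token are constructed for illustration; the signature is not verified.

```shell
#!/usr/bin/env bash
# Added example: extract the token from `kubectl describe secret` output and
# decode its claims locally to see which identity it represents.

# Print the value of the "token:" field from describe output read on stdin.
extract_token() { awk '$1 == "token:" { print $2 }'; }

# Decode one base64url segment (JWT segments drop padding and use - and _).
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the JSON claims (second dot-separated segment). No signature check.
token_claims() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Print the "sub" claim: system:serviceaccount:<namespace>:<name>.
token_subject() { token_claims "$1" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'; }

# Succeed only if the token carries an "exp" claim, i.e. it is time-limited.
token_expires() { token_claims "$1" | grep -q '"exp":'; }

# Encode a string as an unpadded base64url segment (used to build the sample).
enc() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }

# Constructed sample: a fake, unsigned token for kube-system/default inside
# output shaped like `kubectl describe secret`. All values are made up.
sample_describe() {
  claims='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/service-account.name":"default","sub":"system:serviceaccount:kube-system:default"}'
  printf 'Name:         default-token-example\n'
  printf 'Namespace:    kube-system\n'
  printf 'Type:  kubernetes.io/service-account-token\n\n'
  printf 'Data\n====\n'
  printf 'ca.crt:     1066 bytes\n'
  printf 'namespace:  11 bytes\n'
  printf 'token:      %s.%s.%s\n' "$(enc '{"alg":"RS256"}')" "$(enc "$claims")" "constructed-signature"
}

# Against a real cluster, pipe `kubectl -n kube-system describe secret <name>` instead.
TOKEN=$(sample_describe | extract_token)
echo "subject: $(token_subject "$TOKEN")"
if token_expires "$TOKEN"; then echo "expiry: set"; else echo "expiry: none (long-lived)"; fi
```

A token read from a kubernetes.io/service-account-token Secret carries no exp claim, so it stays valid until the Secret or its service account is deleted; with the cluster-admin binding described above, it is a standing full-cluster credential and should be stored and removed accordingly.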

  • [[ServiceAccount]]
  • [[RBAC]]

Sources