The page has been translated by Gen AI.

Checking Cluster Admin Token

To register a K8S cluster, you need to check the cluster’s Admin Token.

The Admin Token refers to the Token value of the ServiceAccount that is ClusterRoleBinding to ClusterRole/cluster-admin.

Preparations before starting

Notice

Before checking the Admin Token, please check and prepare the following:

  • Environment where kubectl CLI can be used
  • Cluster Admin permission check
    • ClusterRole, ClusterRoleBinding inquiry and creation
    • Namespace, ServiceAccount inquiry and creation
  • ClusterRole cluster-admin is queried
Color mode
$ kubectl get clusterrole cluster-admin
NAME            CREATED AT
cluster-admin   2022-12-09T08:21:50Z
$ kubectl get clusterrole cluster-admin
NAME            CREATED AT
cluster-admin   2022-12-09T08:21:50Z
cluster-admin ClusterRole query result

Checking Admin Token

Checking existing Admin Token

  1. Query the ClusterRoleBinding that is bound to ClusterRole/cluster-admin.
  2. Check the ServiceAccount bound to ClusterRoleBinding.
    Color mode
    # Query admin token
    $ kubectl get clusterrolebinding | grep ClusterRole/cluster-admin
    [crb_name]     ClusterRole/cluster-admin     77d
    
    $ kubectl describe clusterrolebinding [crb_name]
    Name:         [crb_name]
    Labels:       <none>
    Annotations:  <none>
    Role:
    Kind:  ClusterRole
    Name:  cluster-admin
    Subjects:
    Kind            Name       Namespace
      ----            ----       ---------
    ServiceAccount  [sa_name]  [namespace_name]
    # Query admin token
    $ kubectl get clusterrolebinding | grep ClusterRole/cluster-admin
    [crb_name]     ClusterRole/cluster-admin     77d
    
    $ kubectl describe clusterrolebinding [crb_name]
    Name:         [crb_name]
    Labels:       <none>
    Annotations:  <none>
    Role:
    Kind:  ClusterRole
    Name:  cluster-admin
    Subjects:
    Kind            Name       Namespace
      ----            ----       ---------
    ServiceAccount  [sa_name]  [namespace_name]
    Existing Admin Token query result
  3. Check the Secret connected to the ServiceAccount and query the token (Admin Token).
    Color mode
    # Query Secret
    $ kubectl get secret -n [namespace_name] | grep [sa_name]
    [sa_name]-token-xxxxx                            kubernetes.io/service-account-token   3      77d
    
    # Query token
    $ kubectl describe secret [sa_name]-token-xxxxx -n [namespace_name]
    Name:         [sa_name]-token-xxxxx
    ...<omitted>...
    Data
    ====
    ca.crt:     1070 bytes
    namespace:  11 bytes
    token:      eyJhbGciOiJSUzI1NiI...
    # Query Secret
    $ kubectl get secret -n [namespace_name] | grep [sa_name]
    [sa_name]-token-xxxxx                            kubernetes.io/service-account-token   3      77d
    
    # Query token
    $ kubectl describe secret [sa_name]-token-xxxxx -n [namespace_name]
    Name:         [sa_name]-token-xxxxx
    ...<omitted>...
    Data
    ====
    ca.crt:     1070 bytes
    namespace:  11 bytes
    token:      eyJhbGciOiJSUzI1NiI...
    ServiceAccount connected Secret, token query result

Creating Admin Token

  1. Create a Namespace to create a ServiceAccount. If it already exists, proceed to the next step.
    Color mode
    $ kubectl create namespace [namespace_name]
    
    # ex) kubectl create namespace my-app
    $ kubectl create namespace [namespace_name]
    
    # ex) kubectl create namespace my-app
    Admin Token creation command
  2. Create a [namespace_name]-additional-cluster-admin-sa.yaml file and execute it.
    Color mode
    apiVersion: v1
    kind: ServiceAccount
    metadata:
    name: [namespace_name]-additional-cluster-admin
    namespace: [namespace_name]
    apiVersion: v1
    kind: ServiceAccount
    metadata:
    name: [namespace_name]-additional-cluster-admin
    namespace: [namespace_name]
    ServiceAccount creation example
    Color mode
    # Create ServiceAccount
    $ kubectl apply -f [namespace_name]-additional-cluster-admin-sa.yaml -n [namespace_name]
    
    # ex) kubectl apply -f my-app-additional-cluster-admin-sa.yaml -n my-app
    # Create ServiceAccount
    $ kubectl apply -f [namespace_name]-additional-cluster-admin-sa.yaml -n [namespace_name]
    
    # ex) kubectl apply -f my-app-additional-cluster-admin-sa.yaml -n my-app
    ServiceAccount creation command
  3. Create a [namespace_name]-additional-cluster-admin-crb.yaml file and execute it.
    Color mode
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
       name: [namespace_name]-additional-cluster-admin
    subjects:
    - kind: ServiceAccount
      name: [namespace_name]-additional-cluster-admin
      namespace: [namespace_name]
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: ""
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
       name: [namespace_name]-additional-cluster-admin
    subjects:
    - kind: ServiceAccount
      name: [namespace_name]-additional-cluster-admin
      namespace: [namespace_name]
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: ""
    ClusterRoleBinding creation example
    Color mode
    # Create ClusterRoleBinding
    $ kubectl apply -f [namespace_name]-additional-cluster-admin-crb.yaml
    
    # ex) kubectl apply -f my-app-additional-cluster-admin-crb.yaml
    # Create ClusterRoleBinding
    $ kubectl apply -f [namespace_name]-additional-cluster-admin-crb.yaml
    
    # ex) kubectl apply -f my-app-additional-cluster-admin-crb.yaml
    ClusterRoleBinding creation command
  4. Check the Secret connected to the ServiceAccount and query the token (Admin Token).
    Color mode
    # Query Secret
    $ kubectl get secret -n [namespace_name] | grep [namespace_name]-additional-cluster-admin
    [namespace_name]-additional-cluster-admin-token-xxxxx   kubernetes.io/service-account-token   3      4m53s
    
    # Query token
    $ kubectl describe secret [namespace_name]-additional-cluster-admin-token-xxxxx -n [namespace_name]
    Name:         [namespace_name]-additional-cluster-admin-token-xxxxx
    ...<omitted>...
    Data
    ====
    ca.crt:     1111 bytes
    namespace:  6 bytes
    token:      eyJhbGciOiJSUzI1Ni...
    # Query Secret
    $ kubectl get secret -n [namespace_name] | grep [namespace_name]-additional-cluster-admin
    [namespace_name]-additional-cluster-admin-token-xxxxx   kubernetes.io/service-account-token   3      4m53s
    
    # Query token
    $ kubectl describe secret [namespace_name]-additional-cluster-admin-token-xxxxx -n [namespace_name]
    Name:         [namespace_name]-additional-cluster-admin-token-xxxxx
    ...<omitted>...
    Data
    ====
    ca.crt:     1111 bytes
    namespace:  6 bytes
    token:      eyJhbGciOiJSUzI1Ni...
    ServiceAccount connected Secret, token query result
    Note
    If the created Secret does not exist (in Kubernetes version 1.24 or later), create it manually and query the token.
    Color mode
    apiVersion: v1
    kind: Secret
    type: kubernetes.io/service-account-token
    metadata:
    name: [namespace_name]-additional-cluster-admin-token
    namespace: [namespace_name]
    annotations:
    kubernetes.io/service-account.name: "[namespace_name]-additional-cluster-admin"
    apiVersion: v1
    kind: Secret
    type: kubernetes.io/service-account-token
    metadata:
    name: [namespace_name]-additional-cluster-admin-token
    namespace: [namespace_name]
    annotations:
    kubernetes.io/service-account.name: "[namespace_name]-additional-cluster-admin"
    Secret creation example

Checking Admin Token validity

You can check the validity of the queried Admin Token value by modifying the ~/.kube/config file.

  1. Modify the ~/.kube/config file to use the token for user authentication.
    ex) users[0].user.token Modify to input the Admin Token value.
    Color mode
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: LS0...
        server: https://devopscluster-12345.sk...
      name: devopscluster-12345
    contexts:
    - context:
        cluster: devopscluster-12345
        user: user
      name: user@devopscluster-12345
    current-context: user@devopscluster-12345
    kind: Config
    users:
    - name: user
      user:
        token: [admin_token]
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: LS0...
        server: https://devopscluster-12345.sk...
      name: devopscluster-12345
    contexts:
    - context:
        cluster: devopscluster-12345
        user: user
      name: user@devopscluster-12345
    current-context: user@devopscluster-12345
    kind: Config
    users:
    - name: user
      user:
        token: [admin_token]
    ~/.kube/config modification example
  2. Execute the kubectl command to check if you have cluster-admin permissions.
    Color mode
    $ kubectl get nodes
    $ kubectl get namespace
    $ kubectl get all -n kube-system
    $ kubectl create namespace admin-test
    $ kubectl delete namespace admin-test
    
    # Execute other commands
    $ kubectl get nodes
    $ kubectl get namespace
    $ kubectl get all -n kube-system
    $ kubectl create namespace admin-test
    $ kubectl delete namespace admin-test
    
    # Execute other commands
    cluster-admin permission check command
K8S Cluster
VM Server Group