The page has been translated by Gen AI.
Checking Cluster Admin Token
To register a K8S cluster, you need to check the cluster's Admin Token.
The Admin Token is the token value of a ServiceAccount that is bound to ClusterRole/cluster-admin through a ClusterRoleBinding.
Preparations before starting
Notice
Before checking the Admin Token, please check and prepare the following:
- Environment where kubectl CLI can be used
- Cluster Admin permission check
- ClusterRole, ClusterRoleBinding inquiry and creation
- Namespace, ServiceAccount inquiry and creation
- Query the ClusterRole cluster-admin.

```shell
$ kubectl get clusterrole cluster-admin
NAME            CREATED AT
cluster-admin   2022-12-09T08:21:50Z
```

Checking Admin Token
Checking existing Admin Token
- Query the ClusterRoleBinding that is bound to ClusterRole/cluster-admin.
- Check the ServiceAccount bound to the ClusterRoleBinding.

```shell
# Query admin token
$ kubectl get clusterrolebinding | grep ClusterRole/cluster-admin
[crb_name]   ClusterRole/cluster-admin   77d
$ kubectl describe clusterrolebinding [crb_name]
Name:         [crb_name]
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind            Name       Namespace
  ----            ----       ---------
  ServiceAccount  [sa_name]  [namespace_name]
```
Existing Admin Token query result

- Check the Secret connected to the ServiceAccount and query the token (Admin Token).

```shell
# Query Secret
$ kubectl get secret -n [namespace_name] | grep [sa_name]
[sa_name]-token-xxxxx   kubernetes.io/service-account-token   3   77d
# Query token
$ kubectl describe secret [sa_name]-token-xxxxx -n [namespace_name]
Name:         [sa_name]-token-xxxxx
...<omitted>...
Data
====
ca.crt:     1070 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiI...
```
Secret connected to the ServiceAccount, token query result
Creating Admin Token
- Create a Namespace for the ServiceAccount. If it already exists, proceed to the next step.

```shell
$ kubectl create namespace [namespace_name]
# ex) kubectl create namespace my-app
```
Admin Token creation command

- Create a [namespace_name]-additional-cluster-admin-sa.yaml file and apply it.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: [namespace_name]-additional-cluster-admin
  namespace: [namespace_name]
```
ServiceAccount creation example

```shell
# Create ServiceAccount
$ kubectl apply -f [namespace_name]-additional-cluster-admin-sa.yaml -n [namespace_name]
# ex) kubectl apply -f my-app-additional-cluster-admin-sa.yaml -n my-app
```
ServiceAccount creation command

- Create a [namespace_name]-additional-cluster-admin-crb.yaml file and apply it.

```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: [namespace_name]-additional-cluster-admin
subjects:
- kind: ServiceAccount
  name: [namespace_name]-additional-cluster-admin
  namespace: [namespace_name]
roleRef:
  kind: ClusterRole
  name: cluster-admin
  # An empty apiGroup is defaulted to this value by the API server; set it explicitly.
  apiGroup: rbac.authorization.k8s.io
```
ClusterRoleBinding creation example

```shell
# Create ClusterRoleBinding
$ kubectl apply -f [namespace_name]-additional-cluster-admin-crb.yaml
# ex) kubectl apply -f my-app-additional-cluster-admin-crb.yaml
```
ClusterRoleBinding creation command

- Check the Secret connected to the ServiceAccount and query the token (Admin Token).

```shell
# Query Secret
$ kubectl get secret -n [namespace_name] | grep [namespace_name]-additional-cluster-admin
[namespace_name]-additional-cluster-admin-token-xxxxx   kubernetes.io/service-account-token   3   4m53s
# Query token
$ kubectl describe secret [namespace_name]-additional-cluster-admin-token-xxxxx -n [namespace_name]
Name:         [namespace_name]-additional-cluster-admin-token-xxxxx
...<omitted>...
Data
====
ca.crt:     1111 bytes
namespace:  6 bytes
token:      eyJhbGciOiJSUzI1Ni...
```
Secret connected to the ServiceAccount, token query result

Note
If no Secret was created for the ServiceAccount (Kubernetes version 1.24 or later no longer creates one automatically), create it manually and then query the token.

```yaml
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: [namespace_name]-additional-cluster-admin-token
  namespace: [namespace_name]
  annotations:
    kubernetes.io/service-account.name: "[namespace_name]-additional-cluster-admin"
```
Secret creation example
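Added example, not part of the original page: the two token-query steps above (the existing-token check and the check after creation) done against the JSON form of the same kubectl output. It lists every ServiceAccount bound to ClusterRole/cluster-admin from `kubectl get clusterrolebinding -o json` and decodes the token stored in the ServiceAccount's Secret to confirm which namespace and ServiceAccount it was issued for. The binding list, Secret and token are constructed samples using the my-app names from the page.

```python
import base64
import json

# Constructed sample: trimmed output of `kubectl get clusterrolebinding -o json`.
CRB_LIST = {"items": [
    {"metadata": {"name": "my-app-additional-cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "my-app",
                   "name": "my-app-additional-cluster-admin"}]},
    {"metadata": {"name": "view-only"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]}

def cluster_admin_service_accounts(crb_list):
    """(binding, namespace, sa) for every ServiceAccount bound to ClusterRole/cluster-admin."""
    found = []
    for crb in crb_list["items"]:
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for subj in crb.get("subjects") or []:   # subjects may be absent entirely
            if subj.get("kind") == "ServiceAccount":
                found.append((crb["metadata"]["name"], subj.get("namespace"), subj["name"]))
    return found

def _b64url(obj):
    """base64url-encode a JSON object without padding (one JWT segment)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def fake_sa_token(namespace, sa):
    """Constructed, unsigned JWT carrying the claims a kubernetes.io/service-account-token has."""
    claims = {"iss": "kubernetes/serviceaccount",
              "kubernetes.io/serviceaccount/namespace": namespace,
              "kubernetes.io/serviceaccount/service-account.name": sa,
              "sub": f"system:serviceaccount:{namespace}:{sa}"}
    return f"{_b64url({'alg': 'RS256'})}.{_b64url(claims)}.signature-omitted"

# Constructed sample: `data` of `kubectl get secret <sa>-token-xxxxx -o json` (values are base64).
SECRET = {"data": {"token": base64.b64encode(
    fake_sa_token("my-app", "my-app-additional-cluster-admin").encode()).decode()}}

def token_identity(secret):
    """Return (namespace, sa) from the token's JWT payload, read without signature checks."""
    token = base64.b64decode(secret["data"]["token"]).decode()
    seg = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    return (claims["kubernetes.io/serviceaccount/namespace"],
            claims["kubernetes.io/serviceaccount/service-account.name"])
```

Reading the payload only identifies the ServiceAccount the token was issued for; whether the token is still accepted is decided by the API server, which is what the validity check below confirms.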
Checking Admin Token validity
You can check the validity of the queried Admin Token value by modifying the ~/.kube/config file.
- Modify the ~/.kube/config file to use the token for user authentication. ex) Set users[0].user.token to the Admin Token value.

```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0...
    server: https://devopscluster-12345.sk...
  name: devopscluster-12345
contexts:
- context:
    cluster: devopscluster-12345
    user: user
  name: user@devopscluster-12345
current-context: user@devopscluster-12345
kind: Config
users:
- name: user
  user:
    token: [admin_token]
```
~/.kube/config modification example

- Execute kubectl commands to check that you have cluster-admin permissions.

```shell
$ kubectl get nodes
$ kubectl get namespace
$ kubectl get all -n kube-system
$ kubectl create namespace admin-test
$ kubectl delete namespace admin-test
# Execute other commands
```
cluster-admin permission check command