Checking Cluster Admin Token

    To register a K8S cluster, you need to check the cluster's Admin Token.

    The Admin Token is the token of a ServiceAccount that a ClusterRoleBinding binds to the ClusterRole cluster-admin. Anyone who holds this token has full control of the cluster, so treat it as a root-level credential: store it only in a secrets manager, never in source control or chat, and delete the ServiceAccount (or its Secret) to revoke it.

    Preparations before starting

    Notice

    Before checking the Admin Token, check and prepare the following:

    • An environment where the kubectl CLI can be used
    • Cluster Admin permissions for the account running kubectl:
      • Query and create ClusterRole, ClusterRoleBinding
      • Query and create Namespace, ServiceAccount
    • Confirm that the ClusterRole cluster-admin exists:
    $ kubectl get clusterrole cluster-admin
    NAME            CREATED AT
    cluster-admin   2022-12-09T08:21:50Z
    cluster-admin ClusterRole query result

    Checking Admin Token

    Checking existing Admin Token

    1. Query the ClusterRoleBindings whose roleRef is ClusterRole/cluster-admin.
    2. Check which ServiceAccount the ClusterRoleBinding binds (the Subjects section of the output). Several bindings may match: pick one whose subject is a ServiceAccount. Bindings whose subject is a Group or User (for example the built-in cluster-admin binding to the system:masters group) have no token to extract.
      # Query admin token
      $ kubectl get clusterrolebinding | grep ClusterRole/cluster-admin
      [crb_name]     ClusterRole/cluster-admin     77d
      
      $ kubectl describe clusterrolebinding [crb_name]
      Name:         [crb_name]
      Labels:       <none>
      Annotations:  <none>
      Role:
        Kind:  ClusterRole
        Name:  cluster-admin
      Subjects:
        Kind            Name       Namespace
        ----            ----       ---------
        ServiceAccount  [sa_name]  [namespace_name]
      Existing Admin Token query result
    3. Check the Secret connected to the ServiceAccount and query the token (Admin Token). kubectl describe secret prints the token already base64-decoded, so the value shown can be used as-is.
      # Query Secret
      $ kubectl get secret -n [namespace_name] | grep [sa_name]
      [sa_name]-token-xxxxx                            kubernetes.io/service-account-token   3      77d
      
      # Query token
      $ kubectl describe secret [sa_name]-token-xxxxx -n [namespace_name]
      Name:         [sa_name]-token-xxxxx
      ...<omitted>...
      Data
      ====
      ca.crt:     1070 bytes
      namespace:  11 bytes
      token:      eyJhbGciOiJSUzI1NiI...
      ServiceAccount connected Secret, token query result

    Creating Admin Token

    1. Create a Namespace in which to create the ServiceAccount. If it already exists, proceed to the next step.
      $ kubectl create namespace [namespace_name]
      
      # ex) kubectl create namespace my-app
      Namespace creation command
    2. Create a [namespace_name]-additional-cluster-admin-sa.yaml file and apply it. The name and namespace fields must be indented under metadata.
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: [namespace_name]-additional-cluster-admin
        namespace: [namespace_name]
      ServiceAccount creation example
      # Create ServiceAccount
      $ kubectl apply -f [namespace_name]-additional-cluster-admin-sa.yaml -n [namespace_name]
      
      # ex) kubectl apply -f my-app-additional-cluster-admin-sa.yaml -n my-app
      ServiceAccount creation command
    3. Create a [namespace_name]-additional-cluster-admin-crb.yaml file and apply it. roleRef.apiGroup must be rbac.authorization.k8s.io; the API server rejects a binding with an empty apiGroup, and roleRef cannot be changed after the binding is created, so get it right before applying.
      kind: ClusterRoleBinding
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: [namespace_name]-additional-cluster-admin
      subjects:
      - kind: ServiceAccount
        name: [namespace_name]-additional-cluster-admin
        namespace: [namespace_name]
      roleRef:
        kind: ClusterRole
        name: cluster-admin
        apiGroup: rbac.authorization.k8s.io
      ClusterRoleBinding creation example
      # Create ClusterRoleBinding
      $ kubectl apply -f [namespace_name]-additional-cluster-admin-crb.yaml
      
      # ex) kubectl apply -f my-app-additional-cluster-admin-crb.yaml
      ClusterRoleBinding creation command
    4. Check the Secret connected to the ServiceAccount and query the token (Admin Token).
      # Query Secret
      $ kubectl get secret -n [namespace_name] | grep [namespace_name]-additional-cluster-admin
      [namespace_name]-additional-cluster-admin-token-xxxxx   kubernetes.io/service-account-token   3      4m53s
      
      # Query token
      $ kubectl describe secret [namespace_name]-additional-cluster-admin-token-xxxxx -n [namespace_name]
      Name:         [namespace_name]-additional-cluster-admin-token-xxxxx
      ...<omitted>...
      Data
      ====
      ca.crt:     1111 bytes
      namespace:  6 bytes
      token:      eyJhbGciOiJSUzI1Ni...
      ServiceAccount connected Secret, token query result
      Note
      In Kubernetes 1.24 or later a Secret is no longer generated automatically for a ServiceAccount. If no Secret exists, create it manually with the manifest below, apply it with kubectl apply -f, and query the token with kubectl describe secret [namespace_name]-additional-cluster-admin-token -n [namespace_name]; the token controller fills in the token shortly after the Secret is created.
      A token created this way never expires. If the system registering the cluster accepts a short-lived token, kubectl create token [namespace_name]-additional-cluster-admin -n [namespace_name] --duration=1h issues a bound token with an expiry instead and avoids leaving a permanent cluster-admin credential in the cluster.
      apiVersion: v1
      kind: Secret
      type: kubernetes.io/service-account-token
      metadata:
        name: [namespace_name]-additional-cluster-admin-token
        namespace: [namespace_name]
        annotations:
          kubernetes.io/service-account.name: "[namespace_name]-additional-cluster-admin"
      Secret creation example

    Checking Admin Token validity

    You can check the validity of the queried Admin Token by using it as the user credential in a kubeconfig file. Do not overwrite the ~/.kube/config you use day to day: copy it to a separate file (for example ~/.kube/admin-token-test), edit the copy, and point kubectl at it with the KUBECONFIG variable or the --kubeconfig flag.

    1. Edit the kubeconfig copy so that the user authenticates with the token.
      ex) Set users[0].user.token to the Admin Token value.
      apiVersion: v1
      clusters:
      - cluster:
          certificate-authority-data: LS0...
          server: https://devopscluster-12345.sk...
        name: devopscluster-12345
      contexts:
      - context:
          cluster: devopscluster-12345
          user: user
        name: user@devopscluster-12345
      current-context: user@devopscluster-12345
      kind: Config
      users:
      - name: user
        user:
          token: [admin_token]
      kubeconfig modification example
    2. Run kubectl against that file and check that the requests succeed with cluster-admin permissions. kubectl auth can-i '*' '*' asks the API server whether the token may perform every verb on every resource and prints yes for cluster-admin; the create/delete namespace pair confirms write access rather than read access only.
      $ export KUBECONFIG=~/.kube/admin-token-test
      $ kubectl auth can-i '*' '*'
      yes
      $ kubectl get nodes
      $ kubectl get namespace
      $ kubectl get all -n kube-system
      $ kubectl create namespace admin-test
      $ kubectl delete namespace admin-test
      
      # Run further commands as needed
      cluster-admin permission check command
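    Before a queried token is placed in a kubeconfig or handed to a registration system, it is worth confirming offline that it belongs to the expected ServiceAccount and knowing whether it is a long-lived Secret-backed token (no exp claim) or an expiring bound token. The following added example is not part of the original page or of any vendor tool: it decodes the JWT payload of a service-account token without verifying the signature (only the API server can do that), extracts namespace and ServiceAccount name from the sub claim that both token formats carry, and reports whether the token has expired. The two sample tokens, their claim values, the namespace my-app and the ServiceAccount names are constructed for this example.

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _make_token(payload: dict) -> str:
    """Build header.payload.signature with a dummy signature (constructed, not signed)."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}.c2lnbmF0dXJlLW5vdC1jaGVja2Vk"


# Constructed sample: legacy Secret-backed token (no exp, flat kubernetes.io/serviceaccount/* claims)
LEGACY_TOKEN = _make_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "my-app",
    "kubernetes.io/serviceaccount/secret.name": "my-app-additional-cluster-admin-token-abc12",
    "kubernetes.io/serviceaccount/service-account.name": "my-app-additional-cluster-admin",
    "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000001",
    "sub": "system:serviceaccount:my-app:my-app-additional-cluster-admin",
})

# Constructed sample: bound token (kubectl create token / projected volume) for a different SA
BOUND_TOKEN = _make_token({
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "exp": 4102444800,  # 2100-01-01, constructed far-future expiry
    "iat": 1700000000,
    "iss": "https://kubernetes.default.svc.cluster.local",
    "kubernetes.io": {"namespace": "my-app",
                      "serviceaccount": {"name": "other-sa", "uid": "00000000-0000-0000-0000-000000000002"}},
    "sub": "system:serviceaccount:my-app:other-sa",
})


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload claims. Signature is NOT verified here."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def inspect_sa_token(token: str, expected_ns: str, expected_sa: str, now: float = None) -> dict:
    """Check that a service-account token names the expected SA and report its lifetime class."""
    claims = decode_jwt_payload(token)
    sub = claims.get("sub", "")
    prefix = "system:serviceaccount:"
    # Both legacy and bound tokens carry sub = system:serviceaccount:<namespace>:<name>
    if not sub.startswith(prefix) or sub.count(":") != 3:
        raise ValueError(f"not a service account token: sub={sub!r}")
    ns, sa = sub[len(prefix):].split(":", 1)
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return {
        "namespace": ns,
        "serviceaccount": sa,
        "matches_expected": (ns, sa) == (expected_ns, expected_sa),
        "long_lived": exp is None,          # legacy Secret-backed tokens never expire
        "expired": exp is not None and now >= exp,
        "issuer": claims.get("iss"),
    }


if __name__ == "__main__":
    for label, tok in (("legacy", LEGACY_TOKEN), ("bound", BOUND_TOKEN)):
        print(label, inspect_sa_token(tok, "my-app", "my-app-additional-cluster-admin"))
```

    A result with matches_expected false means the token was copied from the wrong Secret; long_lived true means the credential must be revoked by deleting the Secret or ServiceAccount rather than waiting for it to expire.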