To register a K8S cluster, you must verify the cluster’s Admin Token.
An Admin Token refers to the token value of a ServiceAccount that has the ClusterRole/cluster-admin bound by a ClusterRoleBinding.
Preparation before start
Before checking the Admin Token, review and prepare the following.
- Environment where the kubectl CLI can be used
- Check cluster admin permissions
- View and create ClusterRole, ClusterRoleBinding
- Namespace and ServiceAccount lookup and creation
- The cluster-admin ClusterRole is listed.
```
$ kubectl get clusterrole cluster-admin
NAME            CREATED AT
cluster-admin   2022-12-09T08:21:50Z
```
Query Admin Token
View existing generated Admin Token
- Retrieve the ClusterRoleBinding that has ClusterRole/cluster-admin bound.
- Check the ServiceAccount that is bound by a ClusterRoleBinding.

```
# admin token lookup
$ kubectl get clusterrolebinding | grep ClusterRole/cluster-admin
[crb_name]   ClusterRole/cluster-admin   77d

$ kubectl describe clusterrolebinding [crb_name]
Name:         [crb_name]
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind            Name       Namespace
  ----            ----       ---------
  ServiceAccount  [sa_name]  [namespace_name]
```
Result of retrieving previously generated Admin Token

- Check the Secret associated with the ServiceAccount and retrieve the token (Admin Token).

```
# Secret lookup
$ kubectl get secret -n [namespace_name] | grep [sa_name]
[sa_name]-token-xxxxx   kubernetes.io/service-account-token   3   77d

# token lookup
$ kubectl describe secret [sa_name]-token-xxxxx -n [namespace_name]
Name:         [sa_name]-token-xxxxx
...<omitted>...
Data
====
ca.crt:     1070 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiI...
```
Result of retrieving the Secret and token associated with the ServiceAccount
Create Admin Token
- Create the Namespace for the ServiceAccount. If it already exists, proceed to the next step.

```
$ kubectl create namespace [namespace_name]
# ex) kubectl create namespace my-app
```
Admin Token creation command

- Create the [namespace_name]-additional-cluster-admin-sa.yaml file and then run it.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: [namespace_name]-additional-cluster-admin
  namespace: [namespace_name]
```
ServiceAccount creation example

```
# Create ServiceAccount
$ kubectl apply -f [namespace_name]-additional-cluster-admin-sa.yaml -n [namespace_name]
# ex) kubectl apply -f my-app-additional-cluster-admin-sa.yaml -n my-app
```
ServiceAccount creation command

- Create the [namespace_name]-additional-cluster-admin-crb.yaml file and then run it.

```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: [namespace_name]-additional-cluster-admin
subjects:
  - kind: ServiceAccount
    name: [namespace_name]-additional-cluster-admin
    namespace: [namespace_name]
roleRef:
  kind: ClusterRole
  name: cluster-admin
  # roleRef must point at the RBAC API group; an empty value is defaulted to it, the explicit form is clearer
  apiGroup: rbac.authorization.k8s.io
```
Example of creating a ClusterRoleBinding

```
# Create ClusterRoleBinding
$ kubectl apply -f [namespace_name]-additional-cluster-admin-crb.yaml
# ex) kubectl apply -f my-app-additional-cluster-admin-crb.yaml
```
Command to create a ClusterRoleBinding

- Check the Secret associated with the ServiceAccount and retrieve the token (Admin Token).

```
# Secret lookup
$ kubectl get secret -n [namespace_name] | grep [namespace_name]-additional-cluster-admin
[namespace_name]-additional-cluster-admin-token-xxxxx   kubernetes.io/service-account-token   3   4m53s

# Token lookup
$ kubectl describe secret [namespace_name]-additional-cluster-admin-token-xxxxx -n [namespace_name]
Name:         [namespace_name]-additional-cluster-admin-token-xxxxx
...<omitted>...
Data
====
ca.crt:     1111 bytes
namespace:  6 bytes
token:      eyJhbGciOiJSUzI1Ni...
```
Result of retrieving the Secret and token associated with the ServiceAccount

Note: If no Secret was generated for the ServiceAccount (Kubernetes 1.24 and later no longer create one automatically), create one manually and then retrieve the token.

```yaml
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: [namespace_name]-additional-cluster-admin-token
  namespace: [namespace_name]
  annotations:
    kubernetes.io/service-account.name: "[namespace_name]-additional-cluster-admin"
```
Example of creating a secret
Verify Admin Token Validity
You can verify the validity of the retrieved Admin Token value by editing the ~/.kube/config file.
- Modify ~/.kube/config to use a token for user authentication. Set the token field (ex) users[0].user.token) to the Admin Token value.

```yaml
apiVersion: v1
clusters:
  - cluster:
      certificate-authority-data: LS0...
      server: https://devopscluster-12345.sk...
    name: devopscluster-12345
contexts:
  - context:
      cluster: devopscluster-12345
      user: user
    name: user@devopscluster-12345
current-context: user@devopscluster-12345
kind: Config
users:
  - name: user
    user:
      token: [admin_token]
```
Example of editing ~/.kube/config

- Run the kubectl command to verify that you have cluster-admin privileges.

```
$ kubectl get nodes
$ kubectl get namespace
$ kubectl get all -n kube-system
$ kubectl create namespace admin-test
$ kubectl delete namespace admin-test
# Run other commands
```
Command to check cluster-admin permissions
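Before pasting the Admin Token into ~/.kube/config or a registration form, it is worth confirming that the token really carries the ServiceAccount identity you created and knowing whether it ever expires. The following added example (not code from the original page) decodes the claims of a JWT-shaped ServiceAccount token without verifying its signature; the sample token it builds is constructed for offline use, and the function names are the example's own.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT-shaped ServiceAccount token.

    The signature is not verified here; the API server does that. This only
    shows which identity the token carries before you hand it to anyone.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_admin_token(token: str, namespace: str, sa_name: str, now=None) -> dict:
    """Check the token belongs to the expected ServiceAccount and report its lifetime."""
    claims = decode_claims(token)
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return {
        "subject": claims.get("sub"),
        "subject_ok": claims.get("sub") == expected_sub,
        # Secret-based tokens like the one this page retrieves carry no "exp"
        # claim: they stay valid until the Secret (or ServiceAccount) is deleted.
        "expires": exp is not None,
        "expired": exp is not None and exp <= now,
    }


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned JWT-shaped token for offline testing only (hypothetical helper).
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"
```

A token whose report shows "expires": False stays usable until you delete its Secret, so remove the Secret and ClusterRoleBinding once the cluster registration no longer needs them.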