Which token to use for kubernetes-dashboard login with Google Cloud Platform


I'm using Google Cloud Platform and Kubernetes.

I'm trying to find out which token I should use in order to log in to the dashboard and have enough permissions to do as I please.

I created a 3-node Kubernetes 1.8.6 cluster on Google Cloud Platform.

My developer desktop is a Mac Pro (late 2013) on macOS High Sierra 10.13.2 with google-cloud-sdk and kubernetes-cli installed from Homebrew.

~ ❯❯❯ kubectl version                                                                                                         ✘ 1
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.1", GitCommit:"3a1c9449a956b6026f075fa3134ff92f7d55f812", GitTreeState:"clean", BuildDate:"2018-01-04T20:00:41Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"8+", GitVersion:"v1.8.6-gke.0", GitCommit:"ee9a97661f14ee0b1ca31d6edd30480c89347c79", GitTreeState:"clean", BuildDate:"2018-01-05T03:36:42Z", GoVersion:"go1.8.3b4", Compiler:"gc", Platform:"linux/amd64"}

and

~ ❯❯❯ gcloud version
Google Cloud SDK 184.0.0
bq 2.0.28
core 2018.01.05
gsutil 4.28

I read in the docs that it's not safe to create an admin user for the dashboard. Unfortunately, the permissions for the dashboard pod confuse me a bit.

When I execute kubectl get secrets -n kube-system and decode one of the tokens with kubectl get secret <TOKEN_NAME> -n=kube-system -o json | jq -r '.data["token"]' | base64 -D > user_token.txt

and use that to log in using the kubectl web proxy I started with the command kubectl proxy, I get lots of permission errors when I try to view any of the pages in the dashboard web interface. I probably don't use the proper token, or I need to create a new token.

Is there a way to view the permissions of the tokens so I'll know beforehand what I'm actually trying to log in with?

Update

So I ran kubectl to get all the secret tokens in the kube-system namespace:

~ ❯❯❯ kubectl get secrets -n kube-system
NAME                                     TYPE                                  DATA      AGE
attachdetach-controller-token-4pp92      kubernetes.io/service-account-token   3         10m
certificate-controller-token-bqnjp       kubernetes.io/service-account-token   3         10m
cloud-provider-token-ltbnh               kubernetes.io/service-account-token   3         10m
cronjob-controller-token-84cl9           kubernetes.io/service-account-token   3         10m
daemon-set-controller-token-ncz5r        kubernetes.io/service-account-token   3         10m
default-token-fpmht                      kubernetes.io/service-account-token   3         10m
deployment-controller-token-4xc8k        kubernetes.io/service-account-token   3         10m
disruption-controller-token-9gdqg        kubernetes.io/service-account-token   3         10m
endpoint-controller-token-gr29m          kubernetes.io/service-account-token   3         10m
event-exporter-sa-token-6klz5            kubernetes.io/service-account-token   3         10m
fluentd-gcp-token-s2kk4                  kubernetes.io/service-account-token   3         10m
generic-garbage-collector-token-tqbqz    kubernetes.io/service-account-token   3         10m
heapster-token-7pgmr                     kubernetes.io/service-account-token   3         10m
horizontal-pod-autoscaler-token-74v57    kubernetes.io/service-account-token   3         10m
job-controller-token-2skhj               kubernetes.io/service-account-token   3         10m
kube-dns-autoscaler-token-wc9gz          kubernetes.io/service-account-token   3         10m
kube-dns-token-nx2tf                     kubernetes.io/service-account-token   3         10m
kubernetes-dashboard-certs               Opaque                                0         10m
kubernetes-dashboard-key-holder          Opaque                                2         9m
kubernetes-dashboard-token-zxp7n         kubernetes.io/service-account-token   3         10m
namespace-controller-token-tz54r         kubernetes.io/service-account-token   3         10m
node-controller-token-m2w7k              kubernetes.io/service-account-token   3         10m
persistent-volume-binder-token-6sfkt     kubernetes.io/service-account-token   3         10m
pod-garbage-collector-token-zqxhd        kubernetes.io/service-account-token   3         10m
replicaset-controller-token-8n6b7        kubernetes.io/service-account-token   3         10m
replication-controller-token-nb2tw       kubernetes.io/service-account-token   3         10m
resourcequota-controller-token-blhfg     kubernetes.io/service-account-token   3         10m
route-controller-token-c5ns6             kubernetes.io/service-account-token   3         10m
service-account-controller-token-zptxc   kubernetes.io/service-account-token   3         10m
service-controller-token-75hht           kubernetes.io/service-account-token   3         10m
statefulset-controller-token-fhpk8       kubernetes.io/service-account-token   3         10m
ttl-controller-token-5vwln               kubernetes.io/service-account-token   3         10m

Then I executed

kubectl get secret kubernetes-dashboard-token-zxp7n -n=kube-system -o json | jq -r '.data["token"]' | base64 -D > user_token.txt

and used that token to log in.

After login I get the following messages:

warning
configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list configmaps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list persistentvolumeclaims in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
secrets is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list secrets in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
services is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list services in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
ingresses.extensions is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list ingresses.extensions in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
daemonsets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list daemonsets.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
pods is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list pods in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
events is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list events in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
deployments.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list deployments.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
replicasets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list replicasets.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
jobs.batch is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list jobs.batch in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
cronjobs.batch is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list cronjobs.batch in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
replicationcontrollers is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list replicationcontrollers in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"
close
warning
statefulsets.apps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list statefulsets.apps in the namespace "default": Unknown user "system:serviceaccount:kube-system:kubernetes-dashboard"

Any ideas why?
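
The question asks whether a token's permissions can be checked before logging in. As an added example (not part of the original post or of any answer), this script reads the identity carried inside a service-account token and asks the API server what that identity may list; the function names, the resource list and the sample token are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find out which identity a dashboard token carries, then ask
# the API server what that identity may list. Sample data below is constructed.

# Decode the payload (second dot-separated part) of a JWT. Service-account
# tokens are JWTs; the gcloud OAuth access token is opaque and is rejected here.
jwt_payload() {
  case $1 in *.*.*.*) return 1 ;; *.*.*) ;; *) return 1 ;; esac
  part=${1#*.}; part=${part%%.*}
  part=$(printf '%s' "$part" | tr '_-' '/+')        # base64url -> base64
  while [ $(( ${#part} % 4 )) -ne 0 ]; do part="$part="; done
  printf '%s' "$part" | base64 --decode
}

# Print the "sub" claim, e.g. system:serviceaccount:<namespace>:<name>.
token_subject() {
  payload=$(jwt_payload "$1") || return 1
  sub=$(printf '%s' "$payload" |
    sed -n 's/.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$sub" ] && printf '%s\n' "$sub"
}

# Check "list" on resources the dashboard reads. The current kubectl context
# must be allowed to impersonate (for example a cluster admin).
probe_list_rights() {
  for res in pods services secrets configmaps deployments.apps; do
    printf '%-18s %s\n' "$res" \
      "$(kubectl auth can-i list "$res" -n "${2:-default}" --as "$1" 2>&1)"
  done
}

# Constructed, unsigned token in the legacy service-account claim layout.
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }
sample_token() {
  claims='{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:kube-system:kubernetes-dashboard"}'
  printf '%s.%s.%s' "$(printf '{"alg":"RS256"}' | b64url)" \
    "$(printf '%s' "$claims" | b64url)" "constructed-signature"
}

# Usage: sh token_check.sh user_token.txt
if [ -f "${1:-}" ]; then
  subject=$(token_subject "$(cat "$1")") || { echo "not a JWT" >&2; exit 1; }
  echo "token authenticates as: $subject"
  probe_list_rights "$subject"
fi
```

A "no" from kubectl auth can-i for that subject corresponds to the "is forbidden" warnings the dashboard shows after login with the same token.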

All secrets in the kube-system namespace have full access. You can create new secrets, but you need to grant this access.


After you connect to the cluster with gcloud container clusters get-credentials, use the following command to get the access token of the current context:

kubectl config view | grep -A10 "name: $(kubectl config current-context)" | awk '$1=="access-token:"{print $2}'


A more reliable alternative to this answer is using jsonpath:

kubectl config view -o jsonpath="{.users[?(@.name == \"$(kubectl config current-context)\")].user.auth-provider.config.access-token}"


gcloud doesn't put the credentials into the kubeconfig but keeps them in its own files.

With GKE you can get a token for your GCloud account - much nicer than repurposing one from a Service Account.

Assuming that you have jq installed you can get your personal access token like this:

gcloud container clusters get-credentials <GKE cluster name> --zone <zone> --project <project>
gcloud config config-helper --format=json | jq -r .credential.access_token


I experienced the same issue - in my case the solution was to get the access token from kubectl config view:

[...]
users:
- name: <YOUR CLUSTER NAME>
  user:
    auth-provider:
      config:
        access-token: <YOUR ACCESS TOKEN>
        cmd-args: config config-helper --format=json
        cmd-path: /usr/local/lib/google-cloud-sdk/bin/gcloud
        expiry: 2018-02-12T13:36:51Z
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp
[...]


Comments
  • But when I use any of those tokens I get errors. Updating main post.
  • Yep :) Try using the default token in the kube-system namespace.
  • Example: default-token-qx613
  • It appears that Kubernetes in GCP created a usable token in the default namespace. Once I used that, it worked.
  • Why isn't this higher voted? Whatever it does the token works with the current version as of this time! Thanks