Kubernetes Dashboard Token Expired Issue

2023. 3. 21. 17:57 Dev


This article describes an error that occurs when installing the Kubernetes dashboard on Kubernetes 1.24 and how to fix it.

 

1. Error getting a token to log in to kube-dashboard

As of Kubernetes 1.24, creating a service account no longer automatically generates a token Secret.

What happened

Using kubectl to get the service account token to log in to the dashboard:

error: error executing template "{{.data.token | base64decode}}": template: output:1:16: executing "output" at : invalid value; expected string

When creating the user account:

kubectl -n kube-system describe secret

No resources found in kube-system namespace.

kubectl -n kubernetes-dashboard describe secret

No resources found in kubernetes-dashboard namespace.

Why this error occurred & How to fix it

kubectl version is out of date

AWS Docs are out of date

https://github.com/kubernetes/dashboard

 


See the official kubernetes-dashboard GitHub README.

https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md

 


 

2. Kubernetes Dashboard session expired too quickly.

What happened

Kubernetes dashboard sessions expire after 15 minutes.

Why this error occurred & How to fix it

The dashboard's --token-ttl argument sets the expiration time (in seconds) of the JWE tokens it generates. '0' means they never expire.

kubectl edit deploy kubernetes-dashboard -n kubernetes-dashboard

Set the token TTL in the container's args:

--token-ttl=0

 

Name:                   kubernetes-dashboard
Namespace:              kubernetes-dashboard
CreationTimestamp:      Thu, 23 Feb 2023 19:42:48 +0900
Labels:                 k8s-app=kubernetes-dashboard
Annotations:            deployment.kubernetes.io/revision: 2
Selector:               k8s-app=kubernetes-dashboard
Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:           k8s-app=kubernetes-dashboard
  Service Account:  kubernetes-dashboard
  Containers:
   kubernetes-dashboard:
    Image:      kubernetesui/dashboard:v2.4.0
    Port:       8443/TCP
    Host Port:  0/TCP
    Args:
      --auto-generate-certificates
      --namespace=kubernetes-dashboard
      --token-ttl=0

https://github.com/kubernetes/dashboard/blob/master/docs/common/dashboard-arguments.md

 


 

 

3. Login token expired too quickly.

What happened

The login token expires too quickly.

Why this error occurred & How to fix it

Before v1.22, Kubernetes automatically generated long-term tokens.

Later versions do not.

Note:

Versions of Kubernetes before v1.22 automatically created long term credentials for accessing the Kubernetes API. This older mechanism was based on creating token Secrets that could then be mounted into running Pods. In more recent versions, including Kubernetes v1.26, API credentials are obtained directly by using the TokenRequest API, and are mounted into Pods using a projected volume. The tokens obtained using this method have bounded lifetimes, and are automatically invalidated when the Pod they are mounted into is deleted.

You can still manually create a service account token Secret; for example, if you need a token that never expires. However, using the TokenRequest subresource to obtain a token to access the API is recommended instead.

https://github.com/kubernetes/dashboard/issues/7444

 

Use kubectl create token with the --duration parameter.

https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#-em-token-em-

 


# Request a token with a custom expiration
  kubectl create token myapp --duration 10m

Options:
--duration=0s:
        Requested lifetime of the issued token. The server may return a token with a longer or shorter lifetime.

4. How to create a long-lived token

What happened

The token is valid for at most one day (86400 seconds), even when a longer duration is requested:

kubectl -n kubernetes-dashboard create token admin-user --duration 720h
Warning: requested expiration of 2592000 seconds shortened to 86400 seconds
eyJhbGciOiJSUzI1NiIsImxxxxxxxxxxxxxxxxxxxxx~~~

Why this error occurred & How to fix it

Manually create a long-lived API token for a ServiceAccount:

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-long-lived-api-token-for-a-serviceaccount

 


kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: admin-user-secret
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/service-account.name: admin-user
type: kubernetes.io/service-account-token
EOF

 

 

Describe the Secret and get the token

(Use this!) The token value printed by this command is already base64-decoded.

kubectl describe secret/admin-user-secret -n kubernetes-dashboard

 

The token value returned by this command is base64-encoded, so it must be decoded before it can be used to log in.

kubectl get secret/admin-user-secret -n kubernetes-dashboard -o yaml
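
To check which kind of credential sections 3 and 4 actually produced, the token's claims can be decoded locally. This is an added example, not code from the original post or the Kubernetes project: it reports the lifetime of a kubectl create token result, recognises a Secret-based token by its missing exp claim, and accepts either the decoded value or the base64-encoded one from -o yaml. The sample tokens and the names SUB and ISSUED are constructed for illustration.

```python
import base64
import json
import time


def _b64url(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(value):
    """Return the JWT payload of a raw token or of a base64-encoded Secret value."""
    value = value.strip()
    if value.count(".") != 2:
        # `kubectl get secret -o yaml` prints .data.token base64-encoded once more.
        value = base64.b64decode(value).decode()
    _header, payload, _signature = value.split(".")
    return json.loads(_b64url(payload))  # inspection only: signature is NOT verified


def describe_token(value, now=None):
    claims = token_claims(value)
    now = time.time() if now is None else now
    exp, iat = claims.get("exp"), claims.get("iat")
    bound = exp is not None
    return {
        "subject": claims.get("sub"),
        "kind": "bound, expires" if bound else "legacy Secret token, no exp claim",
        "lifetime_s": exp - iat if bound and iat is not None else None,
        "remaining_s": max(0, int(exp - now)) if bound else None,
    }


def _sample(claims):
    # Constructed sample token with a dummy signature, not a real credential.
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(b'{"alg":"RS256"}'), enc(json.dumps(claims).encode()), "sig"])


SUB = "system:serviceaccount:kubernetes-dashboard:admin-user"
ISSUED = 1679385600  # constructed issue time
BOUND = _sample({"sub": SUB, "iat": ISSUED, "exp": ISSUED + 86400})
LEGACY = _sample({"sub": SUB, "iss": "kubernetes/serviceaccount"})
LEGACY_YAML = base64.b64encode(LEGACY.encode()).decode()  # as shown by -o yaml

if __name__ == "__main__":
    for label, tok in (("create token", BOUND), ("describe secret", LEGACY),
                       ("get secret -o yaml", LEGACY_YAML)):
        print(label, describe_token(tok, now=ISSUED + 3600))
```

With a real cluster, pass the output of kubectl create token or the token field of the Secret to describe_token instead of the constructed samples.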