Creating a Kubernetes Dashboard Token

Question

I'm trying to follow the instructions at https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md to create a Kubernetes Dashboard token. However, when I run the specified command, I get an error

% kubectl -n kubernetes-dashboard create token admin-user
Error: must specify one of -f and -k

error: unknown command "token admin-user"
See 'kubectl create -h' for help and examples

If I jump back in the doc history, I see a different, more verbose command that I can run

% kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"

This seems to work OK and PR for the doc change mentions "version 1.24" but doesn't mention what piece of software version 1.24 refers to (kubectl? The Dashboard? Kuberenetes itself? kind? Something else?)

So what's going on with that first command? Why doesn't it work?

Answer 1

for me Sushmita's version didnt work.

it gave following error:

error: there is no need to specify a resource type as a separate argument when passing arguments in resource/name form (e.g. 'kubectl get resource/<resource_name>' instead of 'kubectl get resource resource/<resource_name>'

but separating two commands worked for me:

Step 1:

kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}"

which returned : admin-user-token-mxmxx

Step 2:

kubectl -n kubernetes-dashboard get secret admin-user-token-mxmxx -o go-template="{{.data.token | base64decode}}"

Answer 2

If your version is lower than 1.24, please run the following command.

kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"

This works in my case. Thanks.

Answer 3

This is a new feature in kubernetes 1.24, your cluster and kubectl must be running <1.24 version of Kubernetes, causing the issue. See the change log below:

kubectl create token can now be used to request a service account token, and permission to request service account tokens is added to the edit and admin RBAC roles (#107880, @liggitt)

Another snippet showing more relevant info:

Kubectl changes:

Adds a command to kubectl to request a bound service account token. This will help ease the transition from scraping generated service account tokens with commands like kubectl get secret "$(kubectl get serviceaccount default -o jsonpath='{.secrets[0].name}')"

Both server and client must be running 1.24 or newer, something like below:

kubectl version --output=json
{
  "clientVersion": {
    "major": "1",
    "minor": "24",
    "gitVersion": "v1.24.0",
    "gitCommit": "4ce5a8954017644c5420bae81d72b09b735c21f0",
    "gitTreeState": "clean",
    "buildDate": "2022-05-03T13:46:05Z",
    "goVersion": "go1.18.1",
    "compiler": "gc",
    "platform": "linux/amd64"
  },
  "kustomizeVersion": "v4.5.4",
  "serverVersion": {
    "major": "1",
    "minor": "24",
    "gitVersion": "v1.24.2",
    "gitCommit": "f66044f4361b9f1f96f0053dd46cb7dce5e990a8",
    "gitTreeState": "clean",
    "buildDate": "2022-06-15T14:15:38Z",
    "goVersion": "go1.18.3",
    "compiler": "gc",
    "platform": "linux/amd64"
  }
}

check this for more info: https://github.com/kubernetes/kubernetes/pull/107880