Dashboard --token-ttl is not working #2882

Closed
Michael-Baylis opened this issue Mar 8, 2018 · 15 comments

@Michael-Baylis

Environment

Dashboard version: 1.8.3
Kubernetes version: 1.9.3
Operating system: Ubuntu LTS 16.04

Steps to reproduce
  1. Set up tokens in the api-server using --token-auth-file=/etc/kubernetes/pki/tokens.csv and restart
  2. Add --token-ttl=43200 to the dashboard deployment and restart
Observed result
  1. Log on to the dashboard using a token
  2. Wait for 20 minutes
  3. Attempt to use dashboard
  4. Requires logging on again as it appears the JWE is still expiring after 15 minutes
Expected result

That the JWE token remains valid for 12 hours and we will not require authenticating until the 12 hours are up.

Comments

dashboard deployment yaml:-

kind: Deployment
apiVersion: apps/v1beta2
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --tls-key-file=k8sm.key
          - --tls-cert-file=k8sm.crt
          - --token-ttl=43200
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                - key: "node-role.kubernetes.io/master"
                  operator: "Exists"
@ykfq

ykfq commented Mar 14, 2018

This works for me:
kubectl edit deployment kubernetes-dashboard -n kube-system

Add below like yours:

        args:
          - --tls-key-file=k8sm.key
          - --tls-cert-file=k8sm.crt
          - --token-ttl=43200

Edit and save successfully, and then I reload the dashboard; I can find the args are there:
https://NodeIP:NodePort/#!/pod/kube-system/kubernetes-dashboard-54b79ffb7b-gdf8v?namespace=kube-system

Wait for 45 mins, I still can access the dashboard without authentication (I set an alias ns=kube-system).

@Michael-Baylis
Author

@ykfq you are at the 1.7.1 level. I was running 1.8.3. Would it be possible for you to try the latest version?

@Michael-Baylis
Author

For some very odd reason, it appears to be working now on my newly built k8s cluster, so closing.

@foxundermoon

I also met the issue.
You can use
args: [ ... "--token-ttl=43200"]
and it will be OK.

@rosskevin

@Michael-Baylis I have tried a variety of token-ttl values, from 0/infinite to 604800/7 days. Nonetheless, I am logged out consistently throughout the day.

You mention:

> Setup tokens in the api-server using --token-auth-file=/etc/kubernetes/pki/tokens.csv and restart

But I do not see that in the file you posted. I only altered/added the token-ttl to the default manifest:

      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # add no timeout for token - 0 didn't work - make it 7 days?
          - --token-ttl=604800

Am I missing something? Continuously grabbing a token is driving me crazy.

@floreks
Member

floreks commented Aug 14, 2018

@rosskevin This argument is related to the internal token used by Dashboard. It does not change the life of the token used to log in, so in case your token has a TTL of e.g. 60 min, this param will not change it. The original token is stored in an encrypted JWE token and it is then decrypted and used by our backend to communicate with the API server. I am assuming that this is your issue.
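
The explanation above, as an added example that is not part of the thread or of the Dashboard code: a session ends at whichever limit comes first, the Dashboard JWE lifetime set by --token-ttl or the expiry of the login token wrapped inside it. It assumes the login token is either a JWT carrying an `exp` claim or an opaque static token; the function names and sample tokens are constructed for illustration.

```python
import base64
import json


def jwt_expiry(token):
    """Return the `exp` claim (Unix seconds) of a JWT, or None for an opaque
    token (such as a static --token-auth-file entry) or a JWT without `exp`."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return int(exp) if isinstance(exp, (int, float)) else None


def session_deadline(login_token, login_time, token_ttl):
    """Return (cause, unix_time) for whichever limit ends the session first.

    token_ttl is the Dashboard --token-ttl in seconds; 0 means the JWE itself
    never expires. (None, None) means neither limit applies.
    """
    limits = []
    if token_ttl > 0:
        limits.append(("dashboard JWE (--token-ttl)", login_time + token_ttl))
    exp = jwt_expiry(login_token)
    if exp is not None:
        limits.append(("login token exp claim", exp))
    return min(limits, key=lambda item: item[1]) if limits else (None, None)


def make_sample_jwt(claims):
    """Build an unsigned, constructed JWT-shaped string for the demo below."""
    def enc(raw):
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(b'{"alg":"none"}'), enc(json.dumps(claims).encode()), "sig"])


if __name__ == "__main__":
    login = 1_520_000_000  # constructed login time
    idp_token = make_sample_jwt({"sub": "demo", "exp": login + 3600})
    static_token = "constructed-opaque-token"
    for name, tok in (("IdP JWT", idp_token), ("static token", static_token)):
        print(name, session_deadline(tok, login, 43200))
```

The token is decoded without signature verification, which is enough to read its expiry but must never be used to decide whether to trust it.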

@rosskevin

Thanks @floreks - is there an arg I missed to change the TTL of the browser login token? Or is that currently not configurable?

@floreks
Member

floreks commented Aug 14, 2018

@rosskevin Unfortunately, there is no option to extend the life of the original token used to log in, as in most scenarios it requires communication with an external IdP to refresh the token. We are planning to add support for external IdPs to Dashboard. No ETA though.

@ishanagi

@rosskevin I have no idea why it suddenly started working for me when I created a new cluster and why it wasn't working in the first place, I am afraid. All I know is it is still working with a 12 hour token. Fairly sure there is a defect in there somewhere, but it is very subtle.

@vasicvuk

vasicvuk commented Sep 5, 2018

I am having the same issue on Kubernetes Dashboard 1.10.0. token-ttl argument just disappears after some time (Pod gets restarted without it and Deployment also loses token-ttl for some reason).

Can we reopen this issue or should I create a new one?

@maciaszczykm
Member

maciaszczykm commented Sep 5, 2018

@vasicvuk Create a new one with a detailed description. Remember to link to this issue.

@pykita

pykita commented Nov 28, 2018

I'm facing the same issue.
/dashboard --insecure-bind-address=0.0.0.0 --bind-address=0.0.0.0 --auto-generate-certificates=false --tls-cert-file=dashboard.crt --tls-key-file=dashboard.key --token-ttl=43200
and still after 5 min got disconnected.

@sateeshganni

I'm facing the same issue.
I am using kubernetesVersion: 1.11.5
I have added "---token-ttl=43200"
but still my dashboard session is expiring every 15 minutes

@flamberge552

> I also met the issue.
> You can use
> args: [ ... "--token-ttl=43200"]
> and it will be OK.

I had the same issue, ended up editing my args from the terminal as you described and it stopped failing. Thanks

@flamberge552

> I'm facing the same issue.
> I am using kubernetesVersion: 1.11.5
> I have added "---token-ttl=43200"
> but still my dashboard session is expiring every 15 minutes

Looks like you have too many "-" characters there, bud.
