Dashboard: Dashboard --token-ttl is not working

Created on 8 Mar 2018 · 15 Comments · Source: kubernetes/dashboard

Environment

Dashboard version: 1.8.3
Kubernetes version: 1.9.3
Operating system: Ubuntu LTS 16.04

Steps to reproduce

1) Setup tokens in the api-server using --token-auth-file=/etc/kubernetes/pki/tokens.csv and restart
2) Add --token-ttl=43200 to the dashboard deployment and restart

Observed result

1) Log on to the dashboard using a token
2) Wait for 20 minutes
3) Attempt to use dashboard
4) Requires logging on again, as it appears the JWE is still expiring after 15 minutes

Expected result

That the JWE token remains valid for 12 hours and we will not require authenticating until the 12 hours are up.

Comments

dashboard deployment yaml:-

kind: Deployment
apiVersion: apps/v1beta2
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --tls-key-file=k8sm.key
          - --tls-cert-file=k8sm.crt
          - --token-ttl=43200
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                - key: "node-role.kubernetes.io/master"
                  operator: "Exists"

All 15 comments

This works for me:
kubectl edit deployment kubernetes-dashboard -n kube-system

Add below like yours:

        args:
          - --tls-key-file=k8sm.key
          - --tls-cert-file=k8sm.crt
          - --token-ttl=43200

Edit and save successfully, and then I reload the dashboard; I can find the args are there:
https://NodeIP:NodePort/#!/pod/kube-system/kubernetes-dashboard-54b79ffb7b-gdf8v?namespace=kube-system

Wait for 45 mins, I still can access the dashboard without authentication (I set an alias ns=kube-system).

@ykfq you are at the 1.7.1 level. I was running 1.8.3. Would it be possible for you to try the latest version?

For some very odd reason, it appears to be working now on my newly built k8s cluster, so closing.

I also met the issue.
You can use
args: [ ... "--token-ttl=43200"]
and it will be OK.

@Michael-Baylis I have tried a variety of token-ttl values, from 0/infinite to 604800/7 days. Nonetheless, I am logged out consistently throughout the day.

You mention:

Setup tokens in the api-server using --token-auth-file=/etc/kubernetes/pki/tokens.csv and restart

But I do not see that in the file you posted. I only altered/added the token-ttl to the default manifest:

      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # add no timeout for token - 0 didn't work - make it 7 days?
          - --token-ttl=604800

am I missing something? continuously grabbing a token is driving me crazy.

@rosskevin This argument is related to the internal token used by Dashboard. It does not change the life of the token used to log in, so in case your token has a TTL of, i.e., 60 min, then this param will not change it. The original token is stored in an encrypted JWE token and it is then decrypted and used by our backend to communicate with the API server. I am assuming that this is your issue.

Thanks @floreks - is there an arg I missed to change the ttl of the browser log in token? or is that currently not configurable?

@rosskevin Unfortunately, there is no option to extend the life of the original token used to log in, as in most scenarios it requires communication with an external IdP to refresh the token. We are planning to add support for external IdPs to Dashboard. No ETA though.

@rosskevin I have no idea why it suddenly started working for me when I created a new cluster and why it wasn't working in the first place, I am afraid. All I know is it is still working with a 12 hour token. Fairly sure there is a defect in there somewhere, but it is very subtle.

I am having the same issue on Kubernetes Dashboard 1.10.0. The token-ttl argument just disappears after some time (Pod gets restarted without it and Deployment also loses token-ttl for some reason).

Can we reopen this issue or should I create a new one?

@vasicvuk Create a new one with a detailed description. Remember to link to this issue.

I'm facing the same issue.
/dashboard --insecure-bind-address=0.0.0.0 --bind-address=0.0.0.0 --auto-generate-certificates=false --tls-cert-file=dashboard.crt --tls-key-file=dashboard.key --token-ttl=43200
and still after 5 min got disconnected.

I'm facing the same issue.
I am using kubernetesVersion: 1.11.5
I have added "---token-ttl=43200"
but still my dashboard session is expiring every 15 mins

I also met the issue.
You can use
args: [ ... "--token-ttl=43200"]
and it will be OK.

I had the same issue, ended up editing my args from the terminal as you described and it stopped failing. Thanks

I'm facing the same issue.
I am using kubernetesVersion: 1.11.5
I have added "---token-ttl=43200"
but still my dashboard session is expiring every 15 mins

Looks like you have too many "-" characters there bud
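
The two causes raised in this thread, checked together: the session ends when either the Dashboard's JWE or the wrapped login token expires (floreks' explanation), and a mistyped flag such as `---token-ttl` (the last comment). This is an added example, not part of the thread or Dashboard's code; the function names are hypothetical, and the 900-second default, `0` meaning no JWE expiry, and falling back to the default on a malformed flag are assumptions taken from what posters report here.

```python
import base64, json, re, time

DEFAULT_TTL = 900  # assumption: the 15-minute expiry reported in this thread

def find_token_ttl(args):
    """Return (ttl_seconds, problems) for a Dashboard container args list."""
    ttl, problems = DEFAULT_TTL, []
    for arg in args:
        m = re.fullmatch(r"(-+)token-ttl(?:=(.*))?", arg.strip())
        if not m:
            continue
        dashes, value = m.groups()
        if len(dashes) != 2:
            # Report the typo; the estimate keeps the assumed default.
            problems.append(f"{arg!r}: expected 2 leading dashes, got {len(dashes)}")
        elif value is None or not value.isdigit():
            problems.append(f"{arg!r}: value must be a whole number of seconds")
        else:
            ttl = int(value)
    return ttl, problems

def jwt_exp(token):
    """Return the numeric exp claim of a JWT-shaped bearer token, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # opaque token, e.g. one from a static token file
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    try:
        exp = json.loads(base64.urlsafe_b64decode(payload)).get("exp")
    except (ValueError, AttributeError):
        return None
    return exp if isinstance(exp, (int, float)) else None

def effective_session_seconds(args, login_token, now=None):
    """Seconds until re-login: the smaller of JWE TTL and login-token life."""
    now = time.time() if now is None else now
    ttl, problems = find_token_ttl(args)
    limits = [ttl] if ttl > 0 else []  # assumption: 0 means no JWE expiry
    exp = jwt_exp(login_token)
    if exp is not None:
        limits.append(max(0, int(exp - now)))
    return (min(limits) if limits else None), problems

if __name__ == "__main__":
    # Constructed input: args as posted in the thread, plus an opaque token.
    print(effective_session_seconds(["---token-ttl=43200"], "opaque-token"))
```
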
