Understanding Kubernetes API Server Authentication, Authorization, and Dashboard Deployment

This guide explains apiserver clients, authentication methods, service accounts, RBAC authorization, and admission control, and provides step-by-step instructions for installing and accessing the Kubernetes Dashboard 2.0.

Full-Stack DevOps & Kubernetes

1. apiserver and its clients

The apiserver is the sole entry point for all cluster access. Pods such as CoreDNS and user-facing tools like the Dashboard interact with it. Every request passes through three stages in order: authentication → authorization → admission control.

2. Authentication

Two main plugins are supported:

Token authentication – a shared secret passed in the HTTP Authorization header.

SSL/TLS authentication – mutual certificate verification between client and server.

Kubernetes distinguishes two account types:

ServiceAccount – used by processes inside Pods to call the API.

User account – represents human users accessing the cluster.

Each Pod is automatically assigned a serviceAccountName (default unless overridden). The service account's token secret (e.g., default-token-***) is mounted into the Pod as a volume, and the Pod uses that token for API calls.

3. Authorization

Kubernetes uses plug‑in based authorizers; common ones include Node, ABAC, RBAC, and Webhook. RBAC (Role‑Based Access Control) defines permissions in Role or ClusterRole objects and binds them to users via RoleBinding or ClusterRoleBinding. Namespace‑scoped bindings grant access only within that namespace, while cluster‑scoped bindings grant cluster‑wide rights.

4. Admission Control

After authorization, admission controllers perform additional checks (e.g., mutating or validating webhooks) during object creation, update, or deletion.

Installing and Accessing Kubernetes Dashboard 2.0

1. Load the Dashboard and metrics-scraper images onto each node:

docker load -i dashboard_2_0_0.tar.gz
docker load -i metrics-scraper-1_0_1.tar.gz

2. Apply the manifest:

kubectl apply -f https://raw.githubusercontent.com/luckylucky421/kubernetes1.17.3/master/kubernetes-dashboard.yaml

3. Verify installation:

kubectl get pods -n kubernetes-dashboard

4. Expose the service as NodePort (edit the Service and change type: ClusterIP to type: NodePort), then access the Dashboard at https://<master_ip>:<nodePort> (e.g., https://192.168.0.6:31775/).

Login methods

Use the default token from the Dashboard namespace secret (kubernetes-dashboard-token-*) and paste it into the Dashboard login screen.

Create a cluster‑admin token for full‑cluster access:

kubectl create clusterrolebinding dashboard-cluster-admin \
  --clusterrole=cluster-admin \
  --serviceaccount=kubernetes-dashboard:kubernetes-dashboard

Then retrieve the new token from the secret and use it to log in, gaining visibility and control over all namespaces.
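
The RBAC rules from section 3 applied to the cluster-admin binding above, as an added example that is not part of the original article or Kubernetes' own code. It is a simplified evaluator (resources and verbs only, no API groups) showing that the ClusterRoleBinding gives the Dashboard service account's token every verb on every resource in all namespaces, while a namespace-scoped RoleBinding does not. The pod-reader Role and SCOPED_BINDING are hypothetical names introduced for comparison, and all objects are constructed.

```python
# Simplified model of RBAC evaluation: an added example, not apiserver code.
# All objects are constructed; "pod-reader" and SCOPED_BINDING are hypothetical.
DASHBOARD_SA = ("ServiceAccount", "kubernetes-dashboard", "kubernetes-dashboard")

ROLES = {
    # (kind, namespace, name) -> rules; namespace is None for a ClusterRole
    ("ClusterRole", None, "cluster-admin"): [{"resources": ["*"], "verbs": ["*"]}],
    ("Role", "kubernetes-dashboard", "pod-reader"): [
        {"resources": ["pods"], "verbs": ["get", "list", "watch"]}],
}

# The binding created by the page's `kubectl create clusterrolebinding` command.
CLUSTER_ADMIN_BINDING = {
    "kind": "ClusterRoleBinding", "namespace": None,
    "roleRef": ("ClusterRole", "cluster-admin"), "subjects": [DASHBOARD_SA]}

# Hypothetical narrower alternative: read-only access to pods in one namespace.
SCOPED_BINDING = {
    "kind": "RoleBinding", "namespace": "kubernetes-dashboard",
    "roleRef": ("Role", "pod-reader"), "subjects": [DASHBOARD_SA]}

def rule_matches(rule, verb, resource):
    """A rule grants the request if verb and resource both match ("*" = any)."""
    return (("*" in rule["verbs"] or verb in rule["verbs"])
            and ("*" in rule["resources"] or resource in rule["resources"]))

def allowed(subject, verb, resource, namespace, bindings, roles=ROLES):
    """Return True if any binding grants `verb` on `resource` in `namespace`."""
    for b in bindings:
        if subject not in b["subjects"]:
            continue
        # A RoleBinding applies only inside its own namespace;
        # a ClusterRoleBinding applies in every namespace.
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        ref_kind, ref_name = b["roleRef"]
        # Roles live in the binding's namespace; ClusterRoles are not namespaced.
        role_ns = b["namespace"] if ref_kind == "Role" else None
        rules = roles.get((ref_kind, role_ns, ref_name), [])
        if any(rule_matches(r, verb, resource) for r in rules):
            return True
    return False  # RBAC is deny-by-default: no matching rule, no access

if __name__ == "__main__":
    for verb, res, ns in [("list", "pods", "kubernetes-dashboard"),
                          ("get", "secrets", "kube-system")]:
        print(verb, res, ns, allowed(DASHBOARD_SA, verb, res, ns, [CLUSTER_ADMIN_BINDING]),
              allowed(DASHBOARD_SA, verb, res, ns, [SCOPED_BINDING]))
```

To ask a live cluster the same question, kubectl auth can-i get secrets -n kube-system --as=system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard answers yes or no for the Dashboard service account.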

Images in the original article illustrate the pod specifications, service definitions, and Dashboard UI screenshots.
