Kubernetes Dashboard Token Expiration

Deniz G
2 min read · May 2, 2023

We use Kubernetes for cluster orchestration. We have 3 options for managing Kubernetes resources: the CLI, the Dashboard and ArgoCD. The DevOps team mostly uses the CLI and the Dashboard; the development teams use ArgoCD.

When we log in to the Dashboard, we need to provide a token. This token is a JWT. After the Dashboard has been in use for a while, it logs out automatically, and it is necessary to log in again using the same JWT.

I was wondering how we can log in using the same JWT every time. JWTs have an expiration time, and after it passes the session is logged out. So how is it possible to log in again using the same JWT? This article addresses that question.

The answer is that there are 3 different JWTs: the ServiceAccount Token, the Dashboard Token and the Dashboard Refresh Token. The ServiceAccount Token is used only to log in to the Dashboard. After authentication, the Dashboard uses the Dashboard Token and the Refresh Token.

1. ServiceAccount Token has no expiration.

We use this token to log in to the Dashboard. When we decode the JWT, we see that there is no expiration key.

eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLXY1N253Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIwMzAzMjQzYy00MDQwLTRhNTgtOGE0Ny04NDllZTliYTc5YzEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.Z2JrQlitASVwWbc-s6deLRFVk5DWD3P_vjUFXsqVSY10pbjFLG4njoZwh8p3tLxnX_VBsr7_6bwxhWSYChp9hwxznemD5x5HLtjb16kI9Z7yFWLtohzkTwuFbqmQaMoget_nYcQBUC5fDmBHRfFvNKePh_vSSb2h_aYXa8GV5AcfPQpY7r461itme1EXHQJqv-SN-zUnguDguCTjD80pFZ_CmnSE1z9QdMHPB8hoB4V68gtswR1VLa6mSYdgPwCHauuOobojALSaMc3RH7MmFUumAgguhqAkX3Omqd3rJbYOMRuMjhANqd08piDC3aIabINX6gP5-Tuuw2svnV6NYQ
{
  "iss": "kubernetes/serviceaccount",
  "kubernetes.io/serviceaccount/namespace": "kube-system",
  "kubernetes.io/serviceaccount/secret.name": "admin-user-token-k6glx",
  "kubernetes.io/serviceaccount/service-account.name": "admin-user",
  "kubernetes.io/serviceaccount/service-account.uid": "20875ce7-c386-44e5-8b40-3f233da53661",
  "sub": "system:serviceaccount:kube-system:admin-user"
}

So you can use this JWT indefinitely.

2. Dashboard Tokens have expiration.

When we log in to the Dashboard using the ServiceAccount token, it returns a JWT (of JWE type), and all subsequent requests from the Dashboard use this JWT.

Request
https://kube-dashboard-address/api/v1/login

Request Payload (Service-Account JWT)
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLXY1N253Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIwMzAzMjQzYy00MDQwLTRhNTgtOGE0Ny04NDllZTliYTc5YzEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.Z2JrQlitASVwWbc-s6deLRFVk5DWD3P_vjUFXsqVSY10pbjFLG4njoZwh8p3tLxnX_VBsr7_6bwxhWSYChp9hwxznemD5x5HLtjb16kI9Z7yFWLtohzkTwuFbqmQaMoget_nYcQBUC5fDmBHRfFvNKePh_vSSb2h_aYXa8GV5AcfPQpY7r461itme1EXHQJqv-SN-zUnguDguCTjD80pFZ_CmnSE1z9QdMHPB8hoB4V68gtswR1VLa6mSYdgPwCHauuOobojALSaMc3RH7MmFUumAgguhqAkX3Omqd3rJbYOMRuMjhANqd08piDC3aIabINX6gP5-Tuuw2svnV6NYQ
Response
{
  "jweToken": "{\"protected\":\"eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0\",\"aad\":\"eyJleHAiOiIyMDIzLTA1LTAyVDEzOjIyOjEyWiIsImlhdCI6IjIwMjMtMDUtMDJUMTM6MDc6MTJaIn0\",\"encrypted_key\":\"...\",\"iv\":\"...\",\"ciphertext\":\"...\",\"tag\":\"...\"}",
  "errors": []
}

This Dashboard JWT expires after 900 seconds (15 min). The aad section carries the iat (issued at) and exp (expires at) values.

{
  "exp": "2023-05-02T13:22:12Z",
  "iat": "2023-05-02T13:07:12Z"
}

This TTL can be configured with the --token-ttl parameter in the Dashboard deployment: https://github.com/kubernetes/dashboard/blob/master/docs/common/dashboard-arguments.md
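The two decodings above (the ServiceAccount JWT payload and the Dashboard token's aad) can be reproduced with a short script that reports whether a token carries an expiry at all. This is an added example, not code from the original article or from the Dashboard project: the function names are hypothetical, the ServiceAccount token is constructed from a subset of the claims shown in section 1 with a dummy signature, and the Dashboard token reuses the protected and aad values from the login response.

```python
import base64
import json
from datetime import datetime, timezone

def b64url_json(segment):
    """Decode one unpadded base64url segment into a JSON object."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def parse_time(value):
    """JWT claims use epoch seconds; the Dashboard aad above uses RFC 3339 strings."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def describe_token(token, now):
    """Classify a token and report its lifetime. Nothing is verified or decrypted."""
    token = token.strip()
    if token.startswith("{"):   # JSON-serialized JWE: Dashboard token, times live in aad
        kind, claims = "dashboard-jwe", b64url_json(json.loads(token)["aad"])
    else:                       # compact JWT: header.payload.signature
        kind, claims = "serviceaccount-jwt", b64url_json(token.split(".")[1])
    if "exp" not in claims:     # no expiry claim: the token never ages out by itself
        return {"kind": kind, "expires": None, "ttl_seconds": None, "expired": False}
    exp = parse_time(claims["exp"])
    ttl = int((exp - parse_time(claims["iat"])).total_seconds()) if "iat" in claims else None
    return {"kind": kind, "expires": exp, "ttl_seconds": ttl, "expired": now >= exp}

def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: a subset of the ServiceAccount claims shown above, dummy signature.
SA_TOKEN = ".".join([
    _seg({"alg": "RS256", "kid": ""}),
    _seg({"iss": "kubernetes/serviceaccount",
          "sub": "system:serviceaccount:kube-system:admin-user"}),
    "constructed-signature"])

# protected and aad are the values from the login response above; the rest stays elided.
DASHBOARD_TOKEN = json.dumps({
    "protected": "eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0",
    "aad": "eyJleHAiOiIyMDIzLTA1LTAyVDEzOjIyOjEyWiIsImlhdCI6IjIwMjMtMDUtMDJUMTM6MDc6MTJaIn0",
    "encrypted_key": "...", "iv": "...", "ciphertext": "...", "tag": "..."})

if __name__ == "__main__":
    now = datetime(2023, 5, 2, 13, 30, tzinfo=timezone.utc)  # fixed time for a repeatable run
    for tok in (SA_TOKEN, DASHBOARD_TOKEN):
        print(describe_token(tok, now))
```

A result with `expires` set to None marks a credential that stays usable until its backing secret is deleted, which makes it the one to track in a token inventory.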

Before every request made from the Dashboard, a refresh token request is sent automatically and a refresh token is received. Even if a valid refresh token already exists, its duration is renewed by getting a new one. The duration of these tokens is also 15 minutes.

Request
https://kube-dashboard-address/api/v1/token/refresh

Request Payload (Dashboard Token)
{
  "protected": "eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0",
  "aad": "eyJleHAiOiIyMDIzLTA1LTAyVDEzOjIyOjEyWiIsImlhdCI6IjIwMjMtMDUtMDJUMTM6MDc6MTJaIn0",
  "encrypted_key": "...",
  "iv": "...",
  "ciphertext": "... ",
  "tag": "..."
}
Response
Dashboard Refresh Token

When the Dashboard Token expires and the Refresh Token is still valid, the Dashboard Token is renewed. In this way, you can log in to the Dashboard once and use it forever. But if you take no action in the Dashboard for 15 minutes, you are logged out automatically.
