aws-samples · vjsikha · Aug 27, 2018 · Aug 27, 2018 · Aug 27, 2018 · Aug 27, 2018
diff --git a/02-path-working-with-clusters/201-cluster-monitoring/readme.adoc b/02-path-working-with-clusters/201-cluster-monitoring/readme.adoc
@@ -20,7 +20,10 @@ Heapster is limited to Kuberenetes container metrics, it is not general use. Hea
 
 In order to perform exercises in this chapter, you’ll need to deploy configurations to a Kubernetes cluster. To create an EKS-based Kubernetes cluster, use the link:../../01-path-basics/102-your-first-cluster#create-a-kubernetes-cluster-with-eks[AWS CLI] (recommended). If you wish to create a Kubernetes cluster without EKS, you can instead use link:../../01-path-basics/102-your-first-cluster#alternative-create-a-kubernetes-cluster-with-kops[kops].
 
-All configuration files for this chapter are in the link:templates[201-cluster-monitoring/templates] directory.
+All configuration files for this chapter are in the link:templates[201-cluster-monitoring/templates] directory.Please be sure to cd into that directory before running the commands below.
+
+    $ cd ~/environment/aws-workshop-for-kubernetes/02-path-working-with-clusters/201-cluster-monitoring/templates
+
 
 == Kubernetes Dashboard
 
@@ -57,66 +60,54 @@ Where `ENVIRONMENT_ID` is your Cloud9 IDE environment id (you should see it once
 
 Starting with Kubernetes 1.7, Dashboard supports authentication. Read more about it at https://github.com/kubernetes/dashboard/wiki/Access-control#introduction. We'll use a bearer token for authentication.
 
-Check existing secrets in the `kube-system` namespace:
-
-    kubectl -n kube-system get secret
-
-It shows the output as:
-
-  NAME                                     TYPE                                  DATA      AGE
-  attachdetach-controller-token-dhkcr      kubernetes.io/service-account-token   3         3h
-  certificate-controller-token-p131b       kubernetes.io/service-account-token   3         3h
-  daemon-set-controller-token-r4mmp        kubernetes.io/service-account-token   3         3h
-  default-token-7vh0x                      kubernetes.io/service-account-token   3         3h
-  deployment-controller-token-jlzkj        kubernetes.io/service-account-token   3         3h
-  disruption-controller-token-qrx2v        kubernetes.io/service-account-token   3         3h
-  dns-controller-token-v49b6               kubernetes.io/service-account-token   3         3h
-  endpoint-controller-token-hgkbm          kubernetes.io/service-account-token   3         3h
-  generic-garbage-collector-token-34fvc    kubernetes.io/service-account-token   3         3h
-  horizontal-pod-autoscaler-token-lhbkf    kubernetes.io/service-account-token   3         3h
-  job-controller-token-c2s8j               kubernetes.io/service-account-token   3         3h
-  kube-dns-autoscaler-token-s3svx          kubernetes.io/service-account-token   3         3h
-  kube-dns-token-92xzb                     kubernetes.io/service-account-token   3         3h
-  kube-proxy-token-0ww14                   kubernetes.io/service-account-token   3         3h
-  kubernetes-dashboard-certs               Opaque                                2         9m
-  kubernetes-dashboard-key-holder          Opaque                                2         9m
-  kubernetes-dashboard-token-vt0fd         kubernetes.io/service-account-token   3         10m
-  namespace-controller-token-423gh         kubernetes.io/service-account-token   3         3h
-  node-controller-token-r6lsr              kubernetes.io/service-account-token   3         3h
-  persistent-volume-binder-token-xv30g     kubernetes.io/service-account-token   3         3h
-  pod-garbage-collector-token-fwmv4        kubernetes.io/service-account-token   3         3h
-  replicaset-controller-token-0cg8r        kubernetes.io/service-account-token   3         3h
-  replication-controller-token-3fwxd       kubernetes.io/service-account-token   3         3h
-  resourcequota-controller-token-6rl9f     kubernetes.io/service-account-token   3         3h
-  route-controller-token-9brzb             kubernetes.io/service-account-token   3         3h
-  service-account-controller-token-bqlsk   kubernetes.io/service-account-token   3         3h
-  service-controller-token-1qlg6           kubernetes.io/service-account-token   3         3h
-  statefulset-controller-token-kmgzg       kubernetes.io/service-account-token   3         3h
-  ttl-controller-token-vbnhf               kubernetes.io/service-account-token   3         3h
-
-We can login using the secret with type 'kubernetes.io/namespace-controller-token'. In our case, we'll use the token from secret `namespace-controller-token-423gh` to login. Use the following command to get the token for this secret:
-
-    kubectl -n kube-system describe secret namespace-controller-token-423gh
-
-Note you'll need to replace `namespace-controller-token-423gh` with the namespace-controller-token from your output list.
-
-It shows the output:
-
-```
-Name:         namespace-controller-token-423gh
-Namespace:    kube-system
-Labels:       <none>
-Annotations:  kubernetes.io/service-account.name=default
-              kubernetes.io/service-account.uid=3a3fea86-b3a1-11e7-9d90-06b1e747c654
-
-Type:  kubernetes.io/service-account-token
-
-Data
-====
-ca.crt:     1046 bytes
-namespace:  11 bytes
-token:      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZWZhdWx0LXRva2VuLTd2aDB4Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImRlZmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIzYTNmZWE4Ni1iM2ExLTExZTctOWQ5MC0wNmIxZTc0N2M2NTQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06ZGVmYXVsdCJ9.GHW-7rJcxmvujkClrN6heOi_RYlRivzwb4ScZZgGyaCR9tu2V0Z8PE5UR6E_3Vi9iBCjuO6L6MLP641bKoHB635T0BZymJpSeMPQ7t1F02BsnXAbyDFfal9NUSV7HoPAhlgURZWQrnWojNlVIFLqhAPO-5T493SYT56OwNPBhApWwSBBGdeF8EvAHGtDFBW1EMRWRt25dSffeyaBBes5PoJ4SPq4BprSCLXPdt-StPIB-FyMx1M-zarfqkKf7EJKetL478uWRGyGNNhSfRC-1p6qrRpbgCdf3geCLzDtbDT2SBmLv1KRjwMbW3EF4jlmkM4ZWyacKIUljEnG0oltjA
-```
+By default, the Kubernetes dashboard user has limited permissions. Let's create an eks-admin service account and cluster role binding using the following configuration files. You can use the eks-admin service account to securely connect to the dashboard with admin-level permissions.
+
+  $ cat eks-admin-service-account.yaml
+  apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: eks-admin
+    namespace: kube-system
+
+  $ cat eks-admin-cluster-role-binding.yaml
+  apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: ClusterRoleBinding
+  metadata:
+    name: eks-admin
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: cluster-admin
+  subjects:
+  - kind: ServiceAccount
+    name: eks-admin
+    namespace: kube-system
+
+Run the following commands to apply the service account and cluster role binding to your cluster:
+
+  $ kubectl apply -f eks-admin-service-account.yaml
+  serviceaccount "eks-admin" created
+
+  $ kubectl apply -f eks-admin-cluster-role-binding.yaml
+  clusterrolebinding.rbac.authorization.k8s.io "eks-admin" created
+
+Retrieve an authentication token for the eks-admin service account using the following command:
+
+  $ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep eks-admin | awk '{print $1}')
+
+Output:
+
+  Name:         eks-admin-token-9kxfc
+  Namespace:    kube-system
+  Labels:       <none>
+  Annotations:  kubernetes.io/service-account.name=eks-admin
+                kubernetes.io/service-account.uid=198c691f-a997-11e8-8074-0ab2efd9c23a
+  Type:  kubernetes.io/service-account-token
+  Data
+  ====
+  token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJla3MtYWRtaW4tdG9rZW4tOWt4ZmMiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZWtzLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMTk4YzY5MWYtYTk5Ny0xMWU4LTgwNzQtMGFiMmVmZDljMjNhIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmVrcy1hZG1pbiJ9.mKcJ0RFAG8GvZA71ZskAv_xs9pW5Cq64A1S1pVx7-GFZb_Dbhee_nYjLagY3MrbTjsEcTNV1xe_RUevmcQDikS6UMEXoIN-bOHu5Moj5rgNW2yhfHuXZOtRmRfESTBzqCQQi3MPC_LP6jTagPnbBDW15W_3AbTwZRa3Fhs4YCUoxUbcrTYUd6kfB47JbLDwXl-8ai1hxgTreDeFKkQKu7E5WAMv4GeL1TYVgiVrUC2872NzQ-RSLee1WP-x_r50zJA5b9qXQvlkf0zrDRh6xO_Z3YXOH5KfWQUYCUpJqySedZE4w9F6rkBUCf2QivqhvXTQF9btsHIyeqSJ3SR3qHA
+  ca.crt:     1025 bytes
+  namespace:  11 bytes
 
 Copy the value of token from this output, select `Token` in the Dashboard login window, and paste the text. Click on `SIGN IN` to see the default Dashboard view:
 

diff --git a/...orking-with-clusters/201-cluster-monitoring/templates/eks-admin-cluster-role-binding.yaml b/...orking-with-clusters/201-cluster-monitoring/templates/eks-admin-cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: eks-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: eks-admin
+  namespace: kube-system
diff --git a/...ath-working-with-clusters/201-cluster-monitoring/templates/eks-admin-service-account.yaml b/...ath-working-with-clusters/201-cluster-monitoring/templates/eks-admin-service-account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: eks-admin
+  namespace: kube-system