Account Administration

This section highlights MetalK8s Account Administration which covers changing the default username and password for some MetalK8s services.

Administering Grafana

A fresh install of MetalK8s has a Grafana service instance with default credentials: admin / admin. For more information on how to access Grafana, please refer to this procedure

Changing Grafana username and password

To change the default username and password for Grafana on a MetalK8s cluster, perform the following procedures:

  1. Create a file named patch-secret.yaml that has the following content:

    stringData:
      admin-user: <username-in-clear>
      admin-password: <password-in-clear>
    
  2. Apply the patch file by running:

    $ kubectl --kubeconfig /etc/kubernetes/admin.conf patch secrets prometheus-operator-grafana --patch "$(cat patch-secret.yaml)" -n metalk8s-monitoring
    
  3. Now, roll out the new updates for Grafana:

    $ kubectl --kubeconfig /etc/kubernetes/admin.conf rollout restart deploy prometheus-operator-grafana -n metalk8s-monitoring
    
  4. Access the Grafana instance and authenticate yourself using the new Account credentials.

Warning

During an upgrade or downgrade of a MetalK8s cluster, customized Grafana username and password will be overwritten with default credentials admin / admin.

Administering MetalK8s GUI, Kubernetes API and Salt API

During installation, MetalK8s configures the Kubernetes API to accept Basic authentication, with default credentials admin / admin.

Services exposed by MetalK8s, such as its GUI or Salt API, rely on the Kubernetes API for authenticating their users. As such, changing the credentials of a Kubernetes API user will also change the credentials required to connect to either one of these services.

Managing Kubernetes API username and password

Warning

The procedures mentioned below must be carried out on every control-plane Node, or more specifically, any Node bearing the node-role.kubernetes.io/master label.

  1. Edit the credentials file located at /etc/kubernetes/htpasswd, replacing the username and/or password fields as below:

    <password-in-clear>,<username-in-clear>,123,"system:masters"
    
  2. Force a restart of the Kubernetes API server:

    $ crictl stop \
        $(crictl ps -q --label io.kubernetes.pod.namespace=kube-system \
                       --label io.kubernetes.container.name=kube-apiserver \
                       --state Running)
    
  3. Access a service (for example, MetalK8s GUI) and authenticate yourself using the new Account credentials.

    Note

    Upon changing the username and/or password, a fresh logout then login is required for accessing the MetalK8s GUI.