Changing the cluster administrator access credentials
You can update the cluster administrator username and password.
Required user type or access level: Cluster administrator
Changing the cluster administrator username
- Log on to the master node of your IBM® Cloud Private cluster.
- Use the IBM Cloud Private CLI (cloudctl) to change your username and to restart deployments. For example:
    cloudctl pm update-secret kube-system platform-auth-idp-credentials -d admin_username=<username>
  For more information, see IBM Cloud Private CLI pm commands (pm).
- Install kubectl. For more information, see Installing the Kubernetes CLI (kubectl).
- Update the clusterrolebinding role-based access control (RBAC) object with the new username:
    kubectl edit clusterrolebinding oidc-admin-binding
  Following is a sample clusterrolebinding RBAC object:
    # Please edit the following object. Lines beginning with a '#' will be ignored,
    # and an empty file will abort the edit. If an error occurs while saving this file will be
    # reopened with the relevant failures.
    #
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      creationTimestamp: 2019-02-04T18:44:34Z
      name: oidc-admin-binding
      resourceVersion: "3162"
      selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/oidc-admin-binding
      uid: eab9c9c9-28ac-11e9-aca2-0050569a1e29
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: https://mycluster.icp:8443/oidc/endpoint/OP#admin   <===========
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: admin   <===========
  - Replace the admin name in https://mycluster.icp:8443/oidc/endpoint/OP#admin with the new name: change OP#admin to OP#<new admin user name>.
  - Replace the admin name in name: admin with the new name: change name: admin to name: <new admin user name>.
  - Save the file.
- Log in to the boot node.
- Install cloudctl on the boot node. For more information, see Installing cloudctl.
- Run the cloudctl login command. This step generates new Helm certificates. The certificates are usually saved in the /root folder.
- Back up the Helm certificates that are in the <installation-directory>/cluster/cfc-certs/helm/ folder.
    mv <installation-directory>/cluster/cfc-certs/helm/admin.crt <installation-directory>/cluster/cfc-certs/helm/admin.crt.backup
    mv <installation-directory>/cluster/cfc-certs/helm/admin.key <installation-directory>/cluster/cfc-certs/helm/admin.key.backup
- Copy the new Helm certificates to the <installation-directory>/cluster/cfc-certs/helm/ folder. <helm-home> is the folder where the new certificates are located.
    cp <helm-home>/cert.pem <installation-directory>/cluster/cfc-certs/helm/admin.crt
    cp <helm-home>/key.pem <installation-directory>/cluster/cfc-certs/helm/admin.key
- Complete the steps in the Updating the config.json file on each master node section.
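The clusterrolebinding step above replaces two subject names by hand in an editor. The shell helper below is an added example and is not part of the IBM Cloud Private documentation: it applies the same two substitutions to an exported copy of the binding and counts the references that remain, so the change can be diffed and reviewed before it is applied with kubectl. The function names, the export-then-apply workflow and the sample YAML are assumptions of this example; the patterns are anchored to the end of the line so that roleRef (cluster-admin), metadata.name (oidc-admin-binding) and unrelated subjects are left alone.

```shell
#!/bin/sh
# Added example, not from the IBM Cloud Private documentation.
# Assumed workflow (commands are standard kubectl, the file names are this example's):
#   kubectl get clusterrolebinding oidc-admin-binding -o yaml > crb.yaml
#   rename_admin_subjects admin newadmin < crb.yaml > crb.new.yaml
#   diff crb.yaml crb.new.yaml && kubectl apply -f crb.new.yaml

# Rewrite both forms of the cluster administrator subject:
#   name: https://<host>:8443/oidc/endpoint/OP#<old>   (OIDC user identity)
#   name: <old>                                          (plain user name)
# Both patterns are anchored with '$', so "name: cluster-admin",
# "name: oidc-admin-binding" and "name: admin-group" are not touched.
rename_admin_subjects() {
    old="$1"
    new="$2"
    sed -e "s|/OP#${old}\$|/OP#${new}|" \
        -e "s|^\( *\)name: ${old}\$|\1name: ${new}|"
}

# Count subject lines (read from stdin) that still name the given user.
# 0 after the rename means no reference to the old name is left.
count_subject_refs() {
    user="$1"
    grep -c -e "/OP#${user}\$" -e "^ *name: ${user}\$" || true
}

# Constructed sample modelled on the binding shown in the procedure, with an
# extra Group subject to show that similar-looking names are not rewritten.
SAMPLE_CRB=$(cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: https://mycluster.icp:8443/oidc/endpoint/OP#admin
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: admin
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: admin-group
EOF
)

# Run with DEMO=1 to print the rewritten sample and the before/after counts.
if [ "${DEMO:-0}" = "1" ]; then
    printf 'before: %s reference(s) to admin\n' "$(printf '%s\n' "$SAMPLE_CRB" | count_subject_refs admin)"
    printf '%s\n' "$SAMPLE_CRB" | rename_admin_subjects admin newadmin
fi
```

Reviewing the rewritten file with diff before applying it also catches the case where the old administrator name appears in other bindings or role bindings, which this procedure does not cover.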
Changing the cluster administrator password
- Log on to the master node of your IBM Cloud Private cluster.
- Use the IBM Cloud Private CLI (cloudctl) to change your password and restart deployments. The secret name is platform-auth-idp-credentials and the namespace is kube-system. The new password must meet either the default password enforcement rule or the rules that are specified for the password_rules parameters in the config.yaml file. For example:
    cloudctl pm update-secret kube-system platform-auth-idp-credentials -d admin_password=<password>
  For more information, see Customizing the cluster with the config.yaml file and Installing the IBM Cloud Private CLI.
- Update the default_admin_password in the config.yaml file.
  - Open the /<installation_directory>/cluster/config.yaml file.
  - Update the default_admin_password.
  - Save and exit the file.
- Optional: You can update the password rules by running the following command:
    cloudctl pm password-rule-set <namespace> <rule_name> <rule_regex> <rule_desc>
- Complete the steps in the Updating the config.json file on each master node section.
Updating the config.json file on each master node
After you change the cluster administrator username or password, you must complete the following steps on each master node:
- Update the auth credentials in the /root/.docker/config.json file.
  - Encode the new username or password in base64. You must use the -n option to ensure that trailing new line characters (\n) are not appended to the string.
      echo -n "MyNewUsernameOrPassword" | base64
    When you update the password, the output resembles the following code:
      TXlOZXdQYXNzMHdyZA==
    When you update the username, the output resembles the following code:
      YWRtaW4xMjM0
  - Open the config.json file for editing.
      vi /root/.docker/config.json
    The file content resembles the following code:
      {
        "auths": {
          "hyc-cloud-private-edge-docker-local.artifactory.swg-devops.com": {
            "auth": "dG5lbWl2YW5AaW4uaWJtLmNvbTpBS0NwNWJ1VTJTOEw4UmhTeU1qTTQ2MjNLZjdTSG1RNDVoWVNneUVDaGpCRVRTNkJGR3Z1SGZ2bjZkVWhONkJHb1puVkxwc3RQ"
          }
        }
      }
  - Replace the old username or password with the new base64-encoded username or password.
  - Save the file.
- Stop and start the kubelet and docker services.
    systemctl stop kubelet
    systemctl stop docker
    systemctl start docker
    systemctl start kubelet
- Ensure that all pods in the kube-system namespace are running. It might take up to 5 minutes for all pods to restart.
    kubectl get pods -n kube-system | grep -v Running
  Only after all the kube-system pods are running on this master node, proceed with updating the config.json file on another master node. It is important that at any point in time, there are at least two healthy master nodes available in the cluster.
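As an added example that is not part of the documentation, the following POSIX shell helpers cover the base64 step of the config.json update. Docker stores each "auth" value in config.json as the base64 encoding of username:password, so changing one half of the pair means decoding the current value, substituting the new half, and re-encoding the pair; a value that encodes only the new username or only the new password would not be accepted by the registry. The helpers use printf '%s' rather than echo -n, which is not portable across shells, and one function shows the trailing-newline pitfall the procedure warns about. The function names, the constructed sample value (admin:oldpass, not the value shown above) and the use of GNU coreutils base64 -d and sed -i are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM Cloud Private documentation.
# Assumes GNU coreutils (base64 -d, sed -i) as found on a Linux master node.

# base64 without a trailing newline in the input, and without the line wrapping
# that GNU base64 inserts every 76 characters for long inputs.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# The pitfall: encoding "value\n" (what echo without -n produces) yields a
# different string than encoding "value".
b64_with_newline() {
    printf '%s\n' "$1" | base64 | tr -d '\n'
}

# Decode an existing auth value and print the username (before the first ':').
auth_username() {
    printf '%s' "$1" | base64 -d | cut -d: -f1
}

# Decode an existing auth value and print the password (everything after the
# first ':'; passwords may themselves contain ':' so fields 2 to end are kept).
auth_password() {
    printf '%s' "$1" | base64 -d | cut -d: -f2-
}

# Build a new auth value from the current one, replacing the username and/or
# the password. Pass "" for a half that should keep its current value.
new_auth() {
    current="$1"
    new_user="$2"
    new_pass="$3"
    user=$(auth_username "$current")
    pass=$(auth_password "$current")
    if [ -n "$new_user" ]; then user="$new_user"; fi
    if [ -n "$new_pass" ]; then pass="$new_pass"; fi
    b64 "${user}:${pass}"
}

# Replace one auth value in a config.json file in place. base64 output uses only
# [A-Za-z0-9+/=], none of which is special in a basic regular expression when
# '|' is used as the sed delimiter, so the old value can be matched literally.
replace_auth_in_file() {
    file="$1"
    old_auth="$2"
    replacement="$3"
    sed -i "s|\"auth\": \"${old_auth}\"|\"auth\": \"${replacement}\"|" "$file"
}

# Constructed sample credential for the demonstration (not a real value).
SAMPLE_AUTH=$(b64 "admin:oldpass")

# Run with DEMO=1 to print the current username and the re-encoded value for a
# password change, which is what would be pasted into /root/.docker/config.json.
if [ "${DEMO:-0}" = "1" ]; then
    printf 'current username: %s\n' "$(auth_username "$SAMPLE_AUTH")"
    printf 'new auth value:   %s\n' "$(new_auth "$SAMPLE_AUTH" "" newpass)"
fi
```

Because the decoded pair is the registry credential itself, keep the edited config.json at its existing restrictive permissions and avoid leaving decoded values in shell history or scratch files.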