kops
kubernetes
admin password
security
configuration

Changing the auto-generated kops kubernetes admin password

Master System Design with Codemia

Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.

Introduction

When people ask how to change the auto-generated admin password in a kops cluster, the first thing to verify is whether there is actually a password to change. In modern kops setups, admin access is usually certificate-based through kubeconfig, not a long-lived username and password. The right fix is often credential rotation, not password editing.

Understand What kops Actually Generates

A kops cluster stores state in a bucket and generates Kubernetes control-plane configuration from that state. Admin access usually comes from a client certificate written into your local kubeconfig when you run kops export kubeconfig.

Start by checking which cluster you are talking to and whether the exported admin credential is temporary:

bash
1export KOPS_STATE_STORE=s3://my-kops-state
2kops get cluster
3kops export kubeconfig --name=mycluster.example.com --admin=18h
4kubectl config current-context
5kubectl auth whoami

If this works, you are probably not using a password at all. You are using a short-lived admin certificate. In that case, the secure replacement for an old auto-generated credential is to re-export a new admin certificate with a short lifetime and remove any legacy basic-auth configuration.

Prefer Rotating Credentials Over Editing Passwords

For current clusters, a practical admin rotation workflow looks like this:

bash
1export KOPS_STATE_STORE=s3://my-kops-state
2CLUSTER_NAME=mycluster.example.com
3
4kops export kubeconfig --name="$CLUSTER_NAME" --admin=12h
5kubectl get nodes

That command does not change the cluster. It issues a new local admin credential with a defined expiration. If an old administrator left behind a copied kubeconfig, you should also rotate the cluster certificates so previously issued credentials expire or become irrelevant on a known schedule.

A common operational pattern is:

  1. issue short-lived admin credentials only when needed
  2. use RBAC-bound service or user identities for routine work
  3. rotate cluster certificates during maintenance windows

kops includes a rolling approach for control-plane changes:

bash
kops update cluster --name="$CLUSTER_NAME" --yes
kops rolling-update cluster --name="$CLUSTER_NAME" --yes
kops validate cluster --wait=10m

Use that after changing security-related cluster settings in the kops spec.

If You Are Still Using Legacy Basic Auth

Older Kubernetes deployments sometimes enabled basic auth on the API server. If your cluster still has that pattern, the better answer is usually to disable it rather than invent a new permanent admin password.

Edit the cluster spec:

bash
kops edit cluster mycluster.example.com

You may see old API server settings that indicate legacy auth. After removing them, apply and roll the cluster:

bash
kops update cluster --name=mycluster.example.com --yes
kops rolling-update cluster --name=mycluster.example.com --yes

Then export a fresh admin kubeconfig:

bash
kops export kubeconfig --name=mycluster.example.com --admin=8h

The main idea is simple: do not preserve an old insecure authentication model just because it once worked.

Use RBAC for Real Human Access

Cluster-admin access should be rare. For day-to-day work, create narrower roles and bindings so developers do not need a shared admin credential.

For example, create a read-only cluster role binding for an existing identity:

yaml
1apiVersion: rbac.authorization.k8s.io/v1
2kind: ClusterRoleBinding
3metadata:
4  name: read-only-viewer
5subjects:
6  - kind: User
7    name: [email protected]
8    apiGroup: rbac.authorization.k8s.io
9roleRef:
10  kind: ClusterRole
11  name: view
12  apiGroup: rbac.authorization.k8s.io

Apply it with:

bash
kubectl apply -f read-only-viewer.yaml

This reduces the pressure to maintain a shared admin secret at all.

Verify What Credential kubectl Is Using

Before rotating anything, inspect the current kubeconfig entry. That prevents you from changing the wrong thing.

bash
kubectl config view --minify
kubectl config view --raw --minify

If you see client-certificate-data and client-key-data, you are using certificate auth. If you instead see a username and password entry, you are dealing with an older setup and should plan a migration away from it.

You should also check whether automation depends on the current credential. CI systems, GitOps controllers, and backup jobs often use separate service accounts and are unaffected by an admin kubeconfig rotation.

A Safer Long-Term Pattern

For production clusters, the safest pattern is:

  • no shared permanent admin password
  • short-lived admin certificates for break-glass access
  • RBAC-limited identities for routine tasks
  • external identity integration when possible

That approach aligns better with how Kubernetes is designed to be operated.

Common Pitfalls

Shared assumption that kops uses a normal admin password. Many clusters do not. Inspect kubeconfig first.

Rotating only the local machine credential. That changes your access, not cluster-wide policy.

Leaving legacy basic auth enabled. Even if you can change the password, that is weaker than disabling the mechanism.

Using cluster-admin for every operator. Prefer RBAC roles with narrower scope.

Skipping validation after a control-plane change. Always run kops validate cluster after updates.

Summary

  • In modern kops clusters, admin access is usually certificate-based, not password-based.
  • 'kops export kubeconfig --admin=... is often the right way to refresh admin access.'
  • If legacy basic auth exists, the better fix is usually to remove it.
  • Use RBAC roles for normal work instead of shared admin credentials.
  • Validate cluster health after security-related changes and rolling updates.

Course illustration
Course illustration

All Rights Reserved.