Reset the OpenShift kubeadmin password

Reset the kubeadmin bootstrap password when the original credential is lost and no other cluster-admin identity provider is available.

Prerequisites

  • SSH access to a control plane node (as core, with sudo if required).
  • oc available on the node or copied in with the recovery kubeconfig.
  • htpasswd available to generate the bcrypt hash (install httpd-tools on RHEL, or run from a toolbox/UBI container).
  • A new password of at least 23 characters (required by the bootstrap authenticator).

Warning
This procedure patches the kubeadmin secret in kube-system. Use only for cluster recovery. After restoring access, define an identity provider and create a dedicated cluster-admin user, then remove kubeadmin per Red Hat documentation.

1. SSH to a control plane node

Connect to any healthy control plane node in the cluster.

ssh core@<control-plane-node>

2. Use the recovery kubeconfig

The API server exposes a localhost-only admin kubeconfig on each control plane node. Point KUBECONFIG at that file.

cd /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs
export KUBECONFIG=localhost-recovery.kubeconfig

Confirm API access:

oc whoami

Expected output:

system:admin

Inspect the current kubeadmin secret:

oc get secret -n kube-system kubeadmin -o yaml

The data.kubeadmin field holds a base64-encoded bcrypt hash of the current password.

3. Generate a new password hash

Choose a new password (minimum 23 characters) and produce the bcrypt hash, then base64-encode it for the secret patch.

NEW_PASS='aaaaa-bbbbb-ccccc-ddddd'
HASH_B64=$(htpasswd -bnBC 10 "" "${NEW_PASS}" | tr -d ':\n' | base64 -w0)
echo "${HASH_B64}"

htpasswd -n prints the hash as :<hash> followed by a newline, because no username is set. tr -d ':\n' strips both the leading colon and the trailing newline before encoding; neither may end up in the stored value, or the hash will not compare equal to the password at login.
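The following helpers are an added example, not part of the original runbook: they check the password length, strip the two htpasswd artifacts (the : prefix and the trailing newline), encode the hash for the secret patch, and decode a value read back from the secret so it can be compared in the verification step. The function names, the bcrypt format check, and the sample hash in the comments are assumptions constructed for illustration; the sample is a format-valid placeholder, not a real password hash.

```shell
#!/bin/sh
# Added example (not from the original runbook). Helper names and the
# bcrypt format check below are assumptions made for illustration.

# Succeeds when the password meets the 23-character minimum enforced by
# the kubeadmin bootstrap authenticator.
check_password_length() {
  pass="$1"
  [ "${#pass}" -ge 23 ]
}

# Succeeds when the argument is exactly one well-formed bcrypt hash:
# "$2a$"/"$2b$"/"$2y$", a two-digit cost, "$", then 22 salt + 31 digest
# characters, 60 characters in total. The length test rejects a stray
# ':' prefix or a trailing newline, which grep alone would tolerate.
check_bcrypt_format() {
  hash="$1"
  [ "${#hash}" -eq 60 ] &&
    printf '%s' "$hash" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
}

# Reads raw "htpasswd -n" output on stdin (":<hash>\n" when the username
# is empty), removes the colon and newline, and base64-encodes the hash
# on a single line for use in the secret patch.
encode_hash_for_secret() {
  tr -d ':\n' | base64 | tr -d '\n'
}

# Decodes a base64 value, e.g. the output of
# oc get secret -n kube-system kubeadmin -o jsonpath='{.data.kubeadmin}',
# back to the bcrypt hash so it can be checked or compared.
decode_hash_from_secret() {
  printf '%s' "$1" | base64 -d
}

# Round trip: raw htpasswd output -> encoded -> decoded -> format check.
# Returns the encoded value on stdout when everything is consistent.
prepare_hash() {
  raw="$1"
  b64=$(printf '%s' "$raw" | encode_hash_for_secret)
  decoded=$(decode_hash_from_secret "$b64")
  check_bcrypt_format "$decoded" || return 1
  printf '%s' "$b64"
}

# Stand-alone usage with a real hash; only runs when htpasswd is installed.
# Constructed example password (23 characters), as in step 3.
if command -v htpasswd >/dev/null 2>&1; then
  NEW_PASS='aaaaa-bbbbb-ccccc-ddddd'
  check_password_length "$NEW_PASS" || { echo "password too short" >&2; exit 1; }
  HASH_B64=$(htpasswd -bnBC 10 "" "$NEW_PASS" | prepare_hash "$(cat)") \
    && echo "$HASH_B64"
fi
```

Usage follows step 3 exactly: pipe the htpasswd output through prepare_hash and use the printed value as HASH_B64 in the oc patch command. After the patch, feed the jsonpath output of the secret to decode_hash_from_secret and compare it with the decoded value of HASH_B64; the two must be identical.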

4. Patch the kubeadmin secret

Update the kubeadmin secret with the new hash.

oc patch -n kube-system secret/kubeadmin \
  --patch "{\"data\": {\"kubeadmin\": \"${HASH_B64}\"}}"

Expected output:

secret/kubeadmin patched

5. Log in with the new password

From any host with network access to the API, authenticate as kubeadmin using the new password.

oc login https://api.<cluster>.<domain>:6443 -u kubeadmin -p "${NEW_PASS}"

Verify / Validate

Confirm the session and cluster-admin privileges:

oc whoami
oc auth can-i '*' '*' --all-namespaces

Expected output:

kubeadmin
yes

Verify the secret contains the new hash:

oc get secret -n kube-system kubeadmin -o jsonpath='{.data.kubeadmin}{"\n"}'

The value must match ${HASH_B64} from step 3.