Reputation: 119
I'm trying to get Kubernetes running on some local machines running CoreOS. I'm loosely following this guide. Everything seems to be up and running, and I'm able to connect to the API via kubectl. However, when I try to create a pod, I get this error:
Pod "redis-master" is forbidden: Missing service account default/default: <nil>
Doing kubectl get serviceAccounts confirms that I don't have any ServiceAccounts:
NAME SECRETS
According to the documentation, each namespace should have a default ServiceAccount. Running kubectl get namespace confirms that I have the default namespace:
NAME LABELS STATUS
default <none> Active
I'm brand new to Kubernetes and CoreOS, so I'm sure there's something I'm overlooking, but I can't for the life of me figure out what's going on. I'd appreciate any pointers.
UPDATE
It appears the kube-controller-manager isn't running. When I try to run it, I get this message:
I1104 21:09:49.262780 26292 plugins.go:69] No cloud provider specified.
I1104 21:09:49.262935 26292 nodecontroller.go:114] Sending events to api server.
E1104 21:09:49.263089 26292 controllermanager.go:217] Failed to start service controller: ServiceController should not be run without a cloudprovider.
W1104 21:09:49.629084 26292 request.go:302] field selector: v1 - secrets - type - kubernetes.io/service-account-token: need to check if this is versioned correctly.
W1104 21:09:49.629322 26292 request.go:302] field selector: v1 - serviceAccounts - metadata.name - default: need to check if this is versioned correctly.
W1104 21:09:49.636082 26292 request.go:302] field selector: v1 - serviceAccounts - metadata.name - default: need to check if this is versioned correctly.
W1104 21:09:49.638712 26292 request.go:302] field selector: v1 - secrets - type - kubernetes.io/service-account-token: need to check if this is versioned correctly.
Since I'm running this locally, I don't have a cloud provider. I tried to define --cloud-provider="" but it still complains with the same error.
Upvotes: 2
Views: 8448
Reputation: 8228
The default service account for each namespace is created by the service account controller, which is a loop that is part of the kube-controller-manager binary. So, verify that binary is running, and check its logs for anything that suggests it can't create a service account. Make sure you set "--service-account-private-key-file=somefile" to a file that has a valid PEM key.
Alternatively, if you want to make some progress without service accounts, and come back to that later, you can disable the admission controller that is blocking your pods by removing the "ServiceAccount" option from your api-server's --admission-controllers flag. But you will probably want to come back and fix that later.
Upvotes: 3
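A preflight check for the key file the answer above refers to, as an added example that is not part of the original answer: it creates a signing key with restrictive permissions and confirms that a kube-controller-manager argument list points --service-account-private-key-file at a PEM private key openssl can parse. The function names and the sa.key/sa.pub file names are hypothetical, and the openssl CLI is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example: function names and file names (sa.key, sa.pub) are hypothetical.

# Create an RSA signing key (owner-only permissions) plus its public half in $1.
# The public key can be handed to the API server's --service-account-key-file
# flag (a standard kube-apiserver flag that the page itself does not mention).
make_sa_keypair() {
    local dir="$1"
    ( umask 077
      openssl genrsa -out "$dir/sa.key" 2048 2>/dev/null &&
      openssl rsa -in "$dir/sa.key" -pubout -out "$dir/sa.pub" 2>/dev/null )
}

# Return 0 only if $1 is a readable, unencrypted PEM private key.
sa_key_is_valid() {
    local key_file="$1"
    [ -r "$key_file" ] || { echo "unreadable: $key_file" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key_file" \
        || { echo "no PEM private key header: $key_file" >&2; return 1; }
    # -passin pass: keeps openssl from prompting if the key is encrypted.
    openssl pkey -in "$key_file" -passin pass: -noout 2>/dev/null \
        || { echo "openssl cannot parse: $key_file" >&2; return 1; }
}

# Print the value of --service-account-private-key-file from an argument list.
sa_key_flag_value() {
    local arg
    for arg in "$@"; do
        case "$arg" in
            --service-account-private-key-file=*)
                printf '%s\n' "${arg#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Exit status: 0 = flag set and key valid, 2 = flag missing, 3 = key unusable.
check_controller_manager_args() {
    local key_file
    key_file=$(sa_key_flag_value "$@") \
        || { echo "--service-account-private-key-file is not set" >&2; return 2; }
    sa_key_is_valid "$key_file" || return 3
    echo "ok: $key_file"
}
```

Pass the function the same arguments the kube-controller-manager unit or manifest uses; a non-zero status explains why no default ServiceAccount token can be signed.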