Anshul Patel

Reputation: 925

How to disable creation of the token secret while creating a service account in Kubernetes?

When I create a service account in Kubernetes with the following specification

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: deploy-bot

It automatically creates the following secret with the prefix deploy-bot-token-XXXX:

$ kubectl get secret

NAME                                                      TYPE                                  DATA   AGE
default-token-lvq79                                       kubernetes.io/service-account-token   3      60m
deploy-bot-token-7gmnh                                    kubernetes.io/service-account-token   3      4m53s

Is there a way via which we can disable the automatic creation of secret tokens while creating service accounts?

Upvotes: 3

Views: 1403

Answers (2)

Joe Bowbeer

Reputation: 3841

The default behavior you describe changes in Kubernetes 1.24, when the LegacyServiceAccountTokenNoAutoGeneration feature gate is enabled and new secrets containing service account tokens are no longer auto-generated.

From https://stackoverflow.com/a/72597897/901597

Upvotes: 0

kool

Reputation: 3613

You can achieve it by modifying kube-controller-manager options.

The flag to be passed to the controller is --controllers=-serviceaccount-token. It will disable creating tokens for service accounts.

spec:
  containers:
  - command:
    - kube-controller-manager
    - --controllers=-serviceaccount-token
 [...]

After this modification when you deploy your service account:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: deploy-bot

$ kubectl get sa
NAME         SECRETS   AGE
default      1         14m
deploy-bot   0         3s

and check the secrets created, you will notice that the secret has not been created:

$ kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-t4qnv   kubernetes.io/service-account-token   3      14m

Upvotes: 1
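
To confirm the effect of either answer above, the token secrets that remain in a namespace can be audited from `kubectl get secret -o json` output. This is an added example, not part of either answer: the sample JSON is constructed, the function names are hypothetical, and the `<account>-token-<suffix>` name pattern is inferred from the listings on this page.

```python
import json
import re

TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_ANNOTATION = "kubernetes.io/service-account.name"

# Constructed sample shaped like `kubectl get secret -o json` output (not real cluster data).
SAMPLE_SECRETS = json.dumps({"items": [
    {"metadata": {"name": "default-token-lvq79", "namespace": "default",
                  "annotations": {SA_ANNOTATION: "default"}}, "type": TOKEN_TYPE},
    {"metadata": {"name": "deploy-bot-token-7gmnh", "namespace": "default",
                  "annotations": {SA_ANNOTATION: "deploy-bot"}}, "type": TOKEN_TYPE},
    {"metadata": {"name": "ci-long-lived", "namespace": "default",
                  "annotations": {SA_ANNOTATION: "ci"}}, "type": TOKEN_TYPE},
    {"metadata": {"name": "registry-creds", "namespace": "default"},
     "type": "kubernetes.io/dockerconfigjson"},
]})


def audit_token_secrets(secrets_json):
    """Return {(namespace, service_account): [(secret_name, origin), ...]}."""
    findings = {}
    for item in json.loads(secrets_json).get("items", []):
        if item.get("type") != TOKEN_TYPE:
            continue  # only service account token secrets are of interest
        meta = item.get("metadata", {})
        name = meta.get("name", "")
        sa = (meta.get("annotations") or {}).get(SA_ANNOTATION)
        if not sa:
            continue  # no annotation: the secret is not bound to an account
        # Assumption: auto-generated names look like <account>-token-<5 chars>,
        # as in the listings on this page; anything else was created by hand.
        auto = re.fullmatch(re.escape(sa) + r"-token-[a-z0-9]{5}", name)
        origin = "auto-generated" if auto else "manually created"
        findings.setdefault((meta.get("namespace", "default"), sa), []).append((name, origin))
    return findings


def accounts_with_auto_tokens(secrets_json):
    """Service accounts that still have an auto-generated token secret."""
    return sorted(sa for (_, sa), secrets in audit_token_secrets(secrets_json).items()
                  if any(origin == "auto-generated" for _, origin in secrets))


if __name__ == "__main__":
    for (ns, sa), secrets in sorted(audit_token_secrets(SAMPLE_SECRETS).items()):
        for name, origin in secrets:
            print(f"{ns}/{sa}: {name} ({origin})")
```

On a cluster where auto-generation is off, a service account created after the change should be absent from the result of `accounts_with_auto_tokens`.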
