CODEWITHSUNDEEP
kuberneteskubectl
Kavishka
Kavishka

Reputation: 515

Service account secret is not listed. How to fix it?

I have used kubectl create serviceaccount sa1 to create service account. Then I used kubectl get serviceaccount sa1 -oyaml command to get service account info. But it returns as below.

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-05-16T08:03:50Z"
  name: sa1
  namespace: default
  resourceVersion: "19651"
  uid: fdddacba-be9d-4e77-a849-95ca243781cc

I need to get,

secrets:
- name: <secret>

part. but it doesn't return secrets. How to fix it?

Upvotes: 45

Views: 55504

Answers (3)

Glin Zachariah
Glin Zachariah

Reputation: 301

I too struggled for a while with this, but ultimately I was able to get a temporary token of login using the

kubectl create token [serviceaccount-name].

Still a newbie in this!!

Upvotes: 13

prashanth_apolloyon
prashanth_apolloyon

Reputation: 9

If any of the above solutions didn't worked, try this.

Go to Projects >> Project settings >> Service connections >> New service connection >> Kubernetes >> select the authentication method as KubeConfig and for the KubeConfig file,

Open AKS in azure portal

Open cloud shell or the Azure CLI

Run the following commands

az account set --subscription {subscription ID}

az aks get-credentials --resource-group {resource group name} --name {AKS-name} --admin

you will get a path to the kubeconfig file

cat /home/****/.kube/config

copy everything and paste in azure devops kubernetes service connection. Click on Accept untrusted certificates and Grant access permission to all pipelines. Give a service connection name and click verify.

Upvotes: -1

David Maze
David Maze

Reputation: 158647

In Kubernetes 1.24, ServiceAccount token secrets are no longer automatically generated. See "Urgent Upgrade Notes" in the 1.24 changelog file:

The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the TokenRequest API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this guide. (#108309, @zshihang)

This means, in Kubernetes 1.24, you need to manually create the Secret; the token key in the data field will be automatically set for you.

apiVersion: v1
kind: Secret
metadata:
  name: sa1-token
  annotations:
    kubernetes.io/service-account.name: sa1
type: kubernetes.io/service-account-token

Since you're manually creating the Secret, you know its name: and don't need to look it up in the ServiceAccount object.

This approach should work fine in earlier versions of Kubernetes too.

Upvotes: 104

Related Questions