Reputation: 109
I downloaded Kubernetes for integration with Jenkins and created a ServiceAccount, but the secret is not automatically created.
In the past, I remember that a Secret was automatically created and the Token was mounted when a ServiceAccount was created.
How can I automatically create a Secret as before?
Upvotes: 4
Views: 8099
Reputation: 11
The answers above do not completely restore the pre-1.24 behaviour; however, I have found that the below does restore it.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: jenkins-user-secret
  annotations:
    kubernetes.io/service-account.name: jenkins-user
type: kubernetes.io/service-account-token
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # Must match the kubernetes.io/service-account.name annotation on the Secret
  name: jenkins-user
automountServiceAccountToken: true
secrets:
  - name: jenkins-user-secret
```

This resolves the error I was previously seeing when running

```
istioctl x create-remote-secret
```

which was throwing the error

```
Error: could not get access token to read resources from local kube-apiserver: no secret found in the service account:
```

The part missing in the answers above is configuring the service account to allow the secret to be used by pods by setting the "secrets" list.
Upvotes: 1
Reputation: 676
You can put the below two manifests into YAML files and apply them, or you can do it from the command line like this:

```shell
$ kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins-user
EOF
$ kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: jenkins-user-secret
  annotations:
    kubernetes.io/service-account.name: jenkins-user
type: kubernetes.io/service-account-token
EOF
```

Here we have a secret which holds a certificate and a token:

```
$ kubectl get secret
NAME                  TYPE                                  DATA   AGE
jenkins-user-secret   kubernetes.io/service-account-token   3      4s
```

Upvotes: 6
Reputation: 2533
As mentioned by @P...., in Kubernetes version 1.24 this behaviour has been changed: the LegacyServiceAccountTokenNoAutoGeneration feature gate is enabled by default in 1.24.
New secrets containing service account tokens are no longer auto-generated and are not automatically ambient in secrets in 1.24+. Existing secrets containing service account tokens are still usable.
API clients scraping token content from auto-generated Secret API objects must start using the TokenRequest API to obtain a token (preferred, available in all supported versions), or you can explicitly request a secret-based token if a secret-based token is desired/needed.
Refer to "manually create a service account API token" to explicitly request a secret-based token.
Upvotes: 6
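
The two token sources discussed in the answers above can be told apart from the token's own claims. The following Python sketch is an added example, not code from any answer on this page: it decodes a service account JWT without verifying the signature and reports whether it is a Secret-based token (no `exp` claim) or a TokenRequest token (audience-bound and expiring). The sample tokens are constructed, and their claim layout is an assumption about what kube-apiserver emits.

```python
import base64
import json
import time

def decode_claims(token):
    """Return the JWT payload; the signature is NOT verified (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def classify(token, now=None):
    """Tell a Secret-based token from a TokenRequest (bound) token."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    secret = claims.get("kubernetes.io/serviceaccount/secret.name")
    exp = claims.get("exp")
    if secret is not None:
        kind = "secret-based"      # minted for a service-account-token Secret
    elif exp is not None and "kubernetes.io" in claims:
        kind = "bound"             # issued through the TokenRequest API
    else:
        kind = "unknown"
    return {"kind": kind, "subject": claims.get("sub"), "secret": secret,
            "expires": exp is not None,
            "seconds_left": None if exp is None else int(exp - now)}

def make_sample(claims):
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = json.dumps({"alg": "RS256", "typ": "JWT"}).encode()
    return ".".join([enc(header), enc(json.dumps(claims).encode()),
                     enc(b"constructed-signature")])

# Constructed samples using the names from this page.
LEGACY = make_sample({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "jenkins-user-secret",
    "kubernetes.io/serviceaccount/service-account.name": "jenkins-user",
    "sub": "system:serviceaccount:default:jenkins-user"})
BOUND = make_sample({
    "aud": ["https://kubernetes.default.svc"],
    "iat": 1700000000, "exp": 1700003600,
    "iss": "https://kubernetes.default.svc",
    "kubernetes.io": {"namespace": "default",
                      "serviceaccount": {"name": "jenkins-user"}},
    "sub": "system:serviceaccount:default:jenkins-user"})

if __name__ == "__main__":
    for name, tok in (("LEGACY", LEGACY), ("BOUND", BOUND)):
        print(name, classify(tok, now=1700000000))
```

A token reported as `secret-based` stays valid until its Secret or ServiceAccount is deleted, so inventory and rotate those deliberately.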
Reputation: 178
You can enable it using the option automountServiceAccountToken: true

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
automountServiceAccountToken: true
```

else remove the option automountServiceAccountToken, by default it will create secret

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
```

Upvotes: -3