Reputation: 6009
Create secret for my service account but the created service account always show me 0 secret associated with it
My NodeJS microservice is deployed to k8s cluster.
I am running this with my local Docker Desktop k8s environment.
I would like this microservice to access the k8s API server. For that, I guess I need to create a ServiceAccount for it. So I did this:
apiVersion: v1
kind: ServiceAccount
metadata:
name: my-app-service-account
namespace: myapp-ns
Then, I also created a ClusterRole to define the permissions:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: myapp-cluster-role
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
Finally, I created a ClusterRoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: my-app-role-binding
namespace: myapp-ns
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: myapp-cluster-role
subjects:
- kind: ServiceAccount
name: my-app-service-account
namespace: myapp-ns
I applied them to my cluster. Then, I noticed the created Service Account doesn't have a secret provisioned:
> k get sa -n myapp-ns
NAME SECRETS AGE
default 0 11h
my-app-service-account 0 1h
So, I created a secret for my service account by applying the following manifest:
apiVersion: v1
kind: Secret
metadata:
name: my-sa-token
namespace: myapp-ns
annotations:
kubernetes.io/service-account.name: "my-app-service-account"
type: kubernetes.io/service-account-token
I can see that this secret is created successfully:
> k get secret -n myapp-ns
NAME TYPE DATA AGE
my-sa-token kubernetes.io/dockerconfigjson 1 10s
Then, I check my previously created service account:
> k get sa -n myapp-ns
NAME SECRETS AGE
default 0 11h
my-app-service-account 0 1h
It still shows 0 secret associated with it.
Why is that? How can I have my service account to have a secret associated?
Upvotes: 0
Views: 749
Answers (1)
Reputation: 31080
I think you misunderstand the semantics of the secrets field of the ServiceAccount. From the Kubernetes API reference:
Secrets is a list of the secrets in the same namespace that pods running using this ServiceAccount are allowed to use. Pods are only limited to this list if this service account has a "kubernetes.io/enforce-mountable-secrets" annotation set to "true". This field should not be used to find auto-generated service account token secrets for use outside of pods. Instead, tokens can be requested directly using the TokenRequest API, or service account token secrets can be manually created. More info: https://kubernetes.io/docs/concepts/configuration/secret
In other words, secrets is a list you specify that limits which secrets a given service account should be able to use.
Furthermore, I think something went wrong during the creation of your secret because your question shows it has type kubernetes.io/dockerconfigjson. When I kubectl apply the file containing the secret definition I get something very different:
NAME TYPE DATA AGE
my-sa-token kubernetes.io/service-account-token 3 4m13s
Inspecting the secret as YAML shows that Kubernetes has added a token, namespace and ca.crt field, as expected.
Furthermore, kubectl describe links the ServiceAccount and the Secret:
Name: my-app-service-account
Namespace: myapp-ns
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: <none>
Tokens: my-sa-token
Events: <none>
Upvotes: 0
Related Questions
- Accessing k8s cluster with service account token
- Allow K8s serviceAccount to read clusterroles, problem when trying to deploy ingress-nginx helm chart with jenkins
- Cannot list or delete ClusterRole or ClusterRoleBinding with a Kubernetes ServiceAccount
- Kubernetes Service Account for Jobs
- Service account role bindings not working for API access
- Error while accessing Web UI Dashboard using RBAC