user2713498

Reputation: 65

How to mount manually created non-expiring service account token into the pod

Let's say that the token for the service account is manually created using

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: build-robot-secret
  annotations:
    kubernetes.io/service-account.name: build-robot
type: kubernetes.io/service-account-token
EOF

How do I mount the service account token thus created into the pod? I was under the assumption that the pod created should have this service account token mounted into /var/run/secrets/kubernetes.io/serviceaccount when serviceAccountName: build-robot is part of the manifests and shouldn't have an expiry but then when the token is inspected, there is an expiry associated with it.

Upvotes: 0

Views: 673

Answers (1)

Muravyev Maxim

Reputation: 473

Kubernetes uses the TokenRequest API to generate tokens automatically bound to the SA: https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/

The official Kubernetes documentation also says:

You can still manually create a service account token Secret; for example, if you need a token that never expires.

It means the only way to create a non-expired token is to manually create a service account's token Secret. By default, created secrets (any kind) don't have expiration details.

With TokenRequest, it was also achievable via the kubectl create token my_token --duration=0s flag, but it has been removed since 1.24.

Upvotes: 1
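An added example, not part of the question or answer above: a small inspector that decodes a service account JWT without verifying it and reports whether it carries an `exp` claim, which is how the token mounted at /var/run/secrets/kubernetes.io/serviceaccount can be told apart from the one stored in build-robot-secret. The two sample tokens are constructed for the demo, and the `default` namespace is an assumption.

```python
import base64
import json
import time
from typing import Optional


def _seg(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT for the demo; the third segment is a dummy."""
    return ".".join([_seg({"alg": "RS256", "typ": "JWT"}), _seg(claims), "c2ln"])


def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; no signature check."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def classify(token: str, now: Optional[float] = None) -> dict:
    """Report whether a service account token carries an expiry."""
    claims = decode_claims(token)
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return {
        "kind": "secret-based" if exp is None else "bound",
        "subject": claims.get("sub"),
        "seconds_left": None if exp is None else int(exp - now),
    }


SUB = "system:serviceaccount:default:build-robot"  # namespace "default" is assumed
# Constructed claims shaped like a token read from the Secret's "token" key.
SECRET_TOKEN = sample_token({"iss": "kubernetes/serviceaccount", "sub": SUB,
    "kubernetes.io/serviceaccount/secret.name": "build-robot-secret"})
# Constructed claims shaped like the projected token mounted into a pod.
BOUND_TOKEN = sample_token({"iss": "https://kubernetes.default.svc", "sub": SUB,
    "aud": ["https://kubernetes.default.svc"], "iat": 1700000000, "exp": 1700003607})

if __name__ == "__main__":
    for name, tok in (("secret", SECRET_TOKEN), ("bound", BOUND_TOKEN)):
        print(name, classify(tok, now=1700000000))
```

The same check works as an audit step: any token classified as `secret-based` stays valid until its Secret or service account is deleted.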
