Tags: kubernetes, kubernetes-secrets, k8s-serviceaccount

Why does a newly created ServiceAccount have 0 secrets?


I have Kubernetes version 1.24.3, and I created a new service account named "deployer", but when I checked it, it shows it doesn't have any secrets.

This is how I created the service account:

kubectl apply -f - << EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: deployer
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deployer-role
rules:
- apiGroups: ["", "extensions", "apps"]
  resources:
  - deployments
  verbs: ["list", "get", "describe", "apply", "delete", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: deployer-crb
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: deployer-role
subjects:
- kind: ServiceAccount
  name: deployer
  namespace: default
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: token-secret
  annotations:
    kubernetes.io/service-account.name: deployer
EOF

When I checked it, it shows that it doesn't have secrets:

cyber@manager1:~$ kubectl get sa deployer
NAME       SECRETS   AGE
deployer   0         4m32s

cyber@manager1:~$ kubectl get sa deployer -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"deployer","namespace":"default"}}
  creationTimestamp: "2022-10-13T08:36:54Z"
  name: deployer
  namespace: default
  resourceVersion: "2129964"
  uid: cd2bf19f-92b2-4830-8b5a-879914a18af5

And this is the secret that should be associated to the above service account:

cyber@manager1:~$ kubectl get secrets token-secret -o yaml
apiVersion: v1
data:
  ca.crt: <REDACTED>
  namespace: ZGVmYXVsdA==
  token: <REDACTED>
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{"kubernetes.io/service-account.name":"deployer"},"name":"token-secret","namespace":"default"},"type":"kubernetes.io/service-account-token"}
    kubernetes.io/service-account.name: deployer
    kubernetes.io/service-account.uid: cd2bf19f-92b2-4830-8b5a-879914a18af5
  creationTimestamp: "2022-10-13T08:36:54Z"
  name: token-secret
  namespace: default
  resourceVersion: "2129968"
  uid: d960c933-5e7b-4750-865d-e843f52f1b48
type: kubernetes.io/service-account-token

What can be the reason?

Update: The answer helped, but for the record, it doesn't matter: the token works even though it shows 0 secrets:

kubectl get pods --token `cat ./token` -s https://192.168.49.2:8443 --certificate-authority /home/cyber/.minikube/ca.crt --all-namespaces

Other Details:
I am working on Kubernetes version 1.24:

cyber@manager1:~$ kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.0", GitCommit:"a866cbe2e5bbaa01cfd5e969aa3e033f3282a8a2", GitTreeState:"clean", BuildDate:"2022-08-23T17:44:59Z", GoVersion:"go1.19", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.3", GitCommit:"aef86a93758dc3cb2c658dd9657ab4ad4afc21cb", GitTreeState:"clean", BuildDate:"2022-07-13T14:23:26Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}

You can delete it by running:

kubectl delete clusterroles deployer-role
kubectl delete clusterrolebindings deployer-crb
kubectl delete sa deployer
kubectl delete secrets token-secret

Reference to Kubernetes 1.24 changes:


Solution

  • Based on the changelog, auto-generation of tokens is no longer available for every service account.

    The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the TokenRequest API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this guide.

    token-request-v1

    stops auto-generation of legacy tokens because they are less secure

    work-around

    or you can use

    kubectl create token SERVICE_ACCOUNT_NAME
    kubectl create token deployer

    Request a service account token.
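As an added example (not from the question or the answer), a small Python inspector that decodes a service-account token's payload, without verifying the signature, to tell a legacy secret-backed token (no `exp`, as populated into the `token-secret` Secret above) from a bound token issued by `kubectl create token`. The two sample tokens are constructed inline with a placeholder signature; a real token must still be verified against the API server's keys before anything is trusted from it.

```python
import base64
import json
import time

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims):
    # Demo-only token with a placeholder signature; the classifier ignores signatures.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder-sig"

def classify_sa_token(token, now=None):
    """Report kind (legacy vs bound), identity and remaining lifetime of a SA token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    claims = json.loads(_b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    info = {"subject": claims.get("sub")}
    if "exp" in claims:
        # TokenRequest tokens carry exp/aud and nest identity under "kubernetes.io".
        k8s = claims.get("kubernetes.io", {})
        info.update(kind="bound", audiences=claims.get("aud", []),
                    namespace=k8s.get("namespace"),
                    service_account=k8s.get("serviceaccount", {}).get("name"),
                    seconds_left=claims["exp"] - now)
    else:
        # Legacy secret-backed tokens never expire; identity sits in flat claims.
        p = "kubernetes.io/serviceaccount/"
        info.update(kind="legacy", audiences=[], namespace=claims.get(p + "namespace"),
                    service_account=claims.get(p + "service-account.name"),
                    seconds_left=None)
    return info

# Constructed samples mirroring the two token shapes a 1.24 cluster can issue.
LEGACY_TOKEN = make_unsigned_jwt({
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "token-secret",
    "kubernetes.io/serviceaccount/service-account.name": "deployer",
    "sub": "system:serviceaccount:default:deployer"})
BOUND_TOKEN = make_unsigned_jwt({
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "iat": 1700000000, "exp": 1700003600,
    "kubernetes.io": {"namespace": "default", "serviceaccount": {"name": "deployer"}},
    "sub": "system:serviceaccount:default:deployer"})
```

Feeding the output of `kubectl create token deployer` to `classify_sa_token` reports `bound` with a positive `seconds_left`, while the `token` field of `token-secret` reports `legacy` with no expiry.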