Service accounts in Kubernetes 1.24
Kubernetes is under active development, and breaking changes are to be expected during version upgrades. In 1.24, one change that might be important for you is that service accounts no longer generate tokens as secrets by default. This only affects the environment; within the pods, everything stays as before.
Create a token using kubectl
In case you want to create a token manually, this can be done using kubectl create token. Super fast & easy.
# create serviceaccount
kubectl -n temp create sa test-sa
serviceaccount/test-sa created
# create token
# duration is an optional parameter
kubectl -n temp create token test-sa --duration=1440m
eyJhbGciOiJSUzI1N[...]fs4b6Jxw
You can use this token wherever you need.
If you're interested, you can decode the token (JSON Web Tokens - jwt.io):
{
  "aud": [
    "https://kubernetes.default.svc.cluster.local"
  ],
  "exp": 1659714374,
  "iat": 1659627974,
  "iss": "https://kubernetes.default.svc.cluster.local",
  "kubernetes.io": {
    "namespace": "temp",
    "serviceaccount": {
      "name": "test-sa",
      "uid": "53399ddd-949d-40d8-a9c5-3406dface09e"
    }
  },
  "nbf": 1659627974,
  "sub": "system:serviceaccount:temp:test-sa"
}
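The claims can also be read locally, so a live token never has to be pasted into a website. This is an added example, not code from the original post: it decodes the payload without verifying the signature and summarizes the fields shown above. The function names are hypothetical, and the sample token is constructed from the claims in the post with a dummy signature.

```python
import base64
import json
import sys
from datetime import datetime, timezone

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Return the JWT payload. The signature is NOT verified here."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def summarize(claims: dict) -> dict:
    k8s = claims.get("kubernetes.io", {})
    expires = datetime.fromtimestamp(claims["exp"], tz=timezone.utc)
    return {
        "subject": claims["sub"],
        "namespace": k8s.get("namespace"),
        "serviceaccount": k8s.get("serviceaccount", {}).get("name"),
        "audiences": claims.get("aud", []),
        "lifetime_minutes": (claims["exp"] - claims["iat"]) // 60,
        "expires_utc": expires.isoformat(),
    }

# Constructed sample: claims from the post, wrapped with a dummy signature.
SAMPLE_CLAIMS = {
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "exp": 1659714374, "iat": 1659627974, "nbf": 1659627974,
    "iss": "https://kubernetes.default.svc.cluster.local",
    "kubernetes.io": {"namespace": "temp", "serviceaccount": {
        "name": "test-sa", "uid": "53399ddd-949d-40d8-a9c5-3406dface09e"}},
    "sub": "system:serviceaccount:temp:test-sa",
}
SAMPLE_TOKEN = ".".join(b64url_encode(p) for p in (
    b'{"alg":"RS256"}', json.dumps(SAMPLE_CLAIMS).encode(), b"dummy-signature"))

if __name__ == "__main__":
    # Read a token from stdin when piped; otherwise fall back to the sample.
    piped = "" if sys.stdin.isatty() else sys.stdin.read().strip()
    print(json.dumps(summarize(decode_claims(piped or SAMPLE_TOKEN)), indent=2))
```

Saved under a hypothetical name such as decode_sa_token.py, it accepts a real token on stdin: kubectl -n temp create token test-sa | python3 decode_sa_token.py. For the claims above it reports a lifetime of 1440 minutes, matching the --duration=1440m passed to kubectl.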
Create the secret manually
In most cases you won't create service accounts by hand but rather using a deployment tool like Helm. To achieve this with a custom secret, you can create a secret of type kubernetes.io/service-account-token.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-sa
  namespace: temp
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: test-sa-token
  namespace: temp
  annotations:
    # must match the name of the ServiceAccount defined above
    kubernetes.io/service-account.name: "test-sa"
The annotation will link the token to the serviceaccount.
That's it - quite easy, you just need to know it :-)