How does kubectl create token work?

k0dard

Assuming I have service account myserviceaccount, I can request a service account token with kubectl token create

However, this token doesn't appear as a secret when I kubectl get sa (SECRET column is still 0, as before token creation) or when I kubectl get secrets

So where is the token stored after creation? Or it's something like JWT authentication mechanisms, where token is signed from the server but doesn't necessarily exist on the server anymore? How does it work?

Also, in help section of kubectl create token it is mentioned that we can bound created token to a Secret or a Pod with --bound-object-kind and --bound-object-name but I cannot see the effect of this flag. What does it do?

headkaze

From Generating temporary identities for Service Accounts

Now that you know how tokens are mounted, you might wonder why Kubernetes decided to move on from creating tokens in Secrets.

There are a few reasons, but it boils down to:

• Tokens created with a Secret don't expire. Ever.
• When you created a Service Account, the Secret with the token was created asynchronously. This introduced a few race conditions when writing scripts that would create a Service Account and retrieve the token from the Secret.

But what if you need a token but don't need a pod?

Is there a way to obtain the token without mounting the projected volume?

Kubectl has a new command to do just that:

$ kubectl create token test
eyJhbGciOiJSUzI1NiIsImtpZCI6ImctMHJNO…

That token is temporary, just like the one mounted by the kubelet.

You will see a different output if you execute the same command again.

Is the token just a long string?