
Lab 6.6.13

I created the service account, but there is no token auto-created for it.
Name: security-account
Namespace: default
Labels:
Annotations:
Image pull secrets:
Mountable secrets:
Tokens:
Events:

I have done some research, and it seems that I need to modify the kube-apiserver.yaml and add the following spec:
spec:
  containers:
  - command:
    - kube-apiserver
    - --feature-gates=LegacyServiceAccountToken=true

I am a little confused: what is the purpose of task 13? Are we supposed to create a token manually and assign it to the service account?
Please let me know.
Thanks

Comments

  • chrispokorni (Posts: 2,372)

    Hi @yiwen.89,

    That is correct, the service account token needs to be created manually when desired:

    kubectl create token SERVICE_ACCOUNT_NAME [options]

    Regards,
    -Chris

  • ccorrads (Posts: 1), edited May 2023

    Ah! I ran into the same problem, breaking change in v1.24 - I would presume updating the content at 6.6.10 to instruct the learner "...creation of the service account and token" is vague enough without giving the answer away, but also does not cause confusion as it does today.

    Also, in the learning lab section 6.3.1 - this should be updated as well. I am running a lab environment on Ubuntu 20.04 locally on kubernetes v1.26.1 and the output of

    kubectl get secrets --all-namespaces

    only lists secrets which I have made in previous labs, no service account secrets.

  • Do the tokens actually need to be created by an admin though?

    I answered this question (hopefully correctly) by changing my securityreview pod to run with pod.spec.serviceAccountName: securityaccount. I then inspected the secrets mounted in the pod:

    k exec -it securityreview -- cat /var/run/secrets/kubernetes.io/serviceaccount/token > /tmp/securitytoken

    It started with the same content as was indicated in the question.

    Indeed, if you create it manually with kubectl create token ... it is meant to be a time-limited token.

    The required reading would be the following page, which describes the change and some of the rationale.

    https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-an-api-token-for-a-serviceaccount
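As an added example (not from this thread or the course material), a small POSIX shell helper that decodes the claims of a service-account JWT, whether it came from `kubectl create token security-account` or from the pod's projected mount at `/var/run/secrets/kubernetes.io/serviceaccount/token`, so you can check the subject and the `exp` claim that makes these tokens time-limited. The sample token, its claims and its dummy signature are constructed here; nothing in the script verifies the signature, which is the API server's job.

```shell
#!/bin/sh
# Decode the payload of a Kubernetes service-account token and read its claims.

b64url_decode() {
  # JWT segments are base64url without padding; `base64 -d` wants standard
  # base64 with '=' padding restored, so convert before decoding.
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

jwt_payload() {
  # The claims live in the second dot-separated segment of the token.
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

jwt_claim() {
  # Extract one flat claim ($2) by name; sed, not a JSON parser, but the
  # top-level claims of a service-account token (sub, exp, iat) are flat.
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

jwt_expired_at() {
  # Exit status 0 when the token is expired at unix time $2 (default: now).
  now=${2:-$(date +%s)}
  [ "$now" -ge "$(jwt_claim "$1" exp)" ]
}

# Constructed sample token (hypothetical claims in the shape the API server
# issues for a bound token; "dummysignature" is a placeholder, never checked).
b64url_encode() { base64 | tr '+/' '-_' | tr -d '=\n'; }
HEADER=$(printf '%s' '{"alg":"RS256","kid":"example-kid"}' | b64url_encode)
PAYLOAD=$(printf '%s' '{"aud":["https://kubernetes.default.svc"],"exp":1700003600,"iat":1700000000,"iss":"https://kubernetes.default.svc","kubernetes.io":{"namespace":"default","serviceaccount":{"name":"security-account"}},"sub":"system:serviceaccount:default:security-account"}' | b64url_encode)
SAMPLE_TOKEN="$HEADER.$PAYLOAD.dummysignature"

# Usage: swap SAMPLE_TOKEN for "$(kubectl create token security-account)".
printf 'subject: %s\nexpires: %s\n' \
  "$(jwt_claim "$SAMPLE_TOKEN" sub)" "$(jwt_claim "$SAMPLE_TOKEN" exp)"
```

With a real token the `exp` minus `iat` shows the lifetime (`kubectl create token --duration` sets it), and the `kubernetes.io` claim shows which pod or service account it is bound to.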
