How does kubectl create token work?
Assuming I have service account myserviceaccount, I can request a service account token with kubectl token create
However, this token doesn't appear as a secret when I kubectl get sa (SECRET column is still 0, as before token creation) or when I kubectl get secrets
So where is the token stored after creation? Or it's something like JWT authentication mechanisms, where token is signed from the server but doesn't necessarily exist on the server anymore? How does it work?
Also, in help section of kubectl create token it is mentioned that we can bound created token to a Secret or a Pod with --bound-object-kind and --bound-object-name but I cannot see the effect of this flag. What does it do?
Comments
-
From Generating temporary identities for Service Accounts
Now that you know how tokens are mounted, you might wonder why Kubernetes decided to move on from creating tokens in Secrets.
There are a few reasons, but it boils down to:
- Tokens created with a Secret don't expire. Ever.
- When you created a Service Account, the Secret with the token was created asynchronously. This introduced a few race conditions when writing scripts that would create a Service Account and retrieve the token from the Secret.
But what if you need a token but don't need a pod?
Is there a way to obtain the token without mounting the projected volume?
Kubectl has a new command to do just that:
$ kubectl create token test eyJhbGciOiJSUzI1NiIsImtpZCI6ImctMHJNO…
That token is temporary, just like the one mounted by the kubelet.
You will see a different output if you execute the same command again.
Is the token just a long string?
0
Categories
- All Categories
- 177 LFX Mentorship
- 177 LFX Mentorship: Linux Kernel
- 750 Linux Foundation IT Professional Programs
- 373 Cloud Engineer IT Professional Program
- 169 Advanced Cloud Engineer IT Professional Program
- 74 DevOps IT Professional Program - Discontinued
- 4 DevOps & GitOps IT Professional Program
- 99 Cloud Native Developer IT Professional Program
- 7.6K Training Courses & Learning Paths
- 1 AI & ML Training
- 1 Blockchain & Decentralized Identity Training
- 5 Cloud & Containers Training
- 1 Cybersecurity Training
- 2 DevOps & Site-Reliability Training
- 1 Linux Kernel Development Training
- 1 Networking Training
- 2 Open Source Best Practice Training
- 1 System Administration Training
- 1 System Engineering Training
- 1 Web & Application Development Training
- 792 Hardware
- 202 Drivers
- 68 I/O Devices
- 37 Monitors
- 95 Multimedia
- 173 Networking
- 91 Printers & Scanners
- 87 Storage
- 769 Linux Distributions
- 81 Debian
- 68 Fedora
- 22 Linux Mint
- 13 Mageia
- 24 openSUSE
- 150 Red Hat Enterprise
- 31 Slackware
- 13 SUSE Enterprise
- 356 Ubuntu
- 465 Linux System Administration
- 31 Cloud Computing
- 73 Command Line/Scripting
- Github systems admin projects
- 98 Linux Security
- 78 Network Management
- 101 System Management
- 46 Web Management
- 106 Mobile Computing
- 18 Android
- 73 Development
- 1.2K New to Linux
- 1K Getting Started with Linux
- 392 Off Topic
- 121 Introductions
- 181 Small Talk
- 29 Study Material
- 955 Programming and Development
- 310 Kernel Development
- 627 Software Development
- 984 Software
- 376 Applications
- 182 Command Line
- 5 Compiling/Installing
- 68 Games
- 317 Installation
- Archived
- 2 LFD140 Class Forum
- 1.4K LFS258 Class Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)