Troubleshooting: Kubernetes ServiceAccount does not generate a token Secret
1. Symptom
Creating a ServiceAccount no longer generates a Secret automatically; the Secret has to be created by hand.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test
  namespace: default
EOF
$ kubectl get serviceaccounts test
NAME   SECRETS   AGE
test   0         9s
2. Troubleshooting approach
Create the Secret manually and bind it to the ServiceAccount through the kubernetes.io/service-account.name annotation.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: test
  annotations:
    kubernetes.io/service-account.name: "test"
EOF
Query the ServiceAccount and the Secret
$ kubectl describe serviceaccounts test
Name: test
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: <none>
Tokens: test
Events: <none>
$
$
$ kubectl describe secrets test
Name: test
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name: test
Type: kubernetes.io/service-account-token
Data
====
ca.crt: xxxx bytes
namespace: 7 bytes
token: <base64 string>
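As an added example (not code from the original post), two POSIX shell helpers for this manual workflow: one renders the kubernetes.io/service-account-token Secret manifest for a given ServiceAccount with the indentation the API server expects, the other checks kubectl describe output for a bound token. The function names, the "-token" name suffix and the embedded sample describe output are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the manual token-Secret
# workflow: render a correctly indented Secret manifest bound to a ServiceAccount,
# and check `kubectl describe serviceaccount` output for a bound token.
# Function names and the "-token" name suffix are this example's own choices.

# Print a kubernetes.io/service-account-token Secret manifest for SA "$1" in
# namespace "${2:-default}". The binding annotation must sit under metadata.
render_sa_token_secret() {
  sa_name=$1
  sa_ns=${2:-default}
  cat <<EOF
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: ${sa_name}-token
  namespace: ${sa_ns}
  annotations:
    kubernetes.io/service-account.name: "${sa_name}"
EOF
}

# Read `kubectl describe serviceaccount` output on stdin. Exit 0 when a token
# Secret is bound, 1 when the Tokens line is "<none>" or absent.
sa_has_token() {
  tokens=$(sed -n 's/^Tokens:[[:space:]]*//p' | head -n 1)
  [ -n "$tokens" ] && [ "$tokens" != "<none>" ]
}

# Constructed sample describe output: one bound, one unbound ServiceAccount.
SAMPLE_BOUND='Name:                test
Namespace:           default
Mountable secrets:   <none>
Tokens:              test
Events:              <none>'
SAMPLE_UNBOUND='Name:                test
Namespace:           default
Tokens:              <none>'

main() {
  # On a real cluster, pipe this into `kubectl apply -f -`; here it only prints.
  render_sa_token_secret test default
  printf '%s\n' "$SAMPLE_BOUND" | sa_has_token && echo "test: token bound"
  printf '%s\n' "$SAMPLE_UNBOUND" | sa_has_token || echo "test: no token bound"
}
main
```

A Secret of this type holds a long-lived, non-expiring token; where the client supports it, a short-lived token from the TokenRequest API (kubectl create token) is the safer choice.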
3. Resolution
- Since Kubernetes v1.24.0, creating a ServiceAccount no longer generates a Secret automatically; it must be created manually.
- If you still want the Secret to be generated automatically, configure kube-controller-manager with the feature gate LegacyServiceAccountTokenNoAutoGeneration=false.