
Will Hallam
ServiceNow Employee

Symptoms

When creating a Kubernetes service account, e.g., for use by Discovery, there is no secret to read: running "kubectl describe secret" to retrieve the bearer token returns no content.


Diagnosis

Kubernetes 1.22 and higher no longer creates a secret automatically for each service account; pods that run under a service account instead receive their token through an alternate "token" facility.

Solution

A token secret can still be created manually by annotating it with the service account name, using a manifest such as the following; the token controller then fills in its data.token field:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: servicenow-discovery
  namespace: default
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: servicenow-discovery-token
  namespace: default
  annotations:
    kubernetes.io/service-account.name: "servicenow-discovery"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: read-only
rules:
- apiGroups:
    - apps
    - extensions
    - "*"
    - ""
  # "*" with get/list/watch covers every resource type, Secrets included,
  # so the token can read all cluster secrets; narrow this list if that is
  # more than Discovery needs.
  resources: ["*"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: discovery-global
subjects:
- kind: ServiceAccount
  name: servicenow-discovery
  namespace: default
# The ServiceAccount subject above is sufficient for Discovery; this User
# subject only matters if a user of the same name also authenticates.
- kind: User
  name: servicenow-discovery
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: read-only
  apiGroup: rbac.authorization.k8s.io
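Once the manifest is applied, the token still has to be read out of the secret and checked. The script below is an added example, not part of the original article: it decodes the bearer token from a service-account-token Secret, reports which identity it carries, and (against a live cluster) waits for the token controller to populate the secret before confirming the identity is read-only. Names follow the manifest above; the sample Secret is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: decode the bearer token that
# the token controller places in a kubernetes.io/service-account-token Secret
# and check which identity it carries. Names follow the manifest above; the
# sample Secret below is constructed, not captured from a cluster.
set -eu

# JWT segments are unpadded base64url; restore padding and standard alphabet.
b64url_decode() {
  seg=$(tr '_-' '/+')
  pad=$(( (4 - ${#seg} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do seg="${seg}="; pad=$((pad - 1)); done
  printf '%s' "$seg" | base64 -d
}

# Secret JSON on stdin -> decoded bearer token (data.token is itself base64).
extract_token() {
  sed -n 's/.*"token": *"\([^"]*\)".*/\1/p' | base64 -d
}

# JWT on stdin -> value of one string claim from the payload, e.g. "sub".
token_claim() {
  cut -d. -f2 | b64url_decode | sed -n "s|.*\"$1\": *\"\([^\"]*\)\".*|\1|p"
}

# Against a live cluster: wait until the Secret is populated (it is filled in
# asynchronously, which is why "describe" right after "apply" can look empty),
# print the token, then confirm the identity only has read access.
fetch_live_token() {  # usage: fetch_live_token default servicenow-discovery-token servicenow-discovery
  until [ -n "$(kubectl -n "$1" get secret "$2" -o jsonpath='{.data.token}')" ]; do sleep 1; done
  kubectl -n "$1" get secret "$2" -o json | extract_token
  sa="system:serviceaccount:$1:$3"
  kubectl auth can-i list pods -A --as="$sa" || true     # expect: yes
  kubectl auth can-i create pods --as="$sa" || true      # expect: no
}

# Constructed sample: a JWT with the claims a legacy service-account token
# carries (signature is a placeholder), wrapped in a Secret as the API returns it.
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }
SAMPLE_JWT="$(printf '%s' '{"alg":"RS256","kid":"constructed"}' | b64url).$(printf '%s' \
  '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/service-account.name":"servicenow-discovery","sub":"system:serviceaccount:default:servicenow-discovery"}' \
  | b64url).c2ln"
SAMPLE_SECRET_JSON="{\"kind\":\"Secret\",\"data\":{\"token\":\"$(printf '%s' "$SAMPLE_JWT" | base64 | tr -d '\n')\"}}"

printf '%s' "$SAMPLE_SECRET_JSON" | extract_token | token_claim sub   # system:serviceaccount:default:servicenow-discovery
```

The `sub` claim printed from a real secret should name the service account the Secret was annotated with; a mismatch means the annotation points at the wrong account.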
Last update: 01-23-2023 10:47 AM