K
Q

Disable creation and use of API credentials

8/31/2016

I'm trying to spin up a new pod that doesn't automatically include a JWT for talking to the k8s cluster.

I've created a new Service Account and tried removing the built in secret, but it is automatically regenerated after each delete.

According to the secrets documentation, I should be able to disable the creation of tokens for service accounts.

The automatic creation and use of API credentials can be disabled or overridden if desired.

Where/how do I do that?

-- St. John Johnson
kubernetes

Similar Questions

Can we restart kubelet without affecting the running pods
Kubernetes API - gets Pods on specific nodes
How to get app Incremental deployment to kubernetes
Liveness probe failure output not in kubelet logs

1 Answer

8/31/2016

removing the --service-account-private-key-file argument from the controller manager will prevent auto-creation of tokens

removing the ServiceAccount admission plugin will prevent auto-mounting of tokens

however, many services are likely to depend on those tokens being present.

if you are concerned about access to the API, it is generally better to set an authorization mode other than AlwaysAllow, and use one of the modes that lets you specify policy around which users can perform which actions

-- Jordan Liggitt
Source: StackOverflow