How to avoid default secret being attached to ServiceAccount?

5/30/2017

I'm trying to create a service account with either no secrets or just the secret I specify, and the kubelet always seems to be attaching the default secret no matter what.

Service Account definition

apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount
metadata:
  name: test
secrets:
  - name: default-token-4pbsm

Submit

$ kubectl create -f service-account.yaml
serviceaccount "test" created

Get

$ kubectl get -o=yaml serviceaccount test
apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount
metadata:
  creationTimestamp: 2017-05-30T12:25:30Z
  name: test
  namespace: default
  resourceVersion: "31414"
  selfLink: /api/v1/namespaces/default/serviceaccounts/test
  uid: 122b0643-4533-11e7-81c6-42010a8a005b
secrets:
- name: default-token-4pbsm
- name: test-token-5g3wb

As you can see above, the test-token-5g3wb secret was automatically created & attached to the service account without me specifying it.

As far as I understand the automountServiceAccountToken only affects mounting of those secrets to a pod which was launched via that service account. (?)

Is there any way I can avoid that default secret being ever created and attached?

Versions

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.4", GitCommit:"d6f433224538d4f9ca2f7ae19b252e6fcb66a3ae", GitTreeState:"clean", BuildDate:"2017-05-19T20:41:24Z", GoVersion:"go1.8.1", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.4", GitCommit:"d6f433224538d4f9ca2f7ae19b252e6fcb66a3ae", GitTreeState:"clean", BuildDate:"2017-05-19T18:33:17Z", GoVersion:"go1.7.5", Compiler:"gc", Platform:"linux/amd64"}
-- Radek Simko
kubernetes

1 Answer

6/6/2017

Your understanding of automountServiceAccountToken is right: it is for pods that will be launched.

The automatic token addition is done by the Token controller. Even if you edit the config to delete the token, it will be added again.

You must pass a service account private key file to the token controller in the controller-manager by using the --service-account-private-key-file option. The private key will be used to sign generated service account tokens. Similarly, you must pass the corresponding public key to the kube-apiserver using the --service-account-key-file option. The public key will be used to verify the tokens during authentication.

The above is taken from the k8s docs. So try not passing those flags, but I'm not sure how to do that. And I'm not recommending doing that.

Also, you might find this doc helpful.

-- surajd
Source: StackOverflow
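As an added example (not part of the question or the answer above), the script below audits `kubectl get serviceaccounts,pods -o json` style output for the two things this thread is about: which token secrets the token controller attached to a ServiceAccount beyond the ones the manifest declared, and whether a pod that uses that ServiceAccount will actually get the token mounted. It goes a bit beyond the question by applying the documented precedence rule: a pod's `spec.automountServiceAccountToken`, when set, overrides the ServiceAccount's field, and when neither is set the token is mounted. The JSON sample is constructed inline; the `test` ServiceAccount mirrors the one in the question, the pods and the `default` ServiceAccount's secret name are invented.

```python
"""Audit ServiceAccount token secrets and effective automount for pods.

Input is a Kubernetes List object as returned by
`kubectl get serviceaccounts,pods -o json`. Nothing here talks to a cluster;
the SAMPLE below is a constructed stand-in for that output.
"""
import json

# Path where the service account admission plugin mounts the token volume.
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"

# Constructed sample. The "test" ServiceAccount matches the question; the
# pods and the default ServiceAccount's secret name are made up.
SAMPLE = json.loads(r'''
{
  "kind": "List",
  "items": [
    {"kind": "ServiceAccount", "metadata": {"name": "test", "namespace": "default"},
     "automountServiceAccountToken": false,
     "secrets": [{"name": "default-token-4pbsm"}, {"name": "test-token-5g3wb"}]},
    {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "default"},
     "secrets": [{"name": "default-token-abcde"}]},
    {"kind": "Pod", "metadata": {"name": "quiet", "namespace": "default"},
     "spec": {"serviceAccountName": "test", "containers": [{"name": "c"}]}},
    {"kind": "Pod", "metadata": {"name": "loud", "namespace": "default"},
     "spec": {"serviceAccountName": "test", "automountServiceAccountToken": true,
              "containers": [{"name": "c", "volumeMounts": [
                 {"name": "test-token-5g3wb",
                  "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"}]}]}},
    {"kind": "Pod", "metadata": {"name": "plain", "namespace": "default"},
     "spec": {"containers": [{"name": "c", "volumeMounts": [
                 {"name": "default-token-abcde",
                  "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"}]}]}}
  ]
}
''')


def by_kind(doc, kind):
    """Index the items of a List object by name for one kind."""
    return {i["metadata"]["name"]: i for i in doc["items"] if i["kind"] == kind}


def undeclared_secrets(sa, declared):
    """Secrets on the live ServiceAccount that the manifest did not declare.

    Anything listed here was attached by the token controller, not by you.
    """
    declared = set(declared)
    return [s["name"] for s in sa.get("secrets", []) if s["name"] not in declared]


def effective_automount(pod, sa):
    """Apply the precedence rule: pod field, then SA field, then default True."""
    pod_flag = pod["spec"].get("automountServiceAccountToken")
    if pod_flag is not None:
        return pod_flag
    sa_flag = sa.get("automountServiceAccountToken")
    if sa_flag is not None:
        return sa_flag
    return True


def token_mounted(pod):
    """True if any container in the live pod spec mounts the token path."""
    return any(m.get("mountPath") == TOKEN_PATH
               for c in pod["spec"].get("containers", [])
               for m in c.get("volumeMounts", []))


def audit(doc, declared_secrets):
    """Return {'undeclared': {sa: [secret,...]}, 'pods': {pod: {...}}}.

    declared_secrets maps ServiceAccount name -> secrets your manifest listed.
    """
    sas = by_kind(doc, "ServiceAccount")
    report = {"undeclared": {}, "pods": {}}
    for name, sa in sas.items():
        extra = undeclared_secrets(sa, declared_secrets.get(name, []))
        if extra:
            report["undeclared"][name] = extra
    for name, pod in by_kind(doc, "Pod").items():
        # A pod without serviceAccountName runs as the namespace's "default" SA.
        sa_name = pod["spec"].get("serviceAccountName", "default")
        sa = sas.get(sa_name, {})
        report["pods"][name] = {
            "serviceAccount": sa_name,
            "automount": effective_automount(pod, sa),
            "tokenMounted": token_mounted(pod),
        }
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, {"test": ["default-token-4pbsm"]}), indent=2))
```

Against real output, pipe `kubectl get serviceaccounts,pods -o json` into `json.load` in place of `SAMPLE`. The `automount` field is what the precedence rule predicts; `tokenMounted` is what the admission plugin actually put into the pod spec, so the two disagreeing for a pod is worth a look (for instance a pod created before the ServiceAccount's flag was changed).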