No API token found for service account "default"

3/15/2018

Not Able To Create Pod in Kubernetes Version: v1.10.0-beta.3

When I create a pod on the master node, I face the following error:

kubectl create -f ./nginx-rc.yaml

ERROR:
No API token found for service account \"default\", retry after the token is automatically created and added to the service account\
  1. Executed command: openssl genrsa -out /tmp/serviceaccount.ket 2048

  2. Modified the /etc/kubernetes/apiserver file to add the following:

    KUBE_API_ARGS="--service_account_key_file=/tmp/serviceaccount.key"
  3. Modified the /etc/kubernetes/controller-manager file and added the following:

    KUBE_CONTROLLER_MANAGER_ARGS="--service_account_private_key_file=/tmp/serviceaccount.key"

  4. Restarted Kubernetes, but I still face the same error:

    No API token found for service account \"default\", retry after the token is automatically created and added to the service account\

Another way: remove SecurityContextDeny,ServiceAccount on apiservice. Before:

KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"

after:

KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,LimitRanger,ResourceQuota"

Still an error:

No API token found for service account \"default\", retry after the token is automatically created and added to the service account\

How can I solve it?

-- wwd
kubernetes
kubernetes-security

1 Answer

3/24/2018

I faced the same issue and followed these steps.

  1. Check the last section of the following page and match --admission-control according to your Kubernetes version: https://kubernetes.io/docs/admin/admission-controllers/
  2. The Kube-Api server must have "--service-account-key-file" and it should point to the public key used by the API server for authentication
  3. The Kube-Controller must have "--service-account-private-key-file" and it should point to the private key used by the API server for authentication
  4. Make sure the API Server is started first and then the Controller service, and make sure the Controller service is not throwing any error on startup.

Verify the following things as well:

  1. kubectl get serviceaccounts --> Output must show the default account with one secret.

  2. kubectl get secrets --> Output must have the default token for the service account.

  3. kubectl describe secrets/default-token-qxxw6 --> It must show ca.crt and token under the Data section.

If nothing works, then stop all of your cluster's services on the Master and Nodes. Then clean the ETCD DB, load your network configs to ETCD and start the cluster as a fresh cluster.

-- xs2rashid
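
A way to check points 2 and 3 of the answer above before restarting anything, added here as an example (it is not part of the original answer or of Kubernetes): the script reads the two flags from the sysconfig-style files named in the question and uses openssl to confirm that both point at existing key files holding the same key pair. The function names and exit codes are assumptions of this example, and it accepts both the dash and the underscore flag spellings that appear on this page.

```shell
#!/bin/sh
# Added example: do the service-account key flags in the two config files
# point at existing key files that belong to the same key pair?

# flag_value <config-file> <flag-name>: print the flag's value, accepting the
# dash and the underscore spelling; commented-out lines are ignored.
flag_value() {
    pattern=$(printf '%s' "$2" | sed 's/-/[-_]/g')
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -oE -e "--${pattern}=[^\" ]+" | head -n 1 | cut -d= -f2-
}

# public_key_of <file>: print the PEM public key of a private or public key file.
public_key_of() {
    openssl pkey -in "$1" -pubout 2>/dev/null ||
        openssl pkey -pubin -in "$1" -pubout 2>/dev/null
}

# check_sa_keys <apiserver-config> <controller-manager-config>
# Exit codes (chosen for this example): 0 ok, 2 flag missing, 3 file missing,
# 4 not a usable key, 5 the two files hold different keys.
check_sa_keys() {
    api_key=$(flag_value "$1" service-account-key-file)
    cm_key=$(flag_value "$2" service-account-private-key-file)
    [ -n "$api_key" ] || { echo "apiserver: service-account-key-file not set"; return 2; }
    [ -n "$cm_key" ] || { echo "controller-manager: service-account-private-key-file not set"; return 2; }
    for f in "$api_key" "$cm_key"; do
        [ -r "$f" ] || { echo "key file missing or unreadable: $f"; return 3; }
    done
    # The controller-manager signs tokens, so its file must hold a private key.
    openssl pkey -in "$cm_key" -noout 2>/dev/null ||
        { echo "not a private key: $cm_key"; return 4; }
    api_pub=$(public_key_of "$api_key") || { echo "not a key: $api_key"; return 4; }
    cm_pub=$(public_key_of "$cm_key")
    [ "$api_pub" = "$cm_pub" ] || { echo "keys differ: $api_key vs $cm_key"; return 5; }
    echo "service account keys match"
}

# Run against the paths given on the command line, e.g. the two files from the question.
if [ "$#" -eq 2 ]; then
    check_sa_keys "$1" "$2"
fi
```

Run it as root on the master with the two config file paths as arguments; a non-zero exit code names the first check that failed.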
Source: StackOverflow