Fail to connect to kubectl from client-go - /serviceaccount/token: no such file

6/10/2018

I am using golang lib client-go to connect to a running local Kubernetes. To start with, I took code from the example: out-of-cluster-client-configuration.

Running the code like this: $ KUBERNETES_SERVICE_HOST=localhost KUBERNETES_SERVICE_PORT=6443 go run ./main.go results in the following error:

panic: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory

goroutine 1 [running]:

/var/run/secrets/kubernetes.io/serviceaccount/

I am not quite sure which part of the configuration I am missing. I've researched the following links:

But with no luck. I guess I need to either let the client-go know which token/serviceAccount to use, or configure kubectl in a way that everyone can connect to its api.

Here's the status of my kubectl through some command results:

$ kubectl config view

apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://localhost:6443
  name: docker-for-desktop-cluster
contexts:
- context:
    cluster: docker-for-desktop-cluster
    user: docker-for-desktop
  name: docker-for-desktop
current-context: docker-for-desktop
kind: Config
preferences: {}
users:
- name: docker-for-desktop
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

$ kubectl get serviceAccounts

NAME        SECRETS   AGE
default     1         3d
test-user   1         1d

$ kubectl describe serviceaccount test-user

Name:                test-user
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   test-user-token-hxcsk
Tokens:              test-user-token-hxcsk
Events:              <none>

$ kubectl get secret test-user-token-hxcsk -o yaml

apiVersion: v1
data:
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0......=
  namespace: ZGVmYXVsdA==
  token: ZXlKaGJHY2lPaUpTVXpJMU5pSX......=
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: test-user
    kubernetes.io/service-account.uid: 984b359a-6bd3-11e8-8600-XXXXXXX
  creationTimestamp: 2018-06-09T10:55:17Z
  name: test-user-token-hxcsk
  namespace: default
  resourceVersion: "110618"
  selfLink: /api/v1/namespaces/default/secrets/test-user-token-hxcsk
  uid: 98550de5-6bd3-11e8-8600-XXXXXX
type: kubernetes.io/service-account-token
-- shershen

1 Answer

9/25/2018

Just to make it clear, in case it helps you further debug it: the problem has nothing to do with Go or your code, and everything to do with the Kubernetes node not being able to get a token from the Kubernetes master.

In kubectl config view, clusters.cluster.server should probably point at an IP address that the node can reach.
It needs to access the CA, i.e., the master, in order to provide that token, and I'm guessing it fails to for that reason.
kubectl describe pod <your_pod_name> would probably tell you what the problem was in acquiring the token.

Since you assumed the problem was Go/your code and focused on that, you neglected to provide more information about your Kubernetes setup, which makes it more difficult for me to give you a better answer than my guess above ;-)

But I hope it helps!

-- samhain1138
Source: StackOverflow
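
An added example, not part of the original question or answer and not client-go code: a standard-library Go pre-flight check for the failure shown in the question, where KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT are set but the token file from the panic message is absent. The helper name `credentialSource`, the `KUBECONFIG` lookup in `main`, and the rule that an explicit kubeconfig path is tried first are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// saDir is the directory named in the panic message on this page.
const saDir = "/var/run/secrets/kubernetes.io/serviceaccount"

var errNoSource = errors.New("no kubeconfig path given and KUBERNETES_SERVICE_HOST/PORT not both set")

// credentialSource (hypothetical helper, not a client-go function) reports
// which credentials a client could load: an explicit kubeconfig file, or the
// service-account files that only exist inside a pod.
func credentialSource(getenv func(string) string, dir, kubeconfig string) (string, error) {
	if kubeconfig != "" { // assumption: an explicit kubeconfig path wins
		if _, err := os.Stat(kubeconfig); err != nil {
			return "", fmt.Errorf("kubeconfig: %w", err)
		}
		return "kubeconfig", nil
	}
	host, port := getenv("KUBERNETES_SERVICE_HOST"), getenv("KUBERNETES_SERVICE_PORT")
	if host == "" || port == "" {
		return "", errNoSource
	}
	// The env vars alone are not enough: both mounted files must be present.
	for _, name := range []string{"token", "ca.crt"} {
		if _, err := os.Stat(filepath.Join(dir, name)); err != nil {
			return "", fmt.Errorf("in-cluster env points at %s:%s but %w", host, port, err)
		}
	}
	return "in-cluster", nil
}

func main() {
	// Assumes KUBECONFIG, if set, holds a single file path.
	src, err := credentialSource(os.Getenv, saDir, os.Getenv("KUBECONFIG"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "preflight:", err)
		os.Exit(1)
	}
	fmt.Println("credential source:", src)
}
```

Run with the same environment as the failing command, it exits non-zero and names the missing file before any API call is attempted.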