New service account tokens are not signed

11/1/2019

When I create a new service account token in Kubernetes, it is not signed. I am using the command:

    kubectl create -f default-token-create.yaml

The YAML is the following:

    apiVersion: v1
    kind: Secret
    metadata:
      name: default-token-abcd
      namespace: staging
      annotations:
        kubernetes.io/service-account.name: default
        kubernetes.io/service-account.namespace: staging
    type: kubernetes.io/service-account-token

I also verified that the CA cert for Kubernetes is associated with the api-server. This was previously working and now is not.

What am I missing?

I have tried creating a new service account and having Kubernetes create the token as well as using the above script to manually create one. Neither works.

This is the create-token YAML:

    apiVersion: v1
    kind: Secret
    metadata:
      name: default-token-abcd
      namespace: staging
      annotations:
        kubernetes.io/service-account.name: default
        kubernetes.io/service-account.namespace: staging
    type: kubernetes.io/service-account-token

Expected results: A token created that is a proper JWT with the JWT header as well as the correct signature.

-- Bre Gielissen
google-kubernetes-engine
kubernetes

1 Answer

11/1/2019

To use the .yaml file you provided, a ServiceAccount with the name default should exist.

I suggest that you create a ServiceAccount via kubectl or a YAML file; a token should be generated automatically. It will be placed in a Secret resource, which you can later fetch via kubectl.

-- Danil Beltyukov
Source: StackOverflow
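
A structural check for the result the question expects (a JWT with a header and a signature), written as an added example and not code from the original post or from Kubernetes. It assumes the token carries the `sub` claim `system:serviceaccount:<namespace>:<name>`, runs on a constructed sample Secret, and does not verify the signature cryptographically, which would need the cluster's service-account public key.

```python
import base64
import json


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_from_secret(secret):
    """Extract the token from `kubectl get secret <name> -n <ns> -o json`
    output; values under .data are base64-encoded."""
    return base64.b64decode(secret["data"]["token"]).decode()


def inspect_sa_token(token, namespace, sa_name):
    """Return a list of problems; an empty list means the token is
    structurally a signed JWT for the expected service account."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return ["expected 3 dot-separated segments, found %d" % len(parts)]
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        return ["segment does not decode: %s" % exc]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header and payload must be JSON objects"]
    problems = []
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("header has no signing algorithm")
    if not signature:
        problems.append("signature segment is empty")
    expected_sub = "system:serviceaccount:%s:%s" % (namespace, sa_name)
    if claims.get("sub") != expected_sub:
        problems.append("sub is %r, expected %r" % (claims.get("sub"), expected_sub))
    return problems


def sample_secret(signed):
    """Constructed sample Secret; the signature bytes are placeholders."""
    header = {"alg": "RS256" if signed else "none", "typ": "JWT"}
    claims = {"sub": "system:serviceaccount:staging:default"}
    segs = [json.dumps(header).encode(), json.dumps(claims).encode(),
            b"\x01" * 256 if signed else b""]
    jwt = ".".join(base64.urlsafe_b64encode(s).rstrip(b"=").decode() for s in segs)
    return {"data": {"token": base64.b64encode(jwt.encode()).decode()}}
```
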