K
Q

New service account tokens are not signed

11/1/2019

When I create a new service account token in Kubernetes, it is not signed. I am using the command

kubectl create -f default-token-create.yaml

The yaml is the following

    apiVersion: v1
    kind: Secret
    metadata:
     name: default-token-abcd  
     namespace: staging
     annotations:
       kubernetes.io/service-account.name: default
       kubernetes.io/service-account.namespace: staging
    type: kubernetes.io/service-account-token

I also verified that the ca cert for kubernetes is associated with the api-server. This was previously working and now is not.

What am I missing?

I have tried creating a new service account and having kubernetes create the token as well as using the above script to manually create one. Neither works.

This is the create-token yaml:

    apiVersion: v1
    kind: Secret
    metadata:
     name: default-token-abcd  
     namespace: staging
     annotations:
       kubernetes.io/service-account.name: default
       kubernetes.io/service-account.namespace: staging
    type: kubernetes.io/service-account-token

Expected results: A token created that is a proper jwt with the jwt header as well as the correct signature.

-- Bre Gielissen
google-kubernetes-engine
kubernetes

Similar Questions

How to run Snakemake workflows on premise Kubernetes or OpenShift clusters?
How to manage the nginx-ingress after installation?
Laravel Application Response Time Slow on Kubernetes (EKS) vs. Baremetal
Is there any risk for co pods if we allow root user privilage for process in one pod?
How do I start my jar application from a flink docker image inside Kubernetes?

1 Answer

11/1/2019

To use the .yaml file you provided a ServiceAccount with name default should exist.

I suggest that you create a ServiceAccount via kubectl or yaml file, a token should be generated automatically. It will be placed in Secret resource, which you can later fetch via kubectl.

-- Danil Beltyukov
Source: StackOverflow