Difference between Kubernetes Service Account Tokens from secret and projected volume

4/17/2020

When I do kubectl get secret my-sa-token-lr928 -o yaml, there is a base64 string (JWT A) value for data.token. There are other fields too, like data.ca.crt, in this returned secret.

When I use a projected volume with source serviceAccountToken and read the file, there is another, not-base64 string (JWT B).

cat /var/run/secrets/some.directory/serviceaccount/token

Why are the JWT A and JWT B strings different? The most notable difference is in `iss`: in JWT B, `iss` is my issuer URL (--service-account-issuer), while in JWT A, `iss` is `kubernetes/serviceaccount`. Aren't they both JWT service account tokens? If not, then what Kubernetes API object do they actually represent?

Following is my Kubernetes Pod spec (edited for brevity):

apiVersion: v1
kind: Pod
metadata:
  annotations:
  labels:
    app: sample-app
  name: sample-pod-gwrcf
spec:
  containers:
  - image: someImage
    name: sample-app-container
    resources: {}
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: my-sa-token-lr928
      readOnly: true
    - mountPath: /var/run/secrets/some.directory/serviceaccount
      name: good-token
      readOnly: true
  serviceAccount: my-sa
  serviceAccountName: my-sa
  terminationGracePeriodSeconds: 30
  volumes:
  - name: good-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: my.audience.com
          expirationSeconds: 86400
          path: token
  - name: my-sa-token-lr928
    secret:
      defaultMode: 420
      secretName: my-sa-token-lr928
-- Prashant Singh Rathore
Tags: docker, jwt, kubernetes, kubernetes-secrets, oauth-2.0

1 Answer

4/17/2020

Aren't they both JWT service account tokens?

Yes, they are both JWT tokens.

The one you mentioned as JWT A in my-sa-token-lr928 is base64 encoded, as is all data in every Kubernetes secret.

When k8s mounts secret data into a pod, this data is decoded and stored, e.g. as a token file in this case.

JWT B, a token using Service Account Token Volume Projection, is issued by kubelet and allows you more flexibility, for example setting an expiration time, in contrast to Regular Service Account Tokens, which once issued stay the same (unless recreated) and do not expire.

If you exec into your pod and look up the content of these tokens, what you will see are actual JWT tokens. You can decode the data from these tokens using any JWT decoder, e.g. jwt.io.

Why JWT A and JWT B strings are different?

Because they contain different data.

-- HelloWorld
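As an added example (not code from the question or the answer), the script below accepts either a Secret's base64 data.token value (JWT A) or the raw token read from a projected volume file (JWT B), decodes the JWT payload, and reports the claims that separate a legacy non-expiring secret token from an audience-bound, expiring projected token. The two sample tokens, their issuer URL, timestamps and placeholder signature are constructed for this example.

```python
import base64
import json
# Constructed sample claims (not real tokens). Claim names follow the shape of
# the two token kinds discussed above; the values are made up for this example.
LEGACY_CLAIMS = {  # JWT A: stored base64-encoded under the Secret's data.token
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:default:my-sa",
    "kubernetes.io/serviceaccount/secret.name": "my-sa-token-lr928",
}
PROJECTED_CLAIMS = {  # JWT B: written as a raw JWT into the projected volume file
    "iss": "https://issuer.example.invalid",  # the --service-account-issuer URL
    "sub": "system:serviceaccount:default:my-sa",
    "aud": ["my.audience.com"],
    "exp": 1587081600 + 86400,  # expirationSeconds: 86400 from the pod spec
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_jwt(claims: dict) -> str:
    """header.payload.signature with a placeholder signature (sample data only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-sig"

def as_secret_value(token: str) -> str:
    """How a JWT appears under data.token in `kubectl get secret -o yaml`."""
    return base64.b64encode(token.encode()).decode()

def to_raw_jwt(value: str) -> str:
    """Accept either a Secret's base64 value or a projected-file JWT."""
    if value.count(".") == 2:          # the base64 alphabet has no '.', so only
        return value                   # an already-decoded JWT has two dots
    return base64.b64decode(value).decode()

def jwt_payload(token: str) -> dict:
    """Decode the middle JWT segment, restoring the base64url padding it omits."""
    segment = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def describe(value: str, now: int) -> dict:
    """Classify the token and surface the claims that make JWT A and JWT B differ."""
    claims = jwt_payload(to_raw_jwt(value))
    bound = "exp" in claims and "aud" in claims
    return {
        "kind": "projected (audience-bound, expiring)" if bound else "legacy secret (no expiry)",
        "iss": claims["iss"],
        "aud": claims.get("aud"),
        "expires_in_s": claims["exp"] - now if "exp" in claims else None,
    }
```

A legacy secret token reported with `expires_in_s` of None stays valid until the Secret is deleted, which is the property the answer contrasts with projected tokens.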
Source: StackOverflow