Before Kubernetes 1.24, creating a KSA (Kubernetes Service Account) also created a non-expiring secret, for which the token controller generated a token that could be used to authenticate to the API server.
As a quick example of the legacy behavior on Kubernetes < 1.24, notice how creating a service account named 'legacy-behavior' also results in a secret, 'legacy-behavior-token-xxxx', that contains a 'data.token'.
```
$ kubectl create sa legacy-behavior
serviceaccount/legacy-behavior created

# notice a secret was automatically created
$ kubectl get secret
NAME                          TYPE                                  DATA   AGE
...
legacy-behavior-token-rn99x   kubernetes.io/service-account-token   3      6s

# token can be pulled from secret
$ kubectl get secret legacy-behavior-token-rn99x -o jsonpath='{.data.token}' | base64 -d
```
However, in Kubernetes 1.24, the secret is no longer generated automatically. Now you must create the secret and use an annotation to associate it with the service account.
```
$ kubectl create sa k124-behavior
serviceaccount/k124-behavior created

# verify that no secret was created (expected)
$ kubectl get secrets | grep k124

# create secret manually, associate to service account with annotation
$ kubectl create -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: k124-secret-with-token
  annotations:
    kubernetes.io/service-account.name: k124-behavior
type: kubernetes.io/service-account-token
EOF
secret/k124-secret-with-token created

# token can be pulled from secret
$ kubectl get secret k124-secret-with-token -o jsonpath='{.data.token}' | base64 -d
```
This additional step is not burdensome, but you must be aware of the change as you upgrade to Kubernetes 1.24.
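Because a token stored in a secret this way does not expire, it is worth keeping an inventory of them. The following is an added example, not code from the original post: it scans `kubectl get secrets -o json` output for service-account-token secrets and checks the decoded JWT for a missing `exp` claim. The sample data and the unsigned token are constructed, and `pending-secret` and `app-config` are hypothetical names.

```python
import base64
import json
SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"

def jwt_claims(token):
    """Decode a JWT payload for inspection; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_token_secrets(secret_list):
    """One finding per service-account-token Secret in `kubectl get secrets -o json` output."""
    findings = []
    for item in secret_list.get("items", []):
        if item.get("type") != SA_TOKEN_TYPE:
            continue
        meta = item["metadata"]
        encoded = (item.get("data") or {}).get("token")  # .data values are base64
        claims = jwt_claims(base64.b64decode(encoded).decode()) if encoded else {}
        findings.append({
            "secret": meta["name"],
            "service_account": meta.get("annotations", {}).get(SA_NAME_ANNOTATION),
            "populated": encoded is not None,
            "non_expiring": encoded is not None and "exp" not in claims,
        })
    return findings

def constructed_token(claims):
    """Build a fake, unsigned JWT (base64-wrapped like .data.token) so this runs offline."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    jwt = f"{seg({'alg': 'RS256'})}.{seg(claims)}.c2ln"
    return base64.b64encode(jwt.encode()).decode()

# Constructed sample shaped like `kubectl get secrets -o json`; not real cluster data.
ANN = {SA_NAME_ANNOTATION: "k124-behavior"}
SAMPLE = {"items": [
    {"type": SA_TOKEN_TYPE,
     "metadata": {"name": "k124-secret-with-token", "annotations": ANN},
     "data": {"token": constructed_token(
         {"iss": "kubernetes/serviceaccount",
          "sub": "system:serviceaccount:default:k124-behavior"})}},
    {"type": SA_TOKEN_TYPE,  # created, but token data not filled in yet
     "metadata": {"name": "pending-secret", "annotations": ANN}},
    {"type": "Opaque", "metadata": {"name": "app-config"}, "data": {}},
]}

if __name__ == "__main__":
    print(*audit_token_secrets(SAMPLE), sep="\n")
```

Against a real cluster, pass the parsed output of `kubectl get secrets -A -o json` to `audit_token_secrets` in place of `SAMPLE`.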