Kubernetes: KSA must now create secret/token manually as of Kubernetes 1.24

Before Kubernetes 1.24, creating a KSA (Kubernetes Service Account) also created a non-expiring secret, in which the token controller placed a token that could be used to authenticate to the API server.

As a quick example of the legacy behavior on Kubernetes < 1.24, notice how creating a service account named 'legacy-behavior' also results in a secret 'legacy-behavior-token-xxxx' being created that contains a 'data.token' field.

$ kubectl create sa legacy-behavior
serviceaccount/legacy-behavior created

# notice a secret was automatically created
$ kubectl get secret
NAME                          TYPE                                  DATA   AGE
...
legacy-behavior-token-rn99x   kubernetes.io/service-account-token   3      6s

# token can be pulled from secret
$ kubectl get secret legacy-behavior-token-rn99x -o jsonpath='{.data.token}' | base64 -d

However, as of Kubernetes 1.24, the secret is no longer generated automatically. You must now create the secret yourself and use an annotation to associate it with the service account.

$ kubectl create sa k124-behavior
serviceaccount/k124-behavior created

# verify that no secret was created (expected)
$ kubectl get secrets | grep k124

# create secret manually, associate to service account with annotation
$ kubectl create -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: k124-secret-with-token
  annotations:
    kubernetes.io/service-account.name: k124-behavior
type: kubernetes.io/service-account-token
EOF
secret/k124-secret-with-token created

# token can be pulled from secret
$ kubectl get secret k124-secret-with-token -o jsonpath='{.data.token}' | base64 -d

This additional step is not burdensome, but you must be aware of the change as you upgrade to Kubernetes 1.24.
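The 1.24 procedure above wrapped in POSIX shell helpers, added here as an example and not code from the original post; the function names are ours, and the cluster-facing helper assumes a working kubectl context. It also decodes the token's 'sub' claim so you can confirm which account a secret's token was issued for before handing it to a workload.

```shell
# Added example (not from the original post). Helper names are ours;
# the kubectl commands and Secret fields are the standard ones.

# Render the Secret manifest that asks the token controller to populate a
# legacy (non-expiring) token for service account $2 in namespace $1.
sa_token_secret_manifest() {
  ns=$1; sa=$2
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${sa}-token
  namespace: ${ns}
  annotations:
    kubernetes.io/service-account.name: ${sa}
type: kubernetes.io/service-account-token
EOF
}

# Base64url-decode one JWT segment (restores '=' padding first).
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="${s}==" ;; 3) s="${s}=" ;; esac
  printf '%s' "$s" | base64 -d
}

# Print the "sub" claim of a service-account JWT, e.g.
# system:serviceaccount:default:k124-behavior, so the token can be
# checked against the account it should belong to.
token_subject() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# The token controller fills data.token asynchronously, so a read right
# after 'kubectl create' can come back empty; poll until it is populated.
wait_for_sa_token() {
  ns=$1; secret=$2; i=0
  while [ "$i" -lt 30 ]; do
    tok=$(kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.token}' 2>/dev/null | base64 -d)
    [ -n "$tok" ] && { printf '%s\n' "$tok"; return 0; }
    i=$((i + 1)); sleep 1
  done
  return 1
}
```

Typical use: sa_token_secret_manifest default k124-behavior | kubectl create -f -, then wait_for_sa_token default k124-behavior-token, then token_subject on the result.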
