Unable to get ServiceAccount token in OpenShift 4
Environment
- Red Hat OpenShift Container Platform (RHOCP) 4.x
- Red Hat OpenShift Service on AWS (ROSA) 4.x
- Red Hat OpenShift Dedicated (OSD) 4.x
- Azure Red Hat OpenShift (ARO) 4.x
Issue
- Not able to download the ServiceAccount kubeconfig file by clicking on Download kubeconfig file via the OpenShift Web Console. When this procedure is executed, the warning message "Unable to get ServiceAccount token" is displayed.
Resolution
Starting with OpenShift 4.11, the way tokens for a ServiceAccount are created has changed, as explained in How to create kubeconfig for a certain serviceaccount in OpenShift 4.11?, and in OpenShift 4.13 the Download kubeconfig file option described below was removed by OCPBUGS-7308.
Download the kubeconfig file in older OpenShift releases
If a ServiceAccount token secret is needed, the TokenRequest API can be used to request bound service account tokens, or a ServiceAccount token secret can be created. After creating a new ServiceAccount token secret, edit the ServiceAccount and append it to the list of mountable secrets. That way, the Download kubeconfig file option works again. Example:
kind: ServiceAccount
apiVersion: v1
metadata:
  name: sa-sample
  namespace: sample
secrets:
  - name: secret-sa-sample
  - name: sa-sample-dockercfg-bw2bq
imagePullSecrets:
  - name: sa-sample-dockercfg-bw2bq
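As an added example (not part of this solution or of any Red Hat tooling), the following POSIX shell helpers render the ServiceAccount token secret manifest described above and a kubeconfig equivalent to what the removed Download kubeconfig file action produced. The names sa-sample and sample come from the article; the secret name sa-sample-token and the API server URL are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Red Hat article. SA "sa-sample" in namespace "sample"
# come from the article; "sa-sample-token" and the server URL are constructed values.
set -eu
# Long-lived token secret; after apply, the token controller fills data.token and data.ca.crt for the annotated SA.
render_token_secret() {
  sa="$1"; ns="$2"; secret="$3"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${secret}
  namespace: ${ns}
  annotations:
    kubernetes.io/service-account.name: ${sa}
type: kubernetes.io/service-account-token
EOF
}
# kubeconfig with the same shape as the old console download: one cluster, one user, one context.
render_kubeconfig() {
  sa="$1"; ns="$2"; server="$3"; ca_b64="$4"; token="$5"
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${ns}-cluster
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
users:
- name: ${sa}
  user:
    token: ${token}
contexts:
- name: ${sa}-${ns}
  context:
    cluster: ${ns}-cluster
    namespace: ${ns}
    user: ${sa}
current-context: ${sa}-${ns}
EOF
}

# Live flow against a cluster (requires oc and rights on the namespace); the default strategic merge patch appends to .secrets by name:
# render_token_secret sa-sample sample sa-sample-token | oc apply -f -
# oc patch sa sa-sample -n sample -p '{"secrets":[{"name":"sa-sample-token"}]}'
# TOKEN=$(oc get secret sa-sample-token -n sample -o jsonpath='{.data.token}' | base64 -d)
# CA=$(oc get secret sa-sample-token -n sample -o jsonpath='{.data.ca\.crt}')
# render_kubeconfig sa-sample sample "$(oc whoami --show-server)" "$CA" "$TOKEN" > sa-sample.kubeconfig
```

The resulting file grants whatever the ServiceAccount's RBAC allows, so store it with the same care as any other long-lived credential.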
Root Cause
- The message is related to a change introduced in OCP 4.11, "LegacyServiceAccountTokenNoAutoGeneration is on by default":
  To align with upstream Kubernetes having moved the LegacyServiceAccountTokenNoAutoGeneration feature gate to beta and enabling it by default, OpenShift Container Platform now also follows this security feature and releases with the feature enabled. As a result, when creating new service accounts (SA), a service account token secret is no longer automatically generated. Previously, OpenShift Container Platform automatically added a service account token to a secret for each new SA.
  Service Account token secrets still appear as auto-generated in OpenShift Container Platform 4.11. However, instead of two secrets per Service Account, there will now be only one, which will be further reduced to zero in a future release. These tokens do not work. For now, dockercfg secrets are still being generated as secrets and no secrets will be deleted during upgrades. After updating to 4.11, existing service account token secrets are not deleted and continue to function as expected.
- Creating a new ServiceAccount on OCP 4.11 does not automatically create a token, so only the secret/dockercfg is added to the list of mountable secrets.
Diagnostic Steps
- Access the OpenShift Web Console and create a new Project via Home > Projects > Create Project.
- Go to User Management > ServiceAccounts and create a new ServiceAccount by clicking Create ServiceAccount.
- Click on the newly created ServiceAccount, and then on Actions > Download kubeconfig file.