Unable to get ServiceAccount token in OpenShift 4


Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4.x
  • Red Hat OpenShift Service on AWS (ROSA)
    • 4.x
  • Red Hat OpenShift Dedicated (OSD)
    • 4.x
  • Azure Red Hat OpenShift (ARO)
    • 4.x

Issue

  • The ServiceAccount kubeconfig file cannot be downloaded by clicking Download kubeconfig file in the OpenShift Web Console. When this is attempted, the warning message "Unable to get ServiceAccount token" is displayed.

Resolution

Starting with OpenShift 4.11, the way ServiceAccount tokens are created has changed, as explained in How to create kubeconfig for a certain serviceaccount in OpenShift 4.11?, and in OpenShift 4.13 the Download kubeconfig file option described below was removed by OCPBUGS-7308.

Download the kubeconfig file in older OpenShift releases

If a ServiceAccount token secret is needed, the TokenRequest API can be used to request bound service account tokens or create a ServiceAccount token secret.

After creating a new ServiceAccount token secret, edit the ServiceAccount and append the secret to its list of mountable secrets. Once the token secret is listed there, the Download kubeconfig file option works again. Example:

    kind: ServiceAccount
    apiVersion: v1
    metadata:
      name: sa-sample
      namespace: sample
    secrets:
      - name: secret-sa-sample
      - name: sa-sample-dockercfg-bw2bq
    imagePullSecrets:
      - name: sa-sample-dockercfg-bw2bq
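The procedure above carried through with the oc CLI, as an added example that is not part of the Red Hat article: a kubernetes.io/service-account-token Secret is created for the SA, appended to the SA's mountable secrets, and a kubeconfig is built from the token the controller fills in. The names sa-sample, sample and secret-sa-sample are the article's; the cluster commands only run when RUN_AGAINST_CLUSTER=1 is set (an assumed guard so the helpers can be exercised offline).

```shell
#!/usr/bin/env bash
# Added example, not from the article. Builds the objects the article
# describes for OCP 4.11+ where no token secret is auto-generated.
set -eu

# Token Secret manifest. The service-account.name annotation is what makes
# the token controller populate .data.token and .data.ca\.crt; without it
# the Secret stays empty and the download still fails.
render_token_secret() {   # <sa> <namespace> <secret-name>
  cat <<EOF
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: $3
  namespace: $2
  annotations:
    kubernetes.io/service-account.name: $1
EOF
}

# Strategic-merge patch body: ServiceAccount.secrets merges on "name", so
# this appends to the existing dockercfg entry instead of replacing it.
render_sa_patch() {        # <secret-name>
  printf '{"secrets":[{"name":"%s"}]}' "$1"
}

# kubeconfig from the decoded token and the (still base64) CA bundle.
render_kubeconfig() {      # <server> <ca-b64> <token> <sa> <namespace>
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: cluster
  cluster:
    server: $1
    certificate-authority-data: $2
users:
- name: $4
  user:
    token: $3
contexts:
- name: $4@cluster
  context:
    cluster: cluster
    user: $4
    namespace: $5
current-context: $4@cluster
EOF
}

if [ "${RUN_AGAINST_CLUSTER:-0}" = 1 ]; then
  render_token_secret sa-sample sample secret-sa-sample | oc apply -f -
  oc -n sample patch sa sa-sample -p "$(render_sa_patch secret-sa-sample)"
  # The controller fills the token asynchronously; wait until it is present.
  until tok=$(oc -n sample get secret secret-sa-sample -o jsonpath='{.data.token}' | base64 -d) && [ -n "$tok" ]; do sleep 1; done
  ca=$(oc -n sample get secret secret-sa-sample -o jsonpath='{.data.ca\.crt}')
  render_kubeconfig "$(oc whoami --show-server)" "$ca" "$tok" sa-sample sample > sa-sample.kubeconfig
fi
```

The token written into sa-sample.kubeconfig is long-lived and not bound to a pod, so treat the file as a credential and prefer the TokenRequest API where a short-lived token suffices.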

Root Cause

Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

  • The message is related to a change introduced in OCP 4.11:

    LegacyServiceAccountTokenNoAutoGeneration is on by default

    To align with upstream Kubernetes having moved the LegacyServiceAccountTokenNoAutoGeneration feature gate to beta and enabling it by default, OpenShift Container Platform now also follows this security feature and releases with the feature enabled. As a result, when creating new service accounts (SA), a service account token secret is no longer automatically generated. Previously, OpenShift Container Platform automatically added a service account token to a secret for each new SA.

    Service Account token secrets still appear as auto-generated in OpenShift Container Platform 4.11. However, instead of two secrets per Service Account, there will now be only one, which will be further reduced to zero in a future release. These tokens do not work. For now, dockercfg secrets are still being generated as secrets and no secrets will be deleted during upgrades.

    After updating to 4.11, existing service account token secrets are not deleted and continue to function as expected.

  • Creating a new ServiceAccount on OCP 4.11 does not automatically create a token secret, so only the dockercfg secret is added to the list of mountable secrets, and the console has no token to build the kubeconfig from.

Diagnostic Steps

  1. Access the OpenShift Web Console and create a new Project under Home > Projects > Create Project.
  2. Go to User Management > ServiceAccounts and create a new ServiceAccount by clicking Create ServiceAccount.
  3. Click on the newly created ServiceAccount, then on Actions > Download kubeconfig file.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
