Service Account Token is not created and appended to the Service Account.
Environment
- Red Hat OpenShift Container Platform (RHOCP)
- 4.11
- 4.12
- 4.13
- 4.14
Issue
When a Service Account (SA) is created, a secret-based service account token is no longer generated automatically. Up to OpenShift 4.10 this was done automatically.
Resolution
You have access to the cluster as a user with the cluster-admin role and have created a service account. This procedure assumes that the service account is named build-robot.
Create the bound service account token outside the pod by running the following command:
$ oc create token build-robot
Root Cause
Versions of Kubernetes before v1.22 automatically created credentials for accessing the Kubernetes API. This older mechanism was based on creating token Secrets that could then be mounted into running Pods. In more recent versions, including Kubernetes v1.28, API credentials are obtained directly by using the TokenRequest API, and are mounted into Pods using a projected volume. The tokens obtained using this method have bounded lifetimes, and are automatically invalidated when the Pod they are mounted into is deleted.
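The difference between the two token types is visible in the JWT claims, so a token can be checked for a bounded lifetime before it is handed to automation. The following is an added example, not part of the original solution: it decodes the payload without verifying the signature (inspection only), and the sample tokens, the default namespace, the pod name and the timestamps are constructed for illustration.

```python
import base64
import json
import time

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token):
    """Return the JWT payload. The signature is NOT verified (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def classify(token, now=None):
    """Report whether a service account token is bound (expiring) or legacy."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    # Legacy secret-based tokens carry flat claims and no expiry.
    legacy = "kubernetes.io/serviceaccount/secret.name" in claims or exp is None
    binding = claims.get("kubernetes.io", {})  # nested claim on bound tokens
    return {
        "kind": "legacy-secret" if legacy else "bound",
        "subject": claims.get("sub"),
        "audience": claims.get("aud"),
        "seconds_left": None if exp is None else int(exp - now),
        "expired": exp is not None and exp <= now,
        "bound_pod": binding.get("pod", {}).get("name"),
    }

def make_sample(claims):
    """Build a constructed token with a dummy signature, for offline use."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return ".".join([header, b64url(json.dumps(claims).encode()), b64url(b"dummy")])

NOW = 1700000000  # constructed reference time
SUB = "system:serviceaccount:default:build-robot"
SAMPLE_BOUND = make_sample({
    "sub": SUB, "aud": ["https://kubernetes.default.svc"],
    "iat": NOW, "exp": NOW + 3600,
    "kubernetes.io": {"namespace": "default", "pod": {"name": "build-robot-pod"},
                      "serviceaccount": {"name": "build-robot"}}})
SAMPLE_LEGACY = make_sample({
    "sub": SUB, "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/secret.name": "build-robot-token-abcde"})

if __name__ == "__main__":
    for tok in (SAMPLE_BOUND, SAMPLE_LEGACY):
        print(classify(tok, NOW))
```

A token reported as legacy-secret has no expiry claim and stays valid until its Secret is removed, which is the behaviour the bound tokens described above replace.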
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.