
Dipesh Majumdar

Service Account Mystery

[dipesh.majumdar@demo ~]$ k -n mns get all
No resources found.

A service account is present in the namespace, yet get all does not list it. kubectl -n <namespace> get all also omits Secrets and ConfigMaps: despite its name, get all covers only a fixed set of workload resources (pods, services, deployments and the like), so it is not an inventory of a namespace. The identity and secret objects have to be queried explicitly:

[dipesh.majumdar@demo ~]$ k -n mns get sa
NAME      SECRETS   AGE
default   1         1d

[dipesh.majumdar@demo ~]$ k -n mns get secret
NAME                  TYPE                                  DATA   AGE
default-token-s8d4x   kubernetes.io/service-account-token   3      1d
istio.default         istio.io/key-and-cert                 3      1d
istio.sa1             istio.io/key-and-cert                 3      1m

Now let's create a service account. Creating it also creates a token Secret for it (this is the pre-1.24 behaviour; see the note at the end):

[dipesh.majumdar@demo ~]$ k -n mns create sa sa1
serviceaccount/sa1 created
[dipesh.majumdar@demo ~]$ k -n mns get secrets
NAME                  TYPE                                  DATA   AGE
default-token-s8d4x   kubernetes.io/service-account-token   3      1d
istio.default         istio.io/key-and-cert                 3      1d
istio.sa1             istio.io/key-and-cert                 3      1m
sa1-token-22rr5       kubernetes.io/service-account-token   3      7s
[dipesh.majumdar@demo ~]$ k -n mns get secrets sa1-token-22rr5 -o yaml
apiVersion: v1
data:
  ca.crt: <base64 CA certificate, omitted>
  namespace: bW5z
  token: <base64 JWT, omitted>
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: sa1
    kubernetes.io/service-account.uid: 2407db34-5872-11e9-9f2c-42010af00131
  creationTimestamp: "2019-04-06T13:44:46Z"
  name: sa1-token-22rr5
  namespace: mns
  resourceVersion: "517958"
  selfLink: /api/v1/namespaces/mns/secrets/sa1-token-22rr5
  uid: 240ae6a4-5872-11e9-9f2c-42010af00131
type: kubernetes.io/service-account-token
[dipesh.majumdar@demo ~]$

k -n mns run nginx --restart=Never --image=nginx --dry-run -o yaml > pod.yaml   # then add the serviceAccountName: sa1 line under spec: (the part highlighted in the original) and create the pod from the file; newer kubectl versions want --dry-run=client

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
  serviceAccountName: sa1
  containers:
  - image: nginx
    name: nginx
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

[dipesh.majumdar@demo ~]$ k -n mns get po nginx -o yaml --export |grep -A5 -i volume
Flag --export has been deprecated, This flag is deprecated and will be removed in future.
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: sa1-token-22rr5
      readOnly: true
  dnsPolicy: ClusterFirst
  nodeName: gke-standard-cluster-1-default-pool-c7a16408-wk8x
--
  volumes:
  - name: sa1-token-22rr5
    secret:
      defaultMode: 420
      secretName: sa1-token-22rr5
status:

[dipesh.majumdar@demo ~]$ k -n mns exec -it nginx -- ls -ltra /var/run/secrets/kubernetes.io/serviceaccount
total 4
lrwxrwxrwx 1 root root   12 Apr  6 14:05 token -> ..data/token
lrwxrwxrwx 1 root root   16 Apr  6 14:05 namespace -> ..data/namespace
lrwxrwxrwx 1 root root   13 Apr  6 14:05 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root   31 Apr  6 14:05 ..data -> ..2019_04_06_14_05_45.891537062
drwxr-xr-x 2 root root  100 Apr  6 14:05 ..2019_04_06_14_05_45.891537062
drwxrwxrwt 3 root root  140 Apr  6 14:05 .
drwxr-xr-x 3 root root 4096 Apr  6 14:05 ..

 

[dipesh.majumdar@demo ~]$ k -n mns exec -it nginx -- cat /var/run/secrets/kubernetes.io/serviceaccount/token
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJtbnMiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoic2ExLXRva2VuLTIycnI1Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InNhMSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjI0MDdkYjM0LTU4NzItMTFlOS05ZjJjLTQyMDEwYWYwMDEzMSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDptbnM6c2ExIn0.5KRGxPSazpzpbx8w-Sl4F7zUnuKKZQYz8Hgl4IzyGDV23Prb5NDgmQC9ASe2ek4PS2yWJmSE55jKhZX1UHqYpehlJolbPAzuZLkf_4Fktp4Bz51BmcvQBPO5FABl3e7fkB4c_ov6rfPou39XZTFjWh9OSNvI7tCyuUTTgX7ePfHbf--qqWw3azyWdWff5Sb4un3uhOFCjyGWhsgVD0E9VqJyDfBMFSBt09nh3NJxlzLLatZfUdTx13Giy733ntB45a0SAKj7Ar-AeTs0GE5Y7ALlLNMTA3X6UFjqjVVgL3_MSWTqvZE8eeepp9xdfFCAleD2A8OUXDfmp1UA[dipesh.majumdar@demo ~]$

(The token file has no trailing newline, so the next prompt lands on the same line as the token.)
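Added example (mine, not code from the post): a small POSIX shell helper that decodes the token printed above and shows what it carries. The token string is the one from the post, copied verbatim; the function names are my own. A JWT payload is only base64url-encoded, so this needs no key and verifies nothing. It simply shows what anyone who obtains the token, or the Secret it lives in, learns from it, and checks for the exp claim that secret-based tokens of this era do not have.

```shell
#!/bin/sh
# Added example, not part of the original post: inspect the service-account
# token the pod read from /var/run/secrets/kubernetes.io/serviceaccount/token.
# The payload is only base64url-encoded; no key material is needed to read it.

# Sample input: the token printed in the post above (header.payload.signature),
# copied verbatim. It is a legacy, secret-based token for mns/sa1.
SA_TOKEN='eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJtbnMiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoic2ExLXRva2VuLTIycnI1Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InNhMSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjI0MDdkYjM0LTU4NzItMTFlOS05ZjJjLTQyMDEwYWYwMDEzMSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDptbnM6c2ExIn0.5KRGxPSazpzpbx8w-Sl4F7zUnuKKZQYz8Hgl4IzyGDV23Prb5NDgmQC9ASe2ek4PS2yWJmSE55jKhZX1UHqYpehlJolbPAzuZLkf_4Fktp4Bz51BmcvQBPO5FABl3e7fkB4c_ov6rfPou39XZTFjWh9OSNvI7tCyuUTTgX7ePfHbf--qqWw3azyWdWff5Sb4un3uhOFCjyGWhsgVD0E9VqJyDfBMFSBt09nh3NJxlzLLatZfUdTx13Giy733ntB45a0SAKj7Ar-AeTs0GE5Y7ALlLNMTA3X6UFjqjVVgL3_MSWTqvZE8eeepp9xdfFCAleD2A8OUXDfmp1UA'

# base64url -> base64: swap the two alphabet characters and restore '=' padding.
# JWT segments are unpadded, which is why a plain `base64 -d` rejects them.
b64url_decode() {
  s=$(printf '%s' "$1" | sed 'y|-_|+/|')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Decoded header (segment 1) and payload (segment 2) of a JWT.
jwt_header()  { b64url_decode "$(printf '%s' "$1" | cut -d. -f1)"; }
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Signing algorithm from the header.
jwt_alg() { jwt_header "$1" | sed -n 's|.*"alg":"\([^"]*\)".*|\1|p'; }

# One string-valued claim from the payload, e.g. jwt_claim "$tok" sub.
# Minimal sed matcher for the flat JSON these tokens carry; no jq dependency.
jwt_claim() {
  jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Legacy tokens carry no "exp" claim: they stay valid until the Secret is
# deleted. Returns 0 when an exp claim is present.
jwt_has_exp() { jwt_payload "$1" | grep -q '"exp"'; }

# Summarise who this token authenticates as.
describe_token() {
  printf 'alg:        %s\n' "$(jwt_alg "$1")"
  printf 'issuer:     %s\n' "$(jwt_claim "$1" iss)"
  printf 'subject:    %s\n' "$(jwt_claim "$1" sub)"
  printf 'namespace:  %s\n' "$(jwt_claim "$1" kubernetes.io/serviceaccount/namespace)"
  printf 'secret:     %s\n' "$(jwt_claim "$1" kubernetes.io/serviceaccount/secret.name)"
  if jwt_has_exp "$1"; then
    printf 'expires:    yes\n'
  else
    printf 'expires:    never (legacy secret-based token)\n'
  fi
}

describe_token "$SA_TOKEN"

# From inside the pod the same token authenticates to the API server, scoped by
# whatever RoleBindings sa1 has (none were created in the post), for example:
#   curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
#        -H "Authorization: Bearer $SA_TOKEN" https://kubernetes.default.svc/api/
```

The subject comes out as system:serviceaccount:mns:sa1, which is the name to use when checking what the account may do: kubectl auth can-i --list --as=system:serviceaccount:mns:sa1 -n mns.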

Note: If we hadn't set serviceAccountName: sa1, the pod would have used the namespace's default service account and its default-token-s8d4x secret would have been mounted at the same path. Every pod in mns gets that token unless told otherwise, and a secret-based token of this kind is a long-lived credential: it has no expiry and stays valid until its Secret is deleted, so a compromised container, or read access to Secrets in the namespace, hands an attacker the service account's identity.

To disable the mount for a pod that never needs to talk to the API server, set automountServiceAccountToken: false in the pod spec, or on the ServiceAccount object to make it the default for every pod using that account (a pod-level setting takes precedence over the ServiceAccount's).

Since Kubernetes 1.24, creating a ServiceAccount no longer creates a token Secret; pods receive short-lived projected tokens instead, and a token for manual use is minted with kubectl create token <sa>.
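Added example (mine, not from the post): the nginx pod from above with the token mount switched off, the namespace-wide equivalent on the ServiceAccount, the precedence rule between the two settings, and a check to run against a live pod. The names mns, nginx, sa1 and default are the post's; the function names are my own, and the ServiceAccount manifest for default is an assumed companion, not something the post created.

```shell
#!/bin/sh
# Added example, not part of the original post: hardened manifests for the
# post's pod and namespace, the automount precedence rule, and a live check.

# Hardened Pod spec. The Pod-level field overrides whatever the ServiceAccount
# says, so this is the place to pin it for a workload that never calls the API.
render_pod() {
cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: mns
spec:
  serviceAccountName: sa1
  automountServiceAccountToken: false
  containers:
  - name: nginx
    image: nginx
EOF
}

# Namespace-wide default (assumed manifest): pods using the "default" account
# get no token unless their own spec sets automountServiceAccountToken: true.
render_default_sa() {
cat <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: mns
automountServiceAccountToken: false
EOF
}

# Precedence as the ServiceAccount admission plugin applies it: the Pod field
# when set, else the ServiceAccount field, else true.
# Usage: token_mounted <pod: true|false|""> <sa: true|false|"">   -> yes|no
token_mounted() {
  if [ -n "$1" ]; then v=$1; elif [ -n "$2" ]; then v=$2; else v=true; fi
  case $v in
    false) echo no ;;
    *)     echo yes ;;
  esac
}

# Live check: feed `kubectl -n mns get po nginx -o yaml` on stdin; returns 0
# when a token is mounted at the standard path.
token_mount_present() {
  grep -q 'mountPath: /var/run/secrets/kubernetes.io/serviceaccount'
}

# Constructed sample: the volumeMounts block the post showed for its pod.
SAMPLE_MOUNTED='    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: sa1-token-22rr5
      readOnly: true'

if printf '%s\n' "$SAMPLE_MOUNTED" | token_mount_present; then
  echo "post's pod: token mounted (pod unset, sa unset -> $(token_mounted '' ''))"
fi
echo "hardened pod: pod=false, sa unset -> $(token_mounted false '')"
echo "default sa off, pod opts in: pod=true, sa=false -> $(token_mounted true false)"

# Against a cluster (not run here); the pod must be recreated, spec is immutable:
#   render_default_sa | kubectl apply -f -
#   kubectl -n mns delete po nginx && render_pod | kubectl apply -f -
#   kubectl -n mns get po nginx -o yaml | token_mount_present && echo 'still mounted'
```

After the recreate, the ls of /var/run/secrets/kubernetes.io/serviceaccount shown earlier fails with "No such file or directory", which is the expected result: the workload has no API credential to leak.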

 
