[SUPPORT] Kubernetes ServiceAccount no longer auto-generates secret #133
Comments
Thanks for reporting. Trousseau is marked as supporting Kubernetes versions up to 1.22.
Let me crack these this Thursday.
Hey @M-gre, it might be related to minikube - here are my steps with rancher-desktop:
then create the vault-auth ServiceAccount:
then create the vault-auth Secret:
with the following YAML manifest:

```yaml
---
apiVersion: v1
kind: Secret
metadata:
  namespace: kube-system
  name: vault-auth
  annotations:
    kubernetes.io/service-account.name: "vault-auth"
type: kubernetes.io/service-account-token
```

then apply RBAC:
with the following YAML manifest:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: vault-auth
    namespace: kube-system
```

finally check the token generation by Kubernetes:
and the link with the ServiceAccount:
Notes:
This might be an expected outcome that needs to be confirmed. Obviously, it changes the deployment as the
I found an explanation here, this is the default behaviour in Kubernetes v1.24: https://itnext.io/big-change-in-k8s-1-24-about-serviceaccounts-and-their-secrets-4b909a4af4e0, https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#no-really-you-must-read-this-before-you-upgrade and https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets: "The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the TokenRequest API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this guide. (kubernetes/kubernetes#108309, @zshihang)"
There is a bit more than that from a deployment perspective as the created token Secret is not showing up as linked to the ServiceAccount.
The documentation has been updated accordingly: https://docs.trousseau.io/trousseau/deployment/
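As an added example (not code from this thread or from Trousseau), the check a practitioner would run before exporting the token from the Secret created in the steps above: it confirms that the token controller has populated `data.token`, `data.ca.crt` and `data.namespace`, stamped the `kubernetes.io/service-account.uid` annotation, and issued a token whose claims name the right ServiceAccount, and it locates the Secret by type and annotation rather than through the ServiceAccount's `secrets` list, which the comment above notes does not show the link. The Secret and ServiceAccount JSON, the uid and the token are constructed inside the block to stand in for `kubectl get ... -o json` output; the constructed token carries the legacy service-account claims but a fake signature, so nothing here validates a signature.

```python
import base64
import json

# Names from the manifests in the thread; the uid is constructed (a real cluster assigns it).
SA_NAME, SA_NS, SECRET_NAME = "vault-auth", "kube-system", "vault-auth"
SA_UID = "6f0b2c1e-1111-4222-8333-444455556666"
TOKEN_TYPE = "kubernetes.io/service-account-token"
ANN_NAME = "kubernetes.io/service-account.name"
ANN_UID = "kubernetes.io/service-account.uid"

# Constructed stand-in for `kubectl -n kube-system get sa vault-auth -o json`. It carries no
# `secrets:` list, matching the observation in the thread that the manual token Secret is
# not listed on the ServiceAccount, so the lookup below does not rely on that field.
SERVICE_ACCOUNT = {"kind": "ServiceAccount",
                   "metadata": {"name": SA_NAME, "namespace": SA_NS, "uid": SA_UID}}


def _b64url_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    # JWT segments are unpadded; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def constructed_token():
    """Look-alike of a legacy (non-expiring) service-account JWT: the claims mirror what the
    token controller issues, the signature is fake, so nothing here verifies a signature."""
    header = {"alg": "RS256", "kid": "constructed-kid"}
    payload = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": SA_NS,
        "kubernetes.io/serviceaccount/secret.name": SECRET_NAME,
        "kubernetes.io/serviceaccount/service-account.name": SA_NAME,
        "kubernetes.io/serviceaccount/service-account.uid": SA_UID,
        "sub": f"system:serviceaccount:{SA_NS}:{SA_NAME}",
    }
    return f"{_b64url_json(header)}.{_b64url_json(payload)}.constructed-signature"


def constructed_secret(populated):
    """Constructed `kubectl get secret vault-auth -o json` output: populated=False is the
    manifest from the comment right after `kubectl apply`, populated=True is what the token
    controller turns it into (uid annotation plus ca.crt, namespace and token data)."""
    secret = {"kind": "Secret", "type": TOKEN_TYPE,
              "metadata": {"name": SECRET_NAME, "namespace": SA_NS,
                           "annotations": {ANN_NAME: SA_NAME}}}
    if populated:
        secret["metadata"]["annotations"][ANN_UID] = SA_UID
        secret["data"] = {
            "ca.crt": base64.b64encode(b"-----BEGIN CERTIFICATE-----\nconstructed\n"
                                       b"-----END CERTIFICATE-----\n").decode(),
            "namespace": base64.b64encode(SA_NS.encode()).decode(),
            "token": base64.b64encode(constructed_token().encode()).decode(),
        }
    return secret


def check_token_secret(secret, sa):
    """Return the reasons `secret` is NOT yet a populated token Secret for `sa`; an empty
    list means the token can be exported for Vault's kubernetes auth method."""
    name, ns, uid = (sa["metadata"][k] for k in ("name", "namespace", "uid"))
    meta = secret.get("metadata", {})
    ann = meta.get("annotations") or {}
    data = secret.get("data") or {}
    problems = []
    if secret.get("type") != TOKEN_TYPE:
        problems.append(f"type is {secret.get('type')!r}, expected {TOKEN_TYPE!r}")
    if meta.get("namespace") != ns:
        problems.append("Secret and ServiceAccount are in different namespaces")
    if ann.get(ANN_NAME) != name:
        problems.append(f"annotation {ANN_NAME} does not name {name!r}")
    # The controller stamps the SA uid when it accepts the Secret; without it, the controller
    # has not picked the Secret up (wrong SA name, wrong namespace, or simply not yet).
    if ann.get(ANN_UID) != uid:
        problems.append(f"annotation {ANN_UID} missing or not matching the ServiceAccount uid")
    problems += [f"data.{k} not populated"
                 for k in ("token", "ca.crt", "namespace") if k not in data]
    if problems:
        return problems
    # Structural check of the token claims (the signature is not verified here).
    token = base64.b64decode(data["token"]).decode()
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    expected_sub = f"system:serviceaccount:{ns}:{name}"
    if claims.get("sub") != expected_sub:
        problems.append(f"token sub is {claims.get('sub')!r}, expected {expected_sub!r}")
    if claims.get("kubernetes.io/serviceaccount/service-account.uid") != uid:
        problems.append("token uid claim does not match the ServiceAccount uid")
    if base64.b64decode(data["namespace"]).decode() != ns:
        problems.append("data.namespace does not match the ServiceAccount namespace")
    return problems


def find_token_secrets(items, sa):
    """Locate token Secrets for `sa` by type and annotation in a SecretList's `items`
    (what `kubectl -n kube-system get secret -o json` returns), instead of via sa.secrets."""
    return [s["metadata"]["name"] for s in items
            if s.get("type") == TOKEN_TYPE
            and s["metadata"].get("namespace") == sa["metadata"]["namespace"]
            and (s["metadata"].get("annotations") or {}).get(ANN_NAME) == sa["metadata"]["name"]]


if __name__ == "__main__":
    for populated in (False, True):
        result = check_token_secret(constructed_secret(populated), SERVICE_ACCOUNT)
        print("populated" if populated else "just applied", "->", result or "OK")
    print("token secrets:", find_token_secrets([constructed_secret(True)], SERVICE_ACCOUNT))
```

Against the freshly applied manifest the check reports the missing uid annotation and the empty `data` fields, which is exactly the state the reporter describes; once the controller has run, the same Secret passes and its token can be exported. The lookup by annotation is the practical answer to the Secret not appearing on the ServiceAccount.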
Summary
As of 1.24 Kubernetes no longer auto-generates secrets for ServiceAccounts. I'm having trouble working around this limitation.
Detailed Description
I'm trying to connect my Vault instance as described in the wiki. Due to the mentioned change in Kubernetes 1.24, the tutorial provided in the wiki is no longer accurate. When creating the ServiceAccount and exporting the secrets there is no return value. I have tried to work around this issue with the suggested workaround, but Kubernetes is not generating a secret for me to export.
Expected Behavior
After creating a ServiceAccount and creating a service account token secret I should be able to export a secret for further use.
Current Behavior
The secret for the service account does not get populated.
Steps to Reproduce
1. `kubectl -n kube-system create serviceaccount vault-auth`
   `serviceaccount/vault-auth created`
2. `secret/vault-auth-secret created`
Context (Environment)
This is my first try connecting Vault to Kubernetes. I wanted to follow along the tutorial to get the connection working.
I'm running my cluster in minikube (not sure if this is relevant).