Update getServiceAccountToken() to work correctly on Kubernetes 1.24+
#185
Labels
enhancement
New feature or request
Comments
unless you are mounting the manually created token into a pod, you should not add it to this list... this list is only for listing secrets that can be mounted into pods running as that service account |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Context
Kubernetes 1.24+ doesn't create service account token secrets by default anymore. Additionally, when creating a token secret explicitly, the secret isn't added to field
secretsin the ServiceAccount object.We need to update
getServiceAccountToken()to no longer find the token secret via the service account'ssecretsfield, but instead by looking at the secret'skubernetes.io/service-account.nameorkubernetes.io/service-account.uidannotations.Since existing ServiceAccount token secrets already have those annotations (at least secrets created on Kubernetes 1.22+), we don't need to have multiple ways to lookup secrets based on whether the ServiceAccount and token secret were created on 1.24 or before.
Alternatives
Extend the operator to add the manually created secret to the ServiceAccount's
secretsfield.The text was updated successfully, but these errors were encountered: