Service account is getting created without a secret

Whenever I create a ServiceAccount it appears to be without a Secret. What must I enable/do to make sure that every ServiceAccount I create automatically gets a Secret object created for it?

This is the microk8s version I’m using:
installed: v1.18.13 (1854) 199MB classic

I experience the exact same behavior. Even when enumerating the secrets, I do not see any service account tokens there.

I found several tutorials, all showing different behavior (e.g. https://youtu.be/wN6FlmPy2qA?t=417) where:

microk8s.kubectl get secrets --all-namespaces

returns a long list of secrets and service account tokens. Using the command in my environment just lists three secrets for the kubernetes-dashboard.

I have the following addons installed: dashboard, ingress, rbac, dns, storage.

When I create a service account manually and afterwards inspect it, there is also no secret referenced:

microk8s.kubectl create serviceaccount test
microk8s.kubectl get serviceaccount test -o yaml

Outputs:

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-05-29T06:12:10Z"
  name: test
  namespace: default
  resourceVersion: "89419"
  uid: ced23327-6bf3-41cb-af58-395b4826f415

First I thought this might be caused by using Kubernetes 1.24. Now I’m more confused as you describe a similar behavior in 1.18.xx

Can anyone explain what we did wrong?

So for Kubernetes Version 1.24 I found the solution here:

Tokens for ServiceAccounts have to be requested over the kubeapi:

kubectl create token cicd
kubectl create token cicd --duration=999999h
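Added example, not part of the thread: `kubectl create token` returns a time-bound JWT, and the server may issue a longer or shorter lifetime than `--duration` requests, so this Python check decodes a token's claims and flags lifetimes above a limit. The sample token, its claim values and the 24h limit are constructed assumptions for illustration.

```python
import base64
import json
import time

MAX_LIFETIME_S = 24 * 3600  # assumed policy limit for this example, not a Kubernetes default


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # JWTs strip base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))


def audit_token(token, now=None, max_lifetime_s=MAX_LIFETIME_S):
    """Report subject, lifetime and policy findings for a ServiceAccount token."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    findings, lifetime = [], None
    if "exp" not in claims:
        findings.append("no exp claim: token does not expire")
    else:
        lifetime = claims["exp"] - claims.get("iat", now)
        if claims["exp"] <= now:
            findings.append("token already expired")
        elif lifetime > max_lifetime_s:
            findings.append(f"lifetime {lifetime / 3600:.0f}h exceeds {max_lifetime_s / 3600:.0f}h limit")
    return {"subject": claims.get("sub"), "lifetime_s": lifetime, "findings": findings}


def make_sample_token(iat, lifetime_s=None):
    """Build a constructed, unsigned token shaped like a `kubectl create token` result."""
    claims = {"iss": "https://kubernetes.default.svc",  # constructed issuer value
              "sub": "system:serviceaccount:default:cicd", "iat": iat}
    if lifetime_s is not None:
        claims["exp"] = iat + lifetime_s
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed-signature"


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed timestamp
    for hours in (1, 999999):
        print(audit_token(make_sample_token(issued, hours * 3600), now=issued + 60))
```

To check a real token, pass the output of `kubectl create token cicd` to `audit_token` instead of the constructed sample.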

I already tried all documentation I could find, and this blog that is mentioned above.
But I wasn’t able to find a solution.
When I try to create a service-account-token for the SA I get an error.
microk8s, 1.24

apiVersion: v1
kind: Secret
metadata:
 name: my-secret
 namespace: test01
 annotations:
   kubernetes.io/service-account.name: "mysa"
type: kubernetes.io/service-account-token

The Secret "my-secret" is invalid: type: Invalid value: "kubernetes.io/service-account-token": field is immutable

Service account shows up in namespace.
Anyone with an idea or a link to docs I might have missed?

Ok I might have found the problem.
I randomly changed the metadata.name to the exact name of the ServiceAccount. Then it was created.
If anyone has some information, docs, etc. for me on why that is and where those relations are explained, that would be awesome.