ServiceAccount's token being continuously recreated

Hiya all,
I’m having a weird issue with my k8s cluster (1.15.11). All secrets of type service-account-token are being continuously recreated, and I can’t really find any traces in the logs. Has anyone seen anything similar, or can anyone point me to where to look? Thanks

Cluster information:

Kubernetes version: 1.15.11
Cloud being used: VM on-prem
Installation method: kubespray
Host OS: Centos 7
CNI and version: –
CRI and version: –

Hi @ndemeshchenko,

A secret of type service-account-token that instantly reappears after manual deletion (e.g. via kubectl delete secret <SECRET>) is likely to be holding the API token corresponding to a ServiceAccount you created in your cluster. From the docs:

A controller loop ensures a Secret with an API token exists for each ServiceAccount.

TokenController runs as part of kube-controller-manager. It acts asynchronously. It:

  • watches ServiceAccount creation and creates a corresponding ServiceAccount token Secret to allow API access.
  • watches ServiceAccount deletion and deletes all corresponding ServiceAccount token Secrets.
  • watches ServiceAccount token Secret addition, and ensures the referenced ServiceAccount exists, and adds a token to the Secret if needed.
  • watches Secret deletion and removes a reference from the corresponding ServiceAccount if needed.

Further reading:
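
A way to check which token Secrets the TokenController behaviour quoted above applies to, as an added example that is not part of the original posts: it correlates each service-account-token Secret with its ServiceAccount through the `kubernetes.io/service-account.name` and `kubernetes.io/service-account.uid` annotations. The namespace, object names, UIDs and timestamps are constructed sample data, and the status labels are hypothetical names chosen for this sketch.

```python
from datetime import datetime

SA_NAME = "kubernetes.io/service-account.name"
SA_UID = "kubernetes.io/service-account.uid"
TOKEN_TYPE = "kubernetes.io/service-account-token"

def _obj(kind, name, uid, created, **extra):
    meta = {"namespace": "demo", "name": name, "uid": uid, "creationTimestamp": created}
    return {"kind": kind, "metadata": meta, **extra}

def _token(name, created, sa_name, sa_uid):
    o = _obj("Secret", name, "uid-" + name, created, type=TOKEN_TYPE)
    o["metadata"]["annotations"] = {SA_NAME: sa_name, SA_UID: sa_uid}
    return o

# Constructed sample, shaped like the "items" list of
# `kubectl get serviceaccounts,secrets -n demo -o json`.
SAMPLE = [
    _obj("ServiceAccount", "builder", "aaa-111", "2020-04-01T10:00:00Z",
         secrets=[{"name": "builder-token-x7k2p"}]),
    _token("builder-token-x7k2p", "2020-04-20T09:15:02Z", "builder", "aaa-111"),
    _token("builder-token-old01", "2020-03-01T08:00:00Z", "builder", "zzz-000"),
    _token("ghost-token-q1w2e", "2020-04-20T09:15:03Z", "ghost", "bbb-222"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def classify_token_secrets(items):
    """Map token Secret name -> (status, seconds it was created after its ServiceAccount)."""
    sas = {(i["metadata"]["namespace"], i["metadata"]["name"]): i
           for i in items if i["kind"] == "ServiceAccount"}
    report = {}
    for s in items:
        if s["kind"] != "Secret" or s.get("type") != TOKEN_TYPE:
            continue
        meta, ann = s["metadata"], s["metadata"].get("annotations", {})
        sa = sas.get((meta["namespace"], ann.get(SA_NAME)))
        if sa is None:  # the annotation names a ServiceAccount that does not exist
            report[meta["name"]] = ("orphaned", None)
            continue
        lag = int((parse(meta["creationTimestamp"])
                   - parse(sa["metadata"]["creationTimestamp"])).total_seconds())
        if sa["metadata"]["uid"] != ann.get(SA_UID):
            status = "stale-uid"      # ServiceAccount with this name has a different UID
        elif any(r.get("name") == meta["name"] for r in sa.get("secrets", [])):
            status = "referenced"     # listed in the ServiceAccount's .secrets
        else:
            status = "unreferenced"   # matches the ServiceAccount but is not listed on it
        report[meta["name"]] = (status, lag)
    return report
```

A "referenced" Secret with a large lag was created well after its ServiceAccount, which is what a regenerated token looks like; watching whether that lag keeps resetting across runs shows which ServiceAccounts are affected.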