Hiya all,
I’m having a weird issue with my k8s cluster (1.15.11). All secrets of type service-account-token are being continuously recreated. And I can’t really find any traces in the logs. Has anyone seen anything similar, or can anyone point me to where to look? Thanks
Cluster information:
Kubernetes version: 1.15.11
Cloud being used: VM on-prem
Installation method: kubespray
Host OS: Centos 7
CNI and version: –
CRI and version: –
Hi @ndemeshchenko,
A secret of type service-account-token that instantly reappears after manual deletion (e.g. via kubectl delete secret <SECRET>) is likely to be holding the API token corresponding to a ServiceAccount you created in your cluster. From the docs:
A controller loop ensures a Secret with an API token exists for each ServiceAccount.
TokenController runs as part of kube-controller-manager. It acts asynchronously. It:
- watches ServiceAccount creation and creates a corresponding ServiceAccount token Secret to allow API access.
- watches ServiceAccount deletion and deletes all corresponding ServiceAccount token Secrets.
- watches ServiceAccount token Secret addition, and ensures the referenced ServiceAccount exists, and adds a token to the Secret if needed.
- watches Secret deletion and removes a reference from the corresponding ServiceAccount if needed.
Further reading:
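
To tell the ordinary TokenController recreation described above apart from token Secrets that keep churning, the following added example (not part of the original thread or of Kubernetes itself) checks each token Secret against the ServiceAccount named in its annotations. The state names, the `churn_window` threshold and the sample objects are constructed for illustration.

```python
from datetime import datetime, timezone

TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_NAME = "kubernetes.io/service-account.name"  # annotations set on token Secrets
SA_UID = "kubernetes.io/service-account.uid"

def ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit(secrets, accounts, now, churn_window=600):
    """Map 'namespace/secret' -> (state, recently_recreated) for every token Secret."""
    by_key = {(a["metadata"]["namespace"], a["metadata"]["name"]): a
              for a in accounts["items"]}
    report = {}
    for s in secrets["items"]:
        if s.get("type") != TOKEN_TYPE:
            continue
        meta = s["metadata"]
        ann = meta.get("annotations", {})
        sa = by_key.get((meta["namespace"], ann.get(SA_NAME)))
        if sa is None:
            state = "orphan"          # names a ServiceAccount that does not exist
        elif sa["metadata"]["uid"] != ann.get(SA_UID):
            state = "uid-mismatch"    # annotation UID differs from the live object
        elif meta["name"] not in {r["name"] for r in sa.get("secrets", [])}:
            state = "unreferenced"    # ServiceAccount does not list this Secret
        else:
            state = "ok"
        age = (now - ts(meta["creationTimestamp"])).total_seconds()
        sa_age = (now - ts(sa["metadata"]["creationTimestamp"])).total_seconds() if sa else 0
        # A young Secret on an old ServiceAccount was recreated recently.
        report[f'{meta["namespace"]}/{meta["name"]}'] = (
            state, age < churn_window <= sa_age)
    return report

# Constructed sample data in the shape of `kubectl get ... -o json` output.
def _secret(name, sa, uid, created, kind=TOKEN_TYPE):
    return {"type": kind, "metadata": {"namespace": "default", "name": name,
            "creationTimestamp": created, "annotations": {SA_NAME: sa, SA_UID: uid}}}

NOW = ts("2020-05-01T12:00:00Z")
ACCOUNTS = {"items": [{"metadata": {"namespace": "default", "name": "default",
    "uid": "uid-a", "creationTimestamp": "2020-01-01T00:00:00Z"},
    "secrets": [{"name": "default-token-abcde"}]}]}
SECRETS = {"items": [
    _secret("default-token-abcde", "default", "uid-a", "2020-05-01T11:58:00Z"),
    _secret("default-token-old", "default", "uid-a", "2020-01-01T00:00:05Z"),
    _secret("ci-token-xyz12", "ci", "uid-c", "2020-05-01T11:59:00Z"),
    _secret("app-config", "", "", "2020-05-01T11:59:00Z", kind="Opaque")]}
```

On a live cluster, pass `audit` the parsed output of `kubectl get secrets --all-namespaces -o json` and `kubectl get serviceaccounts --all-namespaces -o json`; running it a few minutes apart shows whether the same Secrets keep coming back as recently recreated.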