Why is `/var/run/secrets/kubernetes.io/serviceaccount/token` automatically generated?

nimdrak · April 27, 2024, 4:25am

This token is automatically generated when automountServiceAccountToken is enabled.
But I can’t understand why it is.

This token has no role. So Developer should bind a proper role of the service account which is the owner of token, although it is generated automatically.
It is confusing because since kubernetes 1.24, ServiceAccount cannot have its secret (token) automatically. We need to manually create the secret. But it has /var/run/secrets/kubernetes.io/serviceaccount/token automatically. It looks confusing.

Would anyone explain why it is designed like this?

Topic		Replies	Views
ServiceAccount's token being continuously recreated General Discussions	1	1789	January 8, 2021
Why are the secret content of the default serveraccount are mounted inside the pod? General Discussions	0	436	September 24, 2021
Projected Volume for Service Accounts General Discussions	7	1370	October 3, 2019
Can you have two containers in a pod have different service accounts? General Discussions	0	1343	February 23, 2022
Add custom claims into bound service account JWT token? General Discussions authn , authz	0	642	October 24, 2022