4

I am using Kubernetes version 1.24. I have created a secret for my service account manually, but when I run `kubectl get serviceaccounts`, it shows that I do not have any secrets for that service account?

Coder3000
  • You need to edit the `ServiceAccount` to add the secret in it. Simply creating the secret will not add it to any SA. – zer0 Jul 29 '22 at 10:06
  • You can edit your service account with the command: `kubectl patch serviceaccount SA_NAME -p '{"imagePullSecrets": [{"name": "DOCKER_REGISTRY_SECRET"}]}'` – m-szalik Jan 02 '23 at 16:20

3 Answers

4

If you are on K8s version 1.24

The serviceaccount won't create the secret automatically.

You have to create it manually.

```shell
kubectl create sa <serviceaccount-name>
```

Example:

```yaml
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: token-secret
  annotations:
    kubernetes.io/service-account.name: "<SA name>"
```

If you just want to create the token, you can use: `kubectl create token <Name>`

Read more about it: https://medium.com/@harsh.manvar111/k8s-v1-24-is-unable-to-create-a-serviceaccount-secret-798f8454e6e7

Harsh Manvar
  • I have added the secret using the `kubectl edit sa` command, but would I be able to configure it so that all future ServiceAccounts automatically create a secret? – Coder3000 Jul 29 '22 at 13:08
  • `kubectl create sa` will auto-create the secret token for you; however, with the edit you can edit the existing created secret and add it to the SA. – Harsh Manvar Jul 29 '22 at 13:27
  • I have done that, but I am using Kubernetes version 1.24 and it is not creating the secrets for the service accounts? – Coder3000 Jul 29 '22 at 13:35
  • When creating a service account via Azure, I am running into some issues, since the service account does not have a secret associated with it – Coder3000 Jul 29 '22 at 20:53
  • 1
    Oh yes, if you are on 1.24 the secret won't get created automatically for the SA. – Harsh Manvar Jul 29 '22 at 22:23
  • 1
    Great answer! And also, I concur: you can achieve this also through official Kubernetes Clients for Python, Java etc. I questioned this same thing years ago [here](https://stackoverflow.com/questions/68759882/login-to-a-gitlab-repo-from-kubernetes-python-client). Hope it can be useful – Marco Frag Delle Monache Apr 14 '23 at 07:47
2

I had to search a little bit to get it all together: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/

Mainly it's just creating a secret resource file `secret.yaml`.

```yaml
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: <name of the secret>
  annotations:
    kubernetes.io/service-account.name: "<name of the serviceaccount>"
```

```shell
kubectl apply -f secret.yaml
```

And adding the secret to the service account.

```shell
# if you already have a serviceaccount, you only need the edit line
kubectl create serviceaccount <name of the serviceaccount>
kubectl edit serviceaccount <name of the serviceaccount>
```

And then just add the created secret (last two lines):

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2023-04-19T06:31:47Z"
  name: <name of the serviceaccount>
  namespace: default
  resourceVersion: "312345558"
  uid: 92f6ac28-cab4-41d2-b861-6e998a7cb644
secrets:
- name: <name of the manual created secret>
```

deckerch
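
A check for the situation in this thread, added here as an example and not code from any of the answers: it takes the JSON that `kubectl get serviceaccounts,secrets -o json` prints and reports, per ServiceAccount, which token secrets are annotated for it but missing from its `secrets:` list (the case where `kubectl get serviceaccounts` shows 0), and which listed names point at no existing secret. The function name `audit`, the helpers and the sample objects are constructed for illustration.

```python
import json
import sys

TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_ANNOTATION = "kubernetes.io/service-account.name"

def audit(listing):
    """Map (namespace, serviceaccount) -> linked / unlinked / dangling secret names."""
    accounts, secrets = {}, {}
    for item in listing.get("items", []):
        meta = item["metadata"]
        key = (meta.get("namespace", "default"), meta["name"])
        if item.get("kind") == "ServiceAccount":
            # .secrets is the list the SECRETS column of `kubectl get serviceaccounts` counts
            accounts[key] = {ref["name"] for ref in item.get("secrets") or []}
        elif item.get("kind") == "Secret":
            secrets[key] = item
    report = {}
    for (ns, sa), referenced in accounts.items():
        linked, unlinked = [], []
        for (sns, name), sec in secrets.items():
            owner = (sec["metadata"].get("annotations") or {}).get(SA_ANNOTATION)
            if sns == ns and sec.get("type") == TOKEN_TYPE and owner == sa:
                (linked if name in referenced else unlinked).append(name)
        # names listed on the ServiceAccount that match no secret in its namespace
        dangling = [n for n in referenced if (ns, n) not in secrets]
        report[(ns, sa)] = {"linked": sorted(linked), "unlinked": sorted(unlinked),
                            "dangling": sorted(dangling)}
    return report

def _obj(kind, name, **extra):
    return {"kind": kind, "metadata": {"name": name, "namespace": "default"}, **extra}

def _token(name, sa):
    sec = _obj("Secret", name, type=TOKEN_TYPE)
    sec["metadata"]["annotations"] = {SA_ANNOTATION: sa}
    return sec

# Constructed sample, shaped like `kubectl get serviceaccounts,secrets -o json` output.
SAMPLE = {"kind": "List", "items": [
    _obj("ServiceAccount", "build-bot"),          # secret exists but was never linked
    _token("token-secret", "build-bot"),
    _obj("ServiceAccount", "deployer", secrets=[{"name": "deployer-token"}]),
    _token("deployer-token", "deployer"),
    _obj("ServiceAccount", "stale", secrets=[{"name": "deleted-token"}]),
]}

if __name__ == "__main__":
    # Pass a file holding the kubectl JSON as the first argument, or run the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for (ns, sa), result in sorted(audit(data).items()):
        print(f"{ns}/{sa}: {result}")
```
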
0

When creating a secret manually, it needs to be manually added to the ServiceAccount. You can use `kubectl edit` for this.

zer0