docker kubernetes

Kubernetes service account doesn't have token?


I have a few Kubernetes service accounts.

I want to log in to the Kubernetes dashboard.

$ kubectl get sa -n kubernetes-dashboard
NAME                   SECRETS   AGE
whitebear              0         9m37s
default                0         15m
kubernetes-dashboard   0         15m

However, the service account doesn't have a token.

$ kubectl describe sa whitebear -n kubernetes-dashboard
Name:                whitebear
Namespace:           kubernetes-dashboard
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              <none>
Events:              <none>

How can I create the token for the account?

I am using Docker for Mac, a local environment.

Thank you very much.

Solution

Thanks to @Sai Chandini Routhu!!

I made a token and logged in successfully.

kubectl create token default

However, it was not enough to use the dashboard.

I made a cluster role:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: service-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["*"]
  verbs: ["*"]

Then I bound this to my account.

kubectl create clusterrolebinding service-reader-pod \
  --clusterrole=service-reader  \
  --serviceaccount=default:whitebear

Now I can log in and operate the dashboard!
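A narrower alternative to the wildcard role above, as an added example that is not part of either poster's answer. It assumes the `whitebear` account lives in `kubernetes-dashboard`, as in the question's output; the binding name `whitebear-view` and the file name are hypothetical.

```yaml
# Added example, not code from the posts on this page.
# Save as whitebear-view.yaml (hypothetical file name), then:
#   kubectl apply -f whitebear-view.yaml
#   kubectl create token whitebear -n kubernetes-dashboard --duration=1h
# Check the resulting permissions before using the token:
#   kubectl auth can-i list pods \
#     --as=system:serviceaccount:kubernetes-dashboard:whitebear
#   kubectl auth can-i get secrets \
#     --as=system:serviceaccount:kubernetes-dashboard:whitebear
apiVersion: v1
kind: ServiceAccount
metadata:
  name: whitebear
  namespace: kubernetes-dashboard
---
# Weak form, as in the answer above: every verb on every core-group
# resource, cluster-wide, which includes reading and writing Secrets.
#   rules:
#   - apiGroups: [""]
#     resources: ["*"]
#     verbs: ["*"]
#
# Narrower form: bind the account to the built-in "view" ClusterRole,
# which is read-only and does not allow viewing Secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: whitebear-view              # hypothetical binding name
subjects:
- kind: ServiceAccount
  name: whitebear
  namespace: kubernetes-dashboard   # must be the namespace the account lives in
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
```

Tokens issued by `kubectl create token` are time-bound and are not stored as Secret objects, so the `Tokens` field in `kubectl describe sa` stays `<none>`.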


Solution

  • Any processes or applications running inside the pod of the Kubernetes cluster can gain access to the cluster by obtaining service account authentication from the API server.

    As per this doc by @pramodAIML:

    When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace.

    For describing the service account:

    You have to type the following kubectl command:

    kubectl describe serviceaccount my-webpage-sa

    So if you carefully watch the output, you will see that the Tokens attribute is created with the value. This token is stored as a secret object, and this secret object is attached to the service account: my-webpage-sa.

    To view the secret object :

    If you want to view what the content of the secret object is, we can type the following command:

    $ kubectl describe secret <token-value>
    

    To obtain the necessary data from the Kubernetes cluster API server, this key can be exchanged as an authentication bearer token in your REST API call.

    Refer to this doc for more information about using service account tokens to connect with the API server.