Query on service accounts

On creating a new service account, it has no tokens attached to it. This is expected.

When we create a new token on the service account using kubectl, the token is created. However, the kubectl describe command on the service account still does not show any token.

When this service account is linked to a pod specification, how does Kubernetes know which token is to be used? How does it maintain the link between the service account and the created token? And why does it not show the token in the output of the describe serviceaccount command?

The automatic creation of a kube secret containing a service account token was removed from Kubernetes in v1.24 as it is a security risk, because all pods created with that service account would use the same token found in the secret, and that token would never expire. Plus the token was easily accessible to any user with permission to view secrets.

Now, when you associate a service account with a pod, a unique token is generated for that pod alone and automatically mounted directly inside the container via a projected volume. This token is also rotated by the API server roughly once an hour.

If you create a deployment or replicaset with multiple replicas, each replica will have a unique token.
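As an added example (not from this thread), the script below builds a constructed token with the claim layout of a projected service-account token and decodes it, showing that the link between pod, service account and token lives in the token's own claims and that it carries an expiry. The pod and service account names and UIDs, the key id and the signature are placeholders, and the signature is not verified.

```python
"""Inspect the claims of a Kubernetes projected (bound) service-account token.

Projected tokens are JWTs whose payload carries an 'exp' claim and a
'kubernetes.io' claim binding the token to one namespace, service account
and pod. Decoding the claims (no signature check here, since we only model
the structure, not the API server's signing key) shows how the per-pod
link is encoded. The token below is CONSTRUCTED for this example.
"""
import base64
import json
import time
from typing import Optional


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(now: int) -> str:
    """Build a CONSTRUCTED token with the claim layout of a projected token."""
    header = {"alg": "RS256", "kid": "sample-kid-placeholder"}
    payload = {
        "iss": "https://kubernetes.default.svc.cluster.local",
        "aud": ["https://kubernetes.default.svc.cluster.local"],
        "iat": now, "nbf": now, "exp": now + 3600,  # one-hour lifetime
        "sub": "system:serviceaccount:demo:app-sa",
        "kubernetes.io": {  # binding claims: this token is valid for this pod only
            "namespace": "demo",
            "pod": {"name": "app-7c9f8d5b4-x2k9q", "uid": "pod-uid-placeholder"},
            "serviceaccount": {"name": "app-sa", "uid": "sa-uid-placeholder"},
        },
    }
    segs = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
            for p in (header, payload)]
    return ".".join(segs + ["fake-signature-placeholder"])


def describe_token(token: str, now: Optional[int] = None) -> dict:
    """Return the binding claims and remaining validity in seconds (unverified)."""
    now = int(time.time()) if now is None else now
    _, payload_seg, _ = token.split(".")
    claims = json.loads(_b64url_decode(payload_seg))
    binding = claims.get("kubernetes.io", {})
    return {
        "subject": claims["sub"],
        "namespace": binding.get("namespace"),
        "pod": binding.get("pod", {}).get("name"),
        "serviceaccount": binding.get("serviceaccount", {}).get("name"),
        "audience": claims.get("aud"),
        "seconds_left": claims["exp"] - now,
        # Legacy Secret-based tokens have no pod binding and no 'exp' claim.
        "bound_to_pod": "pod" in binding,
    }
```

In a real pod the token to inspect is the file mounted at /var/run/secrets/kubernetes.io/serviceaccount/token; `bound_to_pod` being false or `exp` being absent indicates a legacy long-lived Secret token rather than a projected one.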
