Question about service accounts: From version 1.24 onwards the tokens are create . . .

Chandu:
Question about service accounts: From version 1.24 onwards the tokens are created with an expiry, as per @Mumshad Mannambeth. So I created a pod and copied the token from the secrets path. By the time I got the token from that location, the jwt.io website said it had already expired, according to the time it shows. If it is already expired, when will the pod actually renew this token? Who will renew the token (if my assumption that the token is renewed is correct)?

{
  "aud": [
    "system:konnectivity-server"
  ],
  "exp": 1697922825,
  "iat": 1666386825,
  "iss": "https://kubernetes.default.svc.cluster.local",
  "kubernetes.io": {
    "namespace": "default",
    "pod": {
      "name": "delete",
      "uid": "77bb4c67-3d4d-4f79-b935-3ddf3f937a60"
    },
    "serviceaccount": {
      "name": "default",
      "uid": "5f20bebf-c528-4a9d-bfa1-da13aad3abd6"
    },
    "warnafter": 1666390432
  },
  "nbf": 1666386825,
  "sub": "system:serviceaccount:default:default"
}

Alistair Mackay:
Hi @Chandu
The service account token is automatically recycled by the API server. You will note, if you get the pod back with -o yaml, that the volume it is mounted on is a projected volume. This is a projection over the API machinery.

This change for 1.24 was designed with security in mind, such that the token can recycle and it's not placed in a secret with an indefinite lifetime that can be easily examined by anyone with rights to read secrets.
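A practical way to answer the "is it expired, and when does it get refreshed" question is to decode the mounted token yourself and compare the exp and kubernetes.io/warnafter claims against the clock, rather than pasting it into a website. The script below is an added example for this thread, not code from either participant or from the Kubernetes project. It assumes GNU coreutils (base64 -d) and a POSIX sh; the sample token it builds reuses the payload quoted in the question with a made-up header and a dummy signature, so it decodes but would never verify against a cluster. The pod name "delete" in the kubectl comment is the one from the question.

```shell
#!/bin/sh
# Added example, not from the original thread: decode the payload of a
# projected service-account token and classify it against a timestamp.
# In a live cluster the token would be read from the pod, e.g.
#   TOKEN=$(kubectl exec delete -- cat /var/run/secrets/kubernetes.io/serviceaccount/token)

# Decode one base64url segment. JWT segments drop the '=' padding, and GNU
# base64 -d rejects unpadded input, so restore it first.
b64url_decode() {
  seg=$1
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | tr '_-' '/+' | base64 -d
}

# Print the decoded payload (second dot-separated segment) of a JWT.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Pull a numeric claim (exp, iat, nbf, warnafter) out of the payload.
# Whitespace is stripped first so "exp": 123 and "exp":123 both match.
jwt_claim() {
  jwt_payload "$1" | tr -d ' \n\t' | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# Classify a token relative to a Unix timestamp (second arg, default now):
#   expired      now >= exp; the API server will reject the token
#   refresh-due  now >= kubernetes.io/warnafter; the kubelet is expected to
#                rotate the projected file, so clients should re-read it
#   valid        neither threshold reached
token_status() {
  tok=$1
  now=${2:-$(date +%s)}
  exp=$(jwt_claim "$tok" exp)
  warn=$(jwt_claim "$tok" warnafter)
  if [ -z "$exp" ]; then
    echo malformed
    return 1
  fi
  if [ "$now" -ge "$exp" ]; then
    echo expired
  elif [ -n "$warn" ] && [ "$now" -ge "$warn" ]; then
    echo refresh-due
  else
    echo valid
  fi
}

# Constructed sample token: payload claims copied from the question, a
# typical header, and a dummy signature (not a real signed token).
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
SAMPLE_PAYLOAD='{"aud":["system:konnectivity-server"],"exp":1697922825,"iat":1666386825,"iss":"https://kubernetes.default.svc.cluster.local","kubernetes.io":{"namespace":"default","pod":{"name":"delete","uid":"77bb4c67-3d4d-4f79-b935-3ddf3f937a60"},"serviceaccount":{"name":"default","uid":"5f20bebf-c528-4a9d-bfa1-da13aad3abd6"},"warnafter":1666390432},"nbf":1666386825,"sub":"system:serviceaccount:default:default"}'
SAMPLE_TOKEN="$(b64url '{"alg":"RS256","typ":"JWT"}').$(b64url "$SAMPLE_PAYLOAD").dummysignature"

# Usage: run as-is to inspect the sample, or export TOKEN to check a real one.
if [ -n "${TOKEN:-}" ]; then
  echo "mounted token: $(token_status "$TOKEN")"
fi
echo "sample exp=$(jwt_claim "$SAMPLE_TOKEN" exp) warnafter=$(jwt_claim "$SAMPLE_TOKEN" warnafter)"
echo "at iat:       $(token_status "$SAMPLE_TOKEN" 1666386825)"
echo "at warnafter: $(token_status "$SAMPLE_TOKEN" 1666390432)"
echo "at exp:       $(token_status "$SAMPLE_TOKEN" 1697922825)"
```

Two things the decoded claims make visible. First, exp minus iat in the quoted payload is 31536000 seconds, one year, while warnafter minus iat is 3607 seconds: that pattern is what the API server produces when the kubelet requests the default one-hour projected token and the server's token-expiration extension is enabled, so the token the question quotes was not actually expired when it was copied. Second, the refresh is the kubelet's job, not the pod's: it rewrites the projected file in the volume Alistair mentions once the token has passed 80% of its requested TTL or is older than 24 hours, and a client that caches the file contents at startup instead of re-reading them will eventually present a stale token.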