0
votes

I'm trying to set up a Docker registry via Traefik, authenticated by a Service account bearer token. The problem is that the name of the default service token secret ends with some random characters, which cannot be passed to the Ingress config, or can it?

Anyway, I want to somehow force Kubernetes to name the token in a predictable way.

The current solution is to create an API token manually.

apiVersion: v1
kind: Secret
metadata:
  name: account-token
  annotations:
    kubernetes.io/service-account.name: account
type: kubernetes.io/service-account-token

Unfortunately, the original randomly named token is still in the system, and cannot be removed.

If it is created before the Service account, it is dropped, but when it is created after, then the randomized secret is.

1
You mean the default ServiceAccount token that is named something like default-token-r9dm9? Why do you have to pass it to the Ingress? - weibeld
@weibeld Basically I'm trying to force Traefik to authorize ingress with the service account. I'm currently experimenting with forwarding the auth to the apiserver, but getting 500 and not a single log entry about the error - majkrzak

1 Answer

1
votes

It looks like creating an additional API token is the only existing solution. You are able to reference an existing service account, and the controller will update it with the newly generated token, as described below:

To create additional API tokens for a service account, create a secret of type ServiceAccountToken with an annotation referencing the service account, and the controller will update it with a generated token.


Unfortunately, the original randomly named token is still in the system, and cannot be removed.

So what happens when you try to delete it / invalidate it the way described here?

It will be recreated instantly. To avoid this, it first has to be removed from the serviceaccount.secrets list. But it cannot be complexly done via the yaml file. Or is there some API transaction that can be used during the config application?

EDIT:

There are two solutions you may use to achieve your goal. When you edit the default ServiceAccount token, it will no longer be valid and it won't be automatically recreated, as happens when removing it:

The first is patching the token:

kubectl patch secret default-token-jrc6q -p '{"data":{"token": "c29tZW90aGVyc2hpdAo="}}'

The second is editing it:

kubectl edit secret default-token-jrc6q  # and change token to any value you want
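
An audit check for the state this answer leaves behind, added here as an example and not part of the original post: given `kubectl get secrets -o json` style output, it reports for each token secret bound to a service account whether `data.token` still has JWT shape, has been overwritten (as by the patch above), or has not been populated yet. The function names, the secrets `account-token-abcde` and `account-extra`, and the unsigned sample JWT are constructed for illustration.

```python
import base64
import json

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"

def _segment(obj):
    """base64url-encode a dict as an unpadded JWT segment (sample data only)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def _decode_segment(seg):
    """Decode one JWT segment as JSON; raises ValueError if it is not JSON."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def token_state(secret):
    """Return 'empty', 'jwt' or 'overwritten'. Shape check only, no signature check."""
    raw = secret.get("data", {}).get("token")
    if not raw:
        return "empty"  # the controller has not filled the secret in yet
    try:
        header, payload, _sig = base64.b64decode(raw).decode().split(".")
        _decode_segment(header)
        _decode_segment(payload)
        return "jwt"
    except ValueError:  # bad base64, bad UTF-8, wrong segment count, bad JSON
        return "overwritten"

def audit(secret_list, account):
    """Map secret name -> token state for each token secret bound to account."""
    report = {}
    for item in secret_list.get("items", []):
        meta = item.get("metadata", {})
        bound_to = meta.get("annotations", {}).get(SA_NAME_ANNOTATION)
        if item.get("type") == SA_TOKEN_TYPE and bound_to == account:
            report[meta["name"]] = token_state(item)
    return report

def sample_secret_list():
    """Constructed stand-in for `kubectl get secrets -o json` output."""
    jwt = ".".join([_segment({"alg": "RS256"}),
                    _segment({"sub": "system:serviceaccount:default:account"}), "c2ln"])
    def sec(name, account, data):
        meta = {"name": name, "annotations": {SA_NAME_ANNOTATION: account}}
        return {"type": SA_TOKEN_TYPE, "data": data, "metadata": meta}
    return {"items": [
        sec("account-token", "account", {"token": base64.b64encode(jwt.encode()).decode()}),
        sec("account-token-abcde", "account", {"token": "c29tZW90aGVyc2hpdAo="}),  # patch value from the answer
        sec("account-extra", "account", {}),
        sec("default-token-jrc6q", "default", {"token": "c29tZW90aGVyc2hpdAo="}),
    ]}
```

Calling `audit(sample_secret_list(), "account")` lists only the secrets annotated for `account`; a secret reported as `jwt` may still be an accepted credential and is the one to review.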