2
votes

Does anyone know if there is a way to back up and restore a ServiceAccount in Kubernetes so that it always has the same token? We use service account tokens quite often (for example when they act as an OAuth client in OpenShift), and it would be nice if we could reproduce a ServiceAccount to have the same token in the event it's deleted.

I noticed that there is a way to manually create a service account token as described here. But as far as I know, this method will still auto-generate the secret contents.

1
Knowing of the token that was used before, just edit one of your ServiceAccount token Secrets and reset its value (base64-encoded, if editing the .data of your Secret, or remove the .data and add a stringData). Then again, tokens are meant to rotate. Being able to force one doesn't mean you should. - SYN

1 Answers

3
votes

Fundamentally, the ability to reproduce a new ServiceAccount to have the same old token poses a security risk.

Ideally, you should be taking periodic backups of etcd, which would have the secret token as well, along with all other Kubernetes resources. In case of an unforeseen disaster you can restore etcd from the backup and you will get back the secret token. You can use Velero for the backup of the Kubernetes cluster resources as well.
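
An added example, not part of the question or answer above: a check that a backed-up legacy (Secret-based) token still binds to the live ServiceAccount. It assumes the legacy claim names under kubernetes.io/serviceaccount/ and that the API server compares the uid claim with the live object, which is why an etcd restore keeps the token usable while a re-created ServiceAccount with a new UID does not; the sample token, UIDs and names are constructed.

```python
import base64
import json

LEGACY_PREFIX = "kubernetes.io/serviceaccount/"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Return the unverified JWT payload of a service account token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def binding_mismatches(token: str, live_sa: dict, secret_name: str) -> list:
    """List claims in a backed-up token that no longer match the live objects."""
    claims = decode_claims(token)
    expected = {
        "namespace": live_sa["metadata"]["namespace"],
        "service-account.name": live_sa["metadata"]["name"],
        "service-account.uid": live_sa["metadata"]["uid"],
        "secret.name": secret_name,
    }
    return [f"{key}: token={claims.get(LEGACY_PREFIX + key)!r} live={want!r}"
            for key, want in expected.items()
            if claims.get(LEGACY_PREFIX + key) != want]

def make_sample_token(uid: str) -> str:
    """Build a constructed, unsigned stand-in for a backed-up legacy token."""
    claims = {
        "iss": "kubernetes/serviceaccount",
        LEGACY_PREFIX + "namespace": "demo",
        LEGACY_PREFIX + "secret.name": "oauth-client-token",
        LEGACY_PREFIX + "service-account.name": "oauth-client",
        LEGACY_PREFIX + "service-account.uid": uid,
        "sub": "system:serviceaccount:demo:oauth-client",
    }
    header = b64url(json.dumps({"alg": "RS256"}).encode())
    return ".".join([header, b64url(json.dumps(claims).encode()),
                     b64url(b"constructed-signature")])

if __name__ == "__main__":
    old = make_sample_token("11111111-1111-1111-1111-111111111111")
    recreated = {"metadata": {"namespace": "demo", "name": "oauth-client",
                              "uid": "22222222-2222-2222-2222-222222222222"}}
    for line in binding_mismatches(old, recreated, "oauth-client-token"):
        print("mismatch ->", line)
```

The payload is decoded without signature verification, so this is only a pre-restore sanity check; the API server still verifies the signature against its service account signing key.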