2
votes

When I create a service account in Kubernetes with the following specification

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: deploy-bot

It automatically creates the following secret with prefix deploy-bot-token-XXXX

$ kubectl get secret

NAME                                                      TYPE                                  DATA   AGE
default-token-lvq79                                       kubernetes.io/service-account-token   3      60m
deploy-bot-token-7gmnh                                    kubernetes.io/service-account-token   3      4m53s

Is there a way via which we can disable the automatic creation of secret tokens while creating service accounts?

1
What will be the use of a service account if you don't want to create a secret associated with it? - confused genius
As best I can tell, deleting its token Secret will do what you want, but there does not appear to be a way to do so cluster-wide, short of a mutating admission controller. - mdaniel
@confusedgenius, the reason for asking is that the token created has random suffixes, and I am creating an additional secret key via kubernetes.io/docs/reference/access-authn-authz/…. The reason why I need to create an additional secret token with a deterministic name is that the Cluster Pipelineresource of Tekton can utilize/refer to it (Ref: kubernetes.io/docs/reference/access-authn-authz/…) and decrease the attack surface by not creating the default/automatic secret token. - Anshul Patel

1 Answer

1
vote

You can achieve it by modifying kube-controller-manager options.

The flag to be passed to the controller is --controllers=-serviceaccount-token. It will disable creating tokens for service accounts.

spec:
  containers:
  - command:
    - kube-controller-manager
    - --controllers=-serviceaccount-token
 [...]

After this modification when you deploy your service account:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: deploy-bot

$ kubectl get sa
NAME         SECRETS   AGE
default      1         14m
deploy-bot   0         3s

and check the secrets, you will notice that no token secret has been created for it:

$ kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-t4qnv   kubernetes.io/service-account-token   3      14m
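Before changing the kube-controller-manager command line, it helps to check what a given --controllers value actually leaves running. The following is an added example of mine, not code from the question or the answer: it models the flag's documented semantics, where "*" enables all on-by-default controllers, "foo" enables one controller and "-foo" disables one. The controller names and the default-disabled set below are a constructed subset and an assumption, since the real list depends on the Kubernetes version.

```python
# Added example: evaluate which controllers kube-controller-manager would run
# for a given --controllers value, following the flag's documented rules:
# "*" enables every on-by-default controller, "foo" enables one controller,
# "-foo" disables one. Assumption: the names below are a constructed subset;
# the real set varies by Kubernetes version.
ALL_CONTROLLERS = {
    "deployment", "replicaset", "namespace", "serviceaccount",
    "serviceaccount-token", "bootstrapsigner", "tokencleaner",
}
# Controllers that stay off unless named explicitly (constructed sample).
DISABLED_BY_DEFAULT = {"bootstrapsigner", "tokencleaner"}


def parse_controllers_flag(command):
    """Extract the --controllers list from a container command list.

    Returns ["*"] when the flag is absent, matching the flag's default.
    """
    for arg in command:
        if arg.startswith("--controllers="):
            value = arg.split("=", 1)[1]
            return [item.strip() for item in value.split(",") if item.strip()]
    return ["*"]


def is_controller_enabled(name, controllers):
    """Apply the enable/disable rules to one controller name."""
    has_star = False
    for ctrl in controllers:
        if ctrl == name:           # explicitly enabled
            return True
        if ctrl == "-" + name:     # explicitly disabled
            return False
        if ctrl == "*":
            has_star = True
    if not has_star:               # no wildcard: only explicit names run
        return False
    return name not in DISABLED_BY_DEFAULT


def enabled_controllers(command):
    """Sorted list of controllers that would run for this command line."""
    flag = parse_controllers_flag(command)
    return sorted(c for c in ALL_CONTROLLERS if is_controller_enabled(c, flag))


if __name__ == "__main__":
    for cmd in (["kube-controller-manager"],
                ["kube-controller-manager", "--controllers=-serviceaccount-token"],
                ["kube-controller-manager", "--controllers=*,-serviceaccount-token"]):
        print(" ".join(cmd[1:]) or "(default)", "->", enabled_controllers(cmd))
```

Compare the output for `-serviceaccount-token` on its own with `*,-serviceaccount-token`, then confirm on a real cluster by checking which controllers the kube-controller-manager logs report starting.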