• When a ServiceAccount is created, a Secret is no longer created automatically
  • Pods still have a token inside by default belonging to their ServiceAccount
  • We can create tokens for ServiceAccounts: kubectl create token
  • We can create Secrets manually for ServiceAccounts

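Creating a ServiceAccount no longer creates a Secret automatically. The Secret has to be created manually and associated with the ServiceAccount.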
kubectl create sa sample-sa
Inspect it:
kubectl describe sa sample-sa

Name:                liuhao
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              <none>
Events:              <none>

There is indeed no corresponding token.

Creating a Secret like this is enough:

apiVersion: v1
kind: Secret
metadata:
  name: secret-sa-token
  annotations:
    kubernetes.io/service-account.name: "sample-sa"
type: kubernetes.io/service-account-token

Inspect the ServiceAccount again and the Secret is now associated with it:
kubectl describe sa sample-sa

Name:                liuhao
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              secret-sa-token
Events:              <none>

How to view the token:

kubectl describe secret secret-sa-token
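
The two ways of getting a token listed at the top differ in lifetime: a token stored in a kubernetes.io/service-account-token Secret carries no exp claim and stays valid until the Secret is deleted, while a token from kubectl create token is time-bound. The script below is an added example, not part of the original note; the function names are hypothetical and the sample tokens are constructed, unsigned test data.

```shell
#!/bin/sh
# Added example: tell a Secret-based ServiceAccount token from a bound one.
# Real input (run against your own cluster):
#   kubectl create token sample-sa
#   kubectl get secret secret-sa-token -o jsonpath='{.data.token}' | base64 -d

# Decode the payload (second dot-separated segment) of a JWT to JSON.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    # base64url omits '=' padding; restore it before decoding.
    case $(( ${#seg} % 4 )) in
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Print "expires <epoch>" when an exp claim is present, else "non-expiring".
# sed keeps this dependency-free; with jq installed, `jq .exp` is sturdier.
token_lifetime() {
    exp=$(jwt_payload "$1" |
        sed -n 's/.*"exp":[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    if [ -n "$exp" ]; then echo "expires $exp"; else echo "non-expiring"; fi
}

# Helpers that build unsigned, constructed sample tokens (test data only).
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }
make_sample() {
    printf '%s.%s.constructed' \
        "$(printf '{"alg":"none"}' | b64url)" "$(printf '%s' "$1" | b64url)"
}

# Constructed payloads shaped like the two token kinds.
SECRET_TOKEN=$(make_sample '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/secret.name":"secret-sa-token","sub":"system:serviceaccount:default:sample-sa"}')
BOUND_TOKEN=$(make_sample '{"aud":["https://kubernetes.default.svc"],"exp":1700003600,"iat":1700000000,"sub":"system:serviceaccount:default:sample-sa"}')

token_lifetime "$SECRET_TOKEN"
token_lifetime "$BOUND_TOKEN"
```

A "non-expiring" result for a token in use is a reason to prefer kubectl create token or the token mounted in the Pod, and to delete the Secret once it is no longer needed.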