k8s - how to project service account token into pod

I am trying to project the serviceAccount token into my pod as described in this k8s doc - https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection.

I create a service account using the below command

kubectl create sa acct

Then I create the pod

kind: Pod
apiVersion: v1
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /var/run/secrets/tokens
      name: vault-token
  serviceAccountName: acct
  volumes:
  - name: vault-token
    projected:
      sources:
      - serviceAccountToken:
          path: vault-token
          expirationSeconds: 7200

It fails due to - MountVolume.SetUp failed for volume "vault-token" : failed to fetch token: the server could not find the requested resource

Events:
  Type     Reason       Age                   From               Message
  ----     ------       ----                  ----               -------
  Normal   Scheduled    5m15s                 default-scheduler  Successfully assigned default/nginx to minikube
  Warning  FailedMount  65s (x10 over 5m15s)  kubelet, minikube  MountVolume.SetUp failed for volume "vault-token" : failed to fetch token: the server could not find the requested resource

My minikube version: v0.33.1

kubectl version : 1.13

Question:

  • What am I doing wrong here?


Solution 1:[1]

I tried this on kubeadm, and was able to succeed. @Aman Juneja was right, you have to add the API flags as described in the documentation.

You can do that by creating the serviceaccount and then adding these flags to the kubeapi:

sudo vim /etc/kubernetes/manifests/kube-apiserver.yaml

- --service-account-issuer=api
- --service-account-signing-key-file=/etc/kubernetes/pki/apiserver.key
- --service-account-api-audiences=api

After that apply your pod.yaml and it will work. As you will see in describe pod:

Volumes:
  vault-token:
    Type:                    Projected (a volume that contains injected data from multiple sources)

[removed as not a working solution]

Unfortunately, in my case my minikube did not want to start with these flags; it gets stuck on: waiting for pods: apiserver. Soon I will try to debug again.

UPDATE

Turns out you just have to pass the arguments into minikube with directories from inside the minikube VM and not from the outside as I did in the previous example (so the .minikube directory), so it will look like this:

minikube start \
  --extra-config=apiserver.service-account-signing-key-file=/var/lib/minikube/certs/apiserver.key \
  --extra-config=apiserver.service-account-issuer=api \
  --extra-config=apiserver.service-account-api-audiences=api

After that creating ServiceAccount and applying pod.yaml works.
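Once the mount succeeds, it is worth confirming that the file really contains a bound, short-lived token rather than a legacy secret-based one. The following script is an added example, not code from the question or the answers: it decodes the JWT claims a projected token carries (audience, expiry, and the `kubernetes.io` pod binding) and checks them against the `expirationSeconds: 7200` and audience `api` from this page. The claims and the unsigned token are constructed sample data; inside the pod you would read `/var/run/secrets/tokens/vault-token` instead, and signature verification is left to the token's consumer.

```python
import base64
import json
import time

# Constructed claims resembling what kube-apiserver puts in a projected token
# when started with --service-account-issuer=api and audience "api".
SAMPLE_CLAIMS = {
    "iss": "api", "aud": ["api"], "iat": 1700000000, "exp": 1700007200,
    "sub": "system:serviceaccount:default:acct",
    "kubernetes.io": {"namespace": "default", "pod": {"name": "nginx"}},
}

def b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    # Payload only. The signature is NOT verified here: that is the job of the
    # consumer (e.g. the apiserver's TokenReview or the issuer's public key).
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def check_projected_token(token, audience, max_lifetime, now=None):
    # A projected token is audience-bound, expiring and tied to the pod; a
    # legacy secret-based token has no exp and no pod binding, so it fails.
    now = int(time.time()) if now is None else now
    c = decode_claims(token)
    aud = c.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    exp, iat = c.get("exp"), c.get("iat")
    return {
        "audience_ok": audience in aud,
        "has_expiry": exp is not None,
        "not_expired": exp is not None and now < exp,
        "lifetime_ok": None not in (exp, iat) and exp - iat <= max_lifetime,
        "pod_bound": "pod" in c.get("kubernetes.io", {}),
    }

def make_sample_token(claims):
    # Unsigned JWT with alg "none": constructed test data, never a real token.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

if __name__ == "__main__":
    # In the pod from the question, use open("/var/run/secrets/tokens/vault-token").read()
    print(check_projected_token(make_sample_token(SAMPLE_CLAIMS), "api", 7200))
```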

Solution 2:[2]

You should use a Deployment, since when you use a Deployment the token is automatically mounted into the pods.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 eran meiri