Kubernetes Service Account如何生成Token

Service Account是运行pods用到的帐号，默认是default。如果apiserver启动配置--admission-control=ServiceAccount，Service Account就要生成Token才能启动pods或者连接apiserver进行操作。下面讲讲如何把默认Service Account（default）生成Token。

1，生成serviceaccount.key

openssl genrsa -out ./serviceaccount.key 2048

2，配置并重启controller-manager

vi /etc/kubernetes/controller-manager
KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=./serviceaccount.key"

3，创建secret.json

{
    "kind": "Secret",
    "apiVersion": "v1",
    "metadata": {
        "name": "default-secret",
        "annotations": {
            "kubernetes.io/service-account.name": "default"
        }
    },
    "type": "kubernetes.io/service-account-token"
}

kubectl create -f ./secret.json
kubectl describe secret default-secret

执行上面命令生成secret/default-secret

4，Token生成成功

kubectl describe secret/default-secret
Name:         default-secret
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=default
              kubernetes.io/service-account.uid=0267460c-2902-11e8-a221-00163e088d17

Type:  kubernetes.io/service-account-token

Data
====
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtc2VjcmV0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImRlZmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIwMjY3NDYwYy0yOTAyLTExZTgtYTIyMS0wMDE2M2UwODhkMTciLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWZhdWx0In0.UCRU7OnKMC1oaY4vRntWmsKBQasEKBDoGzxNdGdTGqhcO0JV-kOEXjms1h80vvtxPj7930LPkpvXOYnwiST1Z73zf4z7DrKlAYuF-TKwWncJyKbYwskS4nONeAzxpzWJO7YTGnQPZHOwORQ3UMtW5_G12vrB4t43Cig15-6wRLDU4S_evkUh4lQeesAf1Uncy4SuNxHbLdiA1UfFWOf9xNd1BuPpKZ4jOrUQ9El1dYEHdpXrDgV5s6Wp2GWpWtZnb1R-HEtlISAgqwi5tA_ZvQiS0oKFzacxaSzwKOzla4hhkY5B9W8Y62_g5AuMqCff5fDils8HyQE-M7qpNoFbSg

 Token与Service Account关联成功

# kubectl get Serviceaccount
NAME      SECRETS   AGE
default   1         24d

这配置可以解决创建rc或pod时报错，Error creating: No API token found for service account "default", retry after the token is automatically created and added to the service account