3

How can I mount a service account token? We are using a chart which doesn't support it, and after an hour the chart is failing.

https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume ?

I understand that from 1.22.x it's the default behavior of k8s.

It's BoundServiceAccountTokenVolume in the following link: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/

I'm referring to manually mounting the service account token.

I'm talking about vector.dev, which doesn't support the https://vector.dev/docs/setup/installation/platforms/kubernetes/

Update: according to this post, this is the way to do it on k8s 1.22.x. Please provide an example, since I'm not sure how to make it work: https://github.com/vectordotdev/vector/issues/8616#issuecomment-1010281331

PJEM
  • As you say, this is the default behavior of recent versions of Kubernetes, which will place the token at `/var/run/secrets/kubernetes.io/serviceaccount`. What version of Kubernetes are you running? – larsks Jan 12 '22 at 13:51
  • @larsks - we are running 1.21.5 and plan to upgrade to 1.22.x. We need to mount the secret as suggested here (we have the same issue): https://github.com/vectordotdev/vector/issues/8616#issuecomment-1010281331 . Any example of how we can do it will be very helpful – PJEM Jan 12 '22 at 15:10
  • With kubernetes 1.21.2 (`Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.2",...`), if I set `serviceAccountName` in my pod manifest, I find the token mounted in the expected location. Since it seems to work for me I'm not sure what to suggest. – larsks Jan 13 '22 at 00:20

1 Answer

3

There's no issue for the Vector agent to access the token, but the token will now expire within an hour by default, compared to previously, where it had no expiry. When the token has passed its validity time, the agent application needs to reload the token from the mounted token volume (previously it was a secret volume). The change is needed in the agent application to support this paradigm, not in K8s.

gohm'c
  • Thanks, but as you can see here the suggestion is to do it manually: https://github.com/vectordotdev/vector/issues/8616#issuecomment-1010281331 . This is what I want to know how to do. – PJEM Jan 17 '22 at 09:07
  • If you are referring to how to turn this feature off on a cluster at v1.21.x: append `BoundServiceAccountTokenVolume=false` to the kube-apiserver and kube-controller-manager `--feature-gates` flag. However, you cannot turn this off if you are on a managed cluster (e.g. GKE etc.). Other than this, can you elaborate in detail what you mean by "...manually do it..."? – gohm'c Jan 17 '22 at 09:55
  • Yes, I did it for 1.21.5. We need to solve it somehow for 1.22.x, and the suggestion is to do it manually. – PJEM Jan 17 '22 at 12:16
  • The BoundServiceAccountTokenVolume feature gate is [removed in v1.23](https://github.com/kubernetes/kubernetes/pull/101992). You may still turn this off for v1.22.x. – gohm'c Jan 17 '22 at 14:20
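The answer's point, that with bound tokens the agent has to go back to the projected volume for a fresh token instead of caching the first one forever, as an added Python example. This is not code from the question, the answer, Kubernetes or Vector. It simulates the kubelet rewriting the token file at 80% of the token's TTL (what the real kubelet does for projected service account tokens) and contrasts a client that re-reads the file based on the JWT `exp` claim with one that reads it once. The token path, namespace, service account name and audience are assumptions, and the JWTs are constructed and unsigned; verification is the API server's job, the client only needs `exp` to know when to reload.

```python
"""Reload a bound service account token before it expires (added example)."""
import base64
import json
import os
import tempfile
import time

# Default mount path of the projected token; assumption: a manually
# projected volume uses the same file name (`path: token`).
DEFAULT_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_fake_token(issued_at: int, ttl: int,
                    audience: str = "https://kubernetes.default.svc") -> str:
    """Constructed, unsigned JWT standing in for what the kubelet writes.

    Real bound tokens are signed by the API server; the signature segment
    is left empty because this example only reads the `exp` claim.
    """
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = {"aud": [audience], "iat": issued_at, "exp": issued_at + ttl,
              "sub": "system:serviceaccount:vector:vector"}  # assumed ns/name
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def token_expiry(token: str) -> int:
    """Return the `exp` claim of a JWT without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


class TokenSource:
    """Hands out a token and re-reads the file before the cached one expires."""

    def __init__(self, path: str = DEFAULT_TOKEN_PATH, refresh_margin: int = 300,
                 clock=time.time):
        self.path, self.refresh_margin, self.clock = path, refresh_margin, clock
        self._token, self._exp, self.reloads = None, 0, 0

    def _reload(self) -> None:
        with open(self.path, "r", encoding="utf-8") as f:
            token = f.read().strip()
        exp = token_expiry(token)
        if exp <= self.clock():  # kubelet has not rotated it: fail loudly
            raise RuntimeError("token on disk is already expired")
        self._token, self._exp, self.reloads = token, exp, self.reloads + 1

    def get(self) -> str:
        """Return a token valid for at least `refresh_margin` more seconds."""
        if self._token is None or self.clock() >= self._exp - self.refresh_margin:
            self._reload()
        return self._token


def simulate(ttl: int = 3600, rotate_at: float = 0.8, poll_every: int = 60):
    """Drive a fake kubelet plus a reloading and a read-once client for 2 TTLs.

    Returns (reloads, distinct tokens seen, polls where the read-once client
    would have presented an expired token).
    """
    now = [1_700_000_000]  # fake clock (seconds) so the run is deterministic
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "token")

        def kubelet_write(issued: int) -> None:
            tmp = path + ".tmp"
            with open(tmp, "w", encoding="utf-8") as f:
                f.write(make_fake_token(issued, ttl))
            os.replace(tmp, path)  # atomic swap, like the kubelet's symlink flip

        issued = now[0]
        kubelet_write(issued)
        src = TokenSource(path, refresh_margin=300, clock=lambda: now[0])
        naive_exp = token_expiry(src.get())  # read-once client keeps the first token
        seen, naive_stale = set(), 0
        for _ in range(2 * ttl // poll_every):
            if now[0] - issued >= rotate_at * ttl:  # kubelet rotation rule
                issued = now[0]
                kubelet_write(issued)
            seen.add(src.get())
            naive_stale += now[0] >= naive_exp
            now[0] += poll_every
        return src.reloads, len(seen), naive_stale


if __name__ == "__main__":
    print(simulate())
```

On the cluster side the file comes from a projected volume with a `serviceAccountToken` source; its `expirationSeconds` sets the TTL (minimum 600) and the kubelet rewrites the file once the token is older than 80% of that TTL or than 24 hours, whichever comes first. The `refresh_margin` above just has to be smaller than the remaining 20%, so a client that caches forever is the only thing that breaks "after an hour".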