In this post, I demonstrate how to disable automatic mounting of the service account secret in Kubernetes.
- Kubernetes 1.18+
3. The solution
3.1 The problem
When we deploy a pod in Kubernetes, we use this YAML:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
But after deployment, when we inspect the pod, we see this output instead:
...
volumeMounts:
  /var/run/secrets/kubernetes.io/serviceaccount from default-token-xx9vz
...
Volumes:
  default-token-xx9vz:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-xx9vz
    Optional:    false
3.2 What happened?
When creating a Pod, Kubernetes automatically creates a service account Secret and automatically modifies your Pod to use this Secret. The service account token Secret contains credentials for accessing the API.
The automatic creation and use of API credentials can be disabled or overridden if desired. However, if all you need to do is securely access the API server, this is the recommended workflow.
See the ServiceAccount documentation for more information on how service accounts work. You can also check the automountServiceAccountToken field and the serviceAccountName field of the Pod for information on referencing service accounts from Pods.
3.3 How to disable the auto loading of the service account secret?
We can add automountServiceAccountToken: false to the Pod spec to avoid this:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  automountServiceAccountToken: false
  containers:
  - name: mypod
    image: redis
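To check which pods still receive the token, the following added example (not code from the original post) audits objects in the shape returned by `kubectl get pods -A -o json` and `kubectl get serviceaccounts -A -o json`. It goes slightly beyond the post by also honouring the same field on the ServiceAccount, where the Pod-level value takes precedence; the function names and the sample pods and service accounts are constructed for illustration.

```python
TOKEN_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"

def will_automount(pod, sa_flags):
    """Pod-level field wins; otherwise the ServiceAccount's; otherwise True."""
    spec = pod.get("spec", {})
    pod_flag = spec.get("automountServiceAccountToken")
    if pod_flag is not None:
        return pod_flag
    key = (pod["metadata"].get("namespace", "default"),
           spec.get("serviceAccountName") or "default")
    sa_flag = sa_flags.get(key)
    return True if sa_flag is None else sa_flag

def has_token_mount(pod):
    """True if a container already mounts the token directory (live objects)."""
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return any(m.get("mountPath") == TOKEN_DIR
               for c in containers for m in c.get("volumeMounts", []))

def audit(pods_doc, sas_doc):
    """Return sorted 'namespace/name' of pods that receive API credentials."""
    sa_flags = {(sa["metadata"].get("namespace", "default"), sa["metadata"]["name"]):
                sa.get("automountServiceAccountToken")
                for sa in sas_doc.get("items", [])}
    return sorted("{}/{}".format(p["metadata"].get("namespace", "default"),
                                 p["metadata"]["name"])
                  for p in pods_doc.get("items", [])
                  if has_token_mount(p) or will_automount(p, sa_flags))

# Constructed sample data (not from a real cluster).
def _pod(name, spec):
    return {"metadata": {"namespace": "default", "name": name}, "spec": spec}

SAMPLE_SAS = {"items": [
    {"metadata": {"namespace": "default", "name": "default"}},
    {"metadata": {"namespace": "default", "name": "no-token"},
     "automountServiceAccountToken": False}]}
SAMPLE_PODS = {"items": [
    _pod("mypod", {"containers": [{"name": "mypod", "image": "redis",
        "volumeMounts": [{"name": "default-token-xx9vz", "mountPath": TOKEN_DIR}]}]}),
    _pod("mypod-hardened", {"automountServiceAccountToken": False,
        "containers": [{"name": "mypod", "image": "redis"}]}),
    _pod("batch", {"serviceAccountName": "no-token",
        "containers": [{"name": "job", "image": "redis"}]}),
    _pod("override", {"serviceAccountName": "no-token",
        "automountServiceAccountToken": True,
        "containers": [{"name": "app", "image": "redis"}]})]}

if __name__ == "__main__":
    for name in audit(SAMPLE_PODS, SAMPLE_SAS):
        print("service account token mounted:", name)
```

The audit flags a pod either when the mount is already present on the live object or when the effective setting would cause it to be injected, so it works on both running pods and manifests exported before admission.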
In this post, I demonstrated how to disable the default automatic mounting of the service account secret in Kubernetes pods.