How to disable auto loading the secret of service account in kubernetes?

1. Purpose

In this post, I will demonstrate how to disable the automatic mounting of the service account secret into pods in Kubernetes.

2. Environment

  • Kubernetes 1.18+

3. The solution

3.1 The problem

When we deploy a pod in Kubernetes, we use this YAML:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis

But after deployment, when we inspect the pod, its description shows a volume mount and a volume that we never declared:

...
    volumeMounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-xx9vz
...

Volumes:
  default-token-xx9vz:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-xx9vz
    Optional:    false

3.2 What happened?

When creating a Pod, Kubernetes automatically creates a service account Secret and automatically modifies your Pod to use this Secret. The service account token Secret contains credentials for accessing the API.

The automatic creation and use of API credentials can be disabled or overridden if desired. However, if all you need to do is securely access the API server, this is the recommended workflow.

See the ServiceAccount documentation for more information on how service accounts work. You can also check the automountServiceAccountToken field and the serviceAccountName field of the Pod for information on referencing a service account from Pods.

3.3 How to disable the automatic mounting of the service account secret?

We can set automountServiceAccountToken to false in the Pod spec to avoid this:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  automountServiceAccountToken: false
  containers:
  - name: mypod
    image: redis
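To confirm the setting actually took effect across a cluster, here is an added audit script (not part of the original post) that reads the JSON produced by kubectl get pods -A -o json and reports every container that still mounts a token at the well-known path; the sample data, the Pod names and the kube-api-access-* projected volume name are constructed for the example.

```python
import json

SA_MOUNT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"

# Constructed sample shaped like `kubectl get pods -A -o json`: the post's redis Pod
# after the token volume was injected, a Pod that opted out, and a Pod carrying the
# projected token volume that newer clusters inject instead of a Secret.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "default", "name": "mypod"},
  "spec": {"containers": [{"name": "mypod", "image": "redis",
    "volumeMounts": [{"name": "default-token-xx9vz", "readOnly": true,
      "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"}]}],
   "volumes": [{"name": "default-token-xx9vz",
     "secret": {"secretName": "default-token-xx9vz"}}]}},
 {"metadata": {"namespace": "default", "name": "quiet"},
  "spec": {"automountServiceAccountToken": false,
   "containers": [{"name": "quiet", "image": "redis"}]}},
 {"metadata": {"namespace": "prod", "name": "api"},
  "spec": {"containers": [{"name": "api", "image": "redis",
    "volumeMounts": [{"name": "kube-api-access-abc12",
      "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"}]}],
   "volumes": [{"name": "kube-api-access-abc12",
     "projected": {"sources": [{"serviceAccountToken": {"path": "token"}}]}}]}}
]}""")


def token_volumes(spec):
    """Secret volumes (legacy default-token-*) or projected serviceAccountToken sources."""
    names = set()
    for vol in spec.get("volumes", []):
        sources = vol.get("projected", {}).get("sources", [])
        if "secret" in vol or any("serviceAccountToken" in s for s in sources):
            names.add(vol["name"])
    return names


def mounted_tokens(pod):
    """'container:volume' for each container mounting a token volume at the
    well-known path; an empty list means no API credential reaches the Pod."""
    spec, hits = pod["spec"], []
    vols = token_volumes(spec)
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m.get("mountPath") == SA_MOUNT_PATH and m.get("name") in vols:
                hits.append(f"{c['name']}:{m['name']}")
    return hits


def audit(pod_list):
    """Map 'namespace/pod' -> offending mounts; the mount, not the spec field,
    is the ground truth because admission injects the volume after submission."""
    return {f"{p['metadata']['namespace']}/{p['metadata']['name']}": hits
            for p in pod_list["items"] if (hits := mounted_tokens(p))}
```

Pods whose ServiceAccount object carries automountServiceAccountToken: false also stay out of the report, since the audit keys on the resulting mount rather than on where the field was set.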

4. Summary

In this post, I demonstrated how to disable the default automatic mounting of the service account secret into Kubernetes pods.