How to disable auto loading the secret of service account in kubernetes?
1. Purpose
In this post, I will demonstrate how to disable the automatic loading of the service account secret in Kubernetes.
2. Environment
- Kubernetes 1.18+
3. The solution
3.1 The problem
When we deploy a pod in kubernetes, we use this yaml:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
But after deployment, when we inspect the pod, we find a volume mount and a volume that we did not define:
...
volumeMounts:
  /var/run/secrets/kubernetes.io/serviceaccount from default-token-xx9vz
...
Volumes:
  default-token-xx9vz:
    Type: Secret (a volume populated by a Secret)
    SecretName: default-token-xx9vz
    Optional: false
3.2 What happened?
When creating a Pod, Kubernetes automatically creates a service account Secret and automatically modifies your Pod to use this Secret. The service account token Secret contains credentials for accessing the API.
The automatic creation and use of API credentials can be disabled or overridden if desired. However, if all you need to do is securely access the API server, this is the recommended workflow.
See the ServiceAccount documentation for more information on how service accounts work. You can also check the automountServiceAccountToken field and the serviceAccountName field of the Pod for information on referencing a service account from Pods.
3.3 How to disable the auto loading of the service account secret?
We can set automountServiceAccountToken to false in the Pod spec to avoid this:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  automountServiceAccountToken: false
  containers:
  - name: mypod
    image: redis
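To check which pods still receive API credentials, the following added example (not part of the original post) computes the effective setting per pod. It goes one step beyond the post: the same automountServiceAccountToken field can also be set on the ServiceAccount, and the Pod-level value takes precedence. The function names and the sample data are assumptions constructed for illustration.

```python
import json

def effective_automount(pod, service_accounts):
    """True if a token will be auto-mounted: the Pod field wins, then the
    ServiceAccount field, then the default (mount)."""
    spec = pod["spec"]
    if spec.get("automountServiceAccountToken") is not None:
        return spec["automountServiceAccountToken"]
    key = (pod["metadata"].get("namespace", "default"),
           spec.get("serviceAccountName", "default"))
    value = service_accounts.get(key, {}).get("automountServiceAccountToken")
    return True if value is None else value

def audit(pods_json, sas_json):
    """Return sorted 'namespace/name' for every pod that receives API credentials."""
    sas = {(s["metadata"].get("namespace", "default"), s["metadata"]["name"]): s
           for s in json.loads(sas_json)["items"]}
    hits = []
    for pod in json.loads(pods_json)["items"]:
        if effective_automount(pod, sas):
            meta = pod["metadata"]
            hits.append(f"{meta.get('namespace', 'default')}/{meta['name']}")
    return sorted(hits)

def sample_pod(ns, name, sa="default", automount=None):
    """Build a constructed sample pod (hypothetical helper, not real cluster data)."""
    spec = {"serviceAccountName": sa, "containers": [{"name": name, "image": "redis"}]}
    if automount is not None:
        spec["automountServiceAccountToken"] = automount
    return {"metadata": {"namespace": ns, "name": name}, "spec": spec}

# Constructed sample input, shaped like `kubectl get pods -o json` / `kubectl get sa -o json`.
SAMPLE_PODS = json.dumps({"items": [
    sample_pod("default", "mypod"),                       # defaults: token mounted
    sample_pod("default", "mypod-off", automount=False),  # the fix from section 3.3
    sample_pod("batch", "worker", sa="batch-sa"),         # disabled on the ServiceAccount
    sample_pod("batch", "api-client", sa="batch-sa", automount=True),  # Pod overrides SA
]})
SAMPLE_SAS = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "default"}},
    {"metadata": {"namespace": "batch", "name": "batch-sa"},
     "automountServiceAccountToken": False},
]})

if __name__ == "__main__":
    print(audit(SAMPLE_PODS, SAMPLE_SAS))
```

On a real cluster, replace the two sample strings with the JSON output of the kubectl commands named in the comment.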
4. Summary
In this post, I demonstrated how to disable the default automatic loading of the service account secret in Kubernetes pods.