A mountable Secret and token are not automatically generated for a ServiceAccount

Posted on 2025-02-06 23:02:37 · 133 words · 1 view · 0 comments

I downloaded Kubernetes for integration with Jenkins and created a ServiceAccount, but the secret is not automatically created.

In the past, I remember that a Secret was automatically created and the Token was mounted when the ServiceAccount was created.

How can I automatically create a Secret as before?

Comments (4)

黎歌 2025-02-13 23:02:37

As mentioned by @P...., in Kubernetes version 1.24 this behaviour has been changed; the LegacyServiceAccountTokenNoAutoGeneration feature gate is enabled by default in 1.24.

New secrets containing service account tokens are no longer auto-generated and are not automatically ambient in secrets in 1.24+. Existing secrets containing service account tokens are still usable.

API clients scraping token content from auto-generated Secret API objects must start using the TokenRequest API to obtain a token (preferred, available in all supported versions), or you can explicitly request a secret-based token if a secret-based token is desired/needed.

Refer to "Manually create a service account API token" to explicitly request a secret-based token.

○闲身 2025-02-13 23:02:37

You can put the below two manifests into YAML files and apply them, or you can do it from the command line like this:

$ kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins-user
EOF


$ kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: jenkins-user-secret
  annotations:
    kubernetes.io/service-account.name: jenkins-user
type: kubernetes.io/service-account-token
EOF

Here we have a secret which holds a certificate and a token:

$ kubectl get secret
NAME               TYPE                                  DATA   AGE
jenkins-user-secret   kubernetes.io/service-account-token   3      4s

嗳卜坏 2025-02-13 23:02:37

The answers above do not completely restore the pre-1.24 behaviour; however, I have found that the below does restore it.

apiVersion: v1
kind: Secret
metadata:
  name: jenkins-user-secret
  annotations:
    # Must name the ServiceAccount this token is issued for
    kubernetes.io/service-account.name: jenkins-user
type: kubernetes.io/service-account-token
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # Same name as in the Secret's annotation above
  name: jenkins-user
automountServiceAccountToken: true
secrets:
  - name: jenkins-user-secret

This resolves the error I was previously seeing when running

istioctl x create-remote-secret

Which was throwing the error

Error: could not get access token to read resources from local kube-apiserver: no secret found in the service account:

The part missing in the answers above is configuring the service account to allow the secret to be used by pods by setting the "secrets" list.
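
Added example (not part of any answer on this page, and not Kubernetes project code): a small audit over ServiceAccount and Secret manifests in JSON form that reports every manually requested, long-lived token Secret, and flags a Secret whose `kubernetes.io/service-account.name` annotation disagrees with the ServiceAccount that lists it under `secrets`. The input is constructed; the namespace `ci` and the names `orphan-secret`, `deploy-bot` and `db-password` are assumptions.

```python
import json

TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_ANNOTATION = "kubernetes.io/service-account.name"

# Constructed sample: a v1 List of manifests. The jenkins names come from the
# answers on this page; namespace "ci" and the other names are assumptions.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ServiceAccount", "metadata": {"name": "jenkins-user", "namespace": "ci"}},
 {"kind": "ServiceAccount", "metadata": {"name": "jenkins", "namespace": "ci"},
  "secrets": [{"name": "jenkins-user-secret"}]},
 {"kind": "Secret", "type": "kubernetes.io/service-account-token",
  "metadata": {"name": "jenkins-user-secret", "namespace": "ci",
               "annotations": {"kubernetes.io/service-account.name": "jenkins-user"}}},
 {"kind": "Secret", "type": "kubernetes.io/service-account-token",
  "metadata": {"name": "orphan-secret", "namespace": "ci",
               "annotations": {"kubernetes.io/service-account.name": "deploy-bot"}}},
 {"kind": "Secret", "type": "Opaque", "metadata": {"name": "db-password", "namespace": "ci"}}
]}
""")


def audit_token_secrets(manifest_list):
    """Return (secret name, issue) pairs for Secret-based service account tokens."""
    items = manifest_list["items"]
    accounts = {
        (i["metadata"].get("namespace", "default"), i["metadata"]["name"]): i
        for i in items if i["kind"] == "ServiceAccount"
    }
    findings = []
    for sec in items:
        if sec["kind"] != "Secret" or sec.get("type") != TOKEN_TYPE:
            continue  # only Secret-based service account tokens are in scope
        meta = sec["metadata"]
        ns, name = meta.get("namespace", "default"), meta["name"]
        owner = meta.get("annotations", {}).get(SA_ANNOTATION)
        # Secret-based tokens are long-lived; TokenRequest tokens are time-bound.
        findings.append((name, "long-lived"))
        if (ns, owner) not in accounts:
            findings.append((name, "unknown-owner"))
        for (sa_ns, sa_name), sa in accounts.items():
            listed = {ref["name"] for ref in sa.get("secrets", [])}
            if sa_ns == ns and name in listed and sa_name != owner:
                findings.append((name, f"listed-by:{sa_name}"))
    return findings


if __name__ == "__main__":
    for secret, issue in audit_token_secrets(SAMPLE):
        print(f"{secret}: {issue}")
```

Each `long-lived` finding is a credential to inventory and rotate by hand, or to replace with a token obtained through the TokenRequest API.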

忆离笙 2025-02-13 23:02:37

You can enable it using the option automountServiceAccountToken: true

apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
automountServiceAccountToken: true

Otherwise, remove the option automountServiceAccountToken; by default it will create the secret.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins