Open puneetsingh23 opened 1 year ago
Starting with k8s 1.24 service accounts no longer have the default, long lasting, token created. The tools need to be updated to create the token separately. I am getting the same error on EKS 1.24
got similar error:
```
Getting token for service account ...
Creating Kubeconfig failed, exiting
Unable to obtain token for service account. Check you have access to the service account created.
Get secret failed: error: resource name may not be empty
exit status 1
```
running on EKS: 1.25
I found a partial solution here https://docs.armory.io/continuous-deployment/armory-admin/manual-service-account/ , but it does not take into account k8s 1.24 changes to long-lasting tokens. My solution was to create the namespace + SA + ClusterRoleBinding + long-lasting token.
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: spinnaker
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spinnaker-service-account
  namespace: spinnaker
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: spinnaker-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: spinnaker-service-account
    namespace: spinnaker
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: spinnaker-service-account-token
  namespace: spinnaker
  annotations:
    kubernetes.io/service-account.name: "spinnaker-service-account"
```
And then run the script below.
```bash
# Update these to match your environment
SERVICE_ACCOUNT_NAME=spinnaker-service-account
CONTEXT=$(kubectl config current-context)
NAMESPACE=spinnaker
NEW_CONTEXT=spinnaker
KUBECONFIG_FILE="kubeconfig-sa"
SECRET_NAME=spinnaker-service-account-token

TOKEN_DATA=$(kubectl get secret "${SECRET_NAME}" \
  --context "${CONTEXT}" \
  --namespace "${NAMESPACE}" \
  -o jsonpath='{.data.token}')
TOKEN=$(echo "${TOKEN_DATA}" | base64 -d)

# Create dedicated kubeconfig
# Create a full copy
kubectl config view --raw > "${KUBECONFIG_FILE}.full.tmp"
# Switch working context to correct context
kubectl --kubeconfig "${KUBECONFIG_FILE}.full.tmp" config use-context "${CONTEXT}"
# Minify
kubectl --kubeconfig "${KUBECONFIG_FILE}.full.tmp" \
  config view --flatten --minify > "${KUBECONFIG_FILE}.tmp"
# Rename context
kubectl config --kubeconfig "${KUBECONFIG_FILE}.tmp" \
  rename-context "${CONTEXT}" "${NEW_CONTEXT}"
# Create token user
kubectl config --kubeconfig "${KUBECONFIG_FILE}.tmp" \
  set-credentials "${CONTEXT}-${NAMESPACE}-token-user" \
  --token "${TOKEN}"
# Set context to use token user
kubectl config --kubeconfig "${KUBECONFIG_FILE}.tmp" \
  set-context "${NEW_CONTEXT}" --user "${CONTEXT}-${NAMESPACE}-token-user"
# Set context to correct namespace
kubectl config --kubeconfig "${KUBECONFIG_FILE}.tmp" \
  set-context "${NEW_CONTEXT}" --namespace "${NAMESPACE}"
# Flatten/minify kubeconfig
kubectl config --kubeconfig "${KUBECONFIG_FILE}.tmp" \
  view --flatten --minify > "${KUBECONFIG_FILE}"
# Remove tmp
rm "${KUBECONFIG_FILE}.full.tmp"
rm "${KUBECONFIG_FILE}.tmp"
```
This will generate a new kubeconfig file using the Service Account's token, just like spinnaker-tools used to do.
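Added example (not from the original comment or from spinnaker-tools): the Secret-based token in the workaround above never expires and is bound to `cluster-admin`, so it is useful to be able to tell it apart from a time-bound token. This POSIX shell snippet reads the JWT `exp` claim without verifying the signature; the function names and the sample payloads are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a service account token by its JWT "exp" claim.
# Secret-based tokens (type kubernetes.io/service-account-token) carry no
# "exp"; tokens issued through the TokenRequest API do.

# Decode one unpadded base64url JWT segment to stdout.
b64url_decode() {
  _seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#_seg} % 4 )) in
    2) _seg="${_seg}==" ;;
    3) _seg="${_seg}=" ;;
  esac
  printf '%s' "$_seg" | base64 -d
}

# Print the numeric "exp" claim of a JWT, or nothing when it is absent.
token_exp() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" |
    sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# classify_token TOKEN [NOW_EPOCH] -> no-expiry | expired | valid-for <n>s
classify_token() {
  _exp=$(token_exp "$1")
  _now=${2:-$(date +%s)}
  if [ -z "$_exp" ]; then
    echo "no-expiry"
  elif [ "$_exp" -le "$_now" ]; then
    echo "expired"
  else
    echo "valid-for $(( _exp - _now ))s"
  fi
}

# Constructed sample data: unsigned JWT-shaped strings, not real credentials.
sample_token() {
  _h=$(printf '%s' '{"alg":"RS256"}' | base64 | tr -d '=\n' | tr '/+' '_-')
  _p=$(printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-')
  printf '%s.%s.sig' "$_h" "$_p"
}
LEGACY='{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:spinnaker:spinnaker-service-account"}'
BOUND='{"aud":["https://kubernetes.default.svc"],"exp":1700003600,"iat":1700000000,"sub":"system:serviceaccount:spinnaker:spinnaker-service-account"}'

classify_token "$(sample_token "$LEGACY")" 1700000000
classify_token "$(sample_token "$BOUND")" 1700000000
```

On a real cluster, pass the `TOKEN` variable from the script above as `classify_token "$TOKEN"`. `kubectl create token spinnaker-service-account --namespace spinnaker --duration 1h` (kubectl 1.24+) issues a token that does carry `exp`.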
Thank you for sharing, Radu. Appreciate the help.
```bash
cd ~/environment/spinnaker-tools
./spinnaker-tools create-service-account --kubeconfig ${SOURCE_KUBECONFIG} --context ${CONTEXT} --output ${DEST_KUBECONFIG} --namespace ${SPINNAKER_NAMESPACE} --service-account-name ${SPINNAKER_SERVICE_ACCOUNT_NAME}
```
error:
```
Using kubeconfig file
/home/ec2-user/.kube/config
Using provided context {arn:aws:eks:us-east-1:xxxxxxxxxxxxxcluster/test-eksctl arn:aws:eks:us-east-1:xxxxxxxxxxx:cluster/test-eksctl}
Getting namespaces ...
Creating service account spinnaker-ws-sa ...
Created ServiceAccount spinnaker-ws-sa in namespace spinnaker
Adding cluster-admin binding to service account spinnaker-ws-sa ...
Created ClusterRoleBinding spinnaker-spinnaker-ws-sa-admin in namespace spinnaker
Getting token for service account ...
Creating Kubeconfig failed, exiting
Unable to obtain token for service account. Check you have access to the service account created.
Get secret failed: error: resource name may not be empty
exit status 1
```