kubernetes / website

Kubernetes website and documentation repo:
https://kubernetes.io
Creative Commons Attribution 4.0 International

Outdated default service account token secret instructions in "Access Clusters Using the Kubernetes API' page #45628

Open hrmcardle0 opened 7 months ago

hrmcardle0 commented 7 months ago

In the 'without kubectl proxy' section on https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/:

Create a secret to hold a token for the default service account

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: default-token
  annotations:
    kubernetes.io/service-account.name: default
type: kubernetes.io/service-account-token
EOF

This is apparently not a thing anymore since 1.22. I attempted it on v1.27 and despite there being no error message, the secret does not exist.

dipesh-rawat commented 7 months ago

Page mentioned in issue: https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/

/language en

dipesh-rawat commented 7 months ago

/retitle Outdated default service account token secret instructions in "Access Clusters Using the Kubernetes API' page

dipesh-rawat commented 7 months ago

/sig auth

sftim commented 7 months ago

/kind bug
/triage accepted
/priority backlog

MeenuyD commented 7 months ago

/assign

mrgiles commented 3 months ago

Hello @hrmcardle0. I've just tested the instructions on page https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/ with a 1.30 cluster and they seem to work...

kubectl version
Client Version: v1.30.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.30.0

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: default-token
  annotations:
    kubernetes.io/service-account.name: default
type: kubernetes.io/service-account-token
EOF
secret/default-token created

kubectl get secret default-token
NAME            TYPE                                  DATA   AGE
default-token   kubernetes.io/service-account-token   3      3m50s

TOKEN=$(kubectl get secret default-token -o jsonpath='{.data.token}' | base64 --decode)

curl -X GET $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "172.18.0.2:6443"
    }
  ]
}%

Can you try again and provide the outputs of your commands? If these instructions still work, I think we could close this issue.

Thanks!
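
Added example, not part of the issue thread or the Kubernetes docs: a token read from a `kubernetes.io/service-account-token` Secret, as in the steps above, carries no `exp` claim, so it stays valid until the Secret is deleted. The Python below decodes the JWT payload without verifying the signature to tell such a token from a time-bound one; the function names and both sample tokens are constructed for illustration.

```python
import base64
import json

# Claim that Kubernetes sets on tokens generated for a service-account-token Secret.
LEGACY_SECRET_CLAIM = "kubernetes.io/serviceaccount/secret.name"

def jwt_claims(token):
    """Decode the (unverified) payload segment of a compact JWT into a dict."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def classify_sa_token(token):
    """Return (kind, detail) for a Kubernetes service account token."""
    claims = jwt_claims(token)
    if LEGACY_SECRET_CLAIM in claims and "exp" not in claims:
        return ("secret-based", "no exp claim; valid until Secret %s is deleted"
                % claims[LEGACY_SECRET_CLAIM])
    if "exp" in claims:
        return ("time-bound", "expires at epoch %d" % claims["exp"])
    return ("unknown", "neither an exp claim nor a Secret name claim")

def _constructed_token(claims):
    """Build an unsigned sample token (constructed test data, not a real credential)."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256"}), seg(claims), "c2ln"])

# Constructed sample shaped like a token stored in the default-token Secret.
SAMPLE_SECRET_TOKEN = _constructed_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "default-token",
    "kubernetes.io/serviceaccount/service-account.name": "default",
    "sub": "system:serviceaccount:default:default",
})
# Constructed sample shaped like a time-bound token (constructed timestamps).
SAMPLE_BOUND_TOKEN = _constructed_token({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "exp": 1700003600,
    "iat": 1700000000,
    "sub": "system:serviceaccount:default:default",
})

if __name__ == "__main__":
    for tok in (SAMPLE_SECRET_TOKEN, SAMPLE_BOUND_TOKEN):
        print(classify_sa_token(tok))
```

To check a real token, pass the decoded `$TOKEN` value to `classify_sa_token`; the result describes the claims only and says nothing about whether the signature is valid.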