TIL how to manually mount the Kubernetes service account token
By default, Kubernetes automatically injects credentials for the default
ServiceAccount into the pod. This token is used by applications running in the
pods to authenticate to the Kubernetes API server.
To disable this behaviour, set the following in the pod spec:
apiVersion: v1
kind: Pod
metadata:
  name: foo-pod
spec:
  serviceAccountName: foo-sa
  automountServiceAccountToken: false
or in the ServiceAccount manifest itself:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: foo-sa
automountServiceAccountToken: false
If the application does need access to the API server, we can instead mount the token manually (and safely) as a read-only projected volume, using service account token volume projection:
apiVersion: v1
kind: Pod
metadata:
  name: foo-pod
spec:
  containers:
  - name: foo
    ...
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: serviceaccount-token
      readOnly: true
  volumes:
  - name: serviceaccount-token
    projected:
      defaultMode: 0444
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          name: kube-root-ca.crt
          items:
          - key: ca.crt
            path: ca.crt
      - downwardAPI:
          items:
          - path: namespace
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
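To check that pods actually follow this pattern, here is a small audit function (an added example, not part of the original post) that takes a pod object as a dict, like the output of `kubectl get pod -o json`, and reports pods that still automount the token, mount the token directory writable, or project a token with a long lifetime. The 24-hour lifetime threshold is an assumed policy value, not a Kubernetes rule; the sample pods are constructed.

```python
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"
MAX_EXPIRATION_SECONDS = 24 * 3600  # assumed policy threshold, not a k8s default


def audit_pod(pod: dict) -> list:
    """Return a list of findings; an empty list means the pod follows the pattern."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    # 1. Automount must be explicitly disabled at the pod level.
    if spec.get("automountServiceAccountToken") is not False:
        findings.append(f"{name}: automountServiceAccountToken is not false")

    # 2. Any manual mount of the token directory must be read-only.
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        for mount in container.get("volumeMounts", []):
            if mount.get("mountPath") == SA_TOKEN_PATH and not mount.get("readOnly", False):
                findings.append(f"{name}/{container['name']}: token mount is writable")

    # 3. Projected tokens must be short-lived (API server defaults to 3600s when omitted).
    for volume in spec.get("volumes", []):
        for source in volume.get("projected", {}).get("sources", []):
            token = source.get("serviceAccountToken")
            if token is not None and token.get("expirationSeconds", 3600) > MAX_EXPIRATION_SECONDS:
                findings.append(f"{name}/{volume['name']}: token lifetime above policy")
    return findings


# Constructed sample pods: one following the post's pattern, one that does not.
GOOD_POD = {"metadata": {"name": "foo-pod"}, "spec": {
    "automountServiceAccountToken": False,
    "containers": [{"name": "foo", "volumeMounts": [
        {"mountPath": SA_TOKEN_PATH, "name": "serviceaccount-token", "readOnly": True}]}],
    "volumes": [{"name": "serviceaccount-token", "projected": {"sources": [
        {"serviceAccountToken": {"expirationSeconds": 3607, "path": "token"}}]}}]}}

BAD_POD = {"metadata": {"name": "bar-pod"}, "spec": {
    "containers": [{"name": "bar", "volumeMounts": [
        {"mountPath": SA_TOKEN_PATH, "name": "tok"}]}],
    "volumes": [{"name": "tok", "projected": {"sources": [
        {"serviceAccountToken": {"expirationSeconds": 31536000, "path": "token"}}]}}]}}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "ok")
```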