There are 3 ways to generate a token to access the Kubernetes API. The following assumes the app-sa service account has a role and rolebinding associated with it.
- Generate a token on the fly:

  ```sh
  kubectl create token app-sa
  ```

- Create a secret. You can view the token inside the secret.

  ```yaml
  apiVersion: v1
  kind: Secret
  metadata:
    name: app-sa-token
    annotations:
      kubernetes.io/service-account.name: app-sa
  type: kubernetes.io/service-account-token
  ```

- Mount a service account to the deployment/pod:

  ```yaml
  apiVersion: v1
  kind: Pod
  metadata:
    name: my-app
  spec:
    serviceAccountName: app-sa # assign the service account here; k8s mounts the token automatically
    containers:
      - name: my-app
        image: your-image
  ```

This is what it looks like after k8s automatically mounts the service account token into the pod. You can access the token at the given path.

```yaml
volumeMounts:
  - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    name: kube-api-access-wp2rp
    readOnly: true
```
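
The three methods do not yield equivalent credentials: a token stored in a `kubernetes.io/service-account-token` Secret carries no `exp` claim and stays valid until the Secret is deleted, while a pod-mounted token is time-bound and tied to the pod. The following is an added example, not part of the original page, that decodes a token's claims (without verifying the signature) to show the difference; the sample tokens are constructed and the `default` namespace is an assumption.

```python
import base64
import json
import time


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def describe_sa_token(token, now=None):
    """Decode (NOT verify) a service account JWT; summarise lifetime and binding."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return {
        "subject": claims.get("sub"),
        "expires": exp is not None,
        "seconds_left": None if exp is None else int(exp - now),
        "pod": claims.get("kubernetes.io", {}).get("pod", {}).get("name"),
        "secret": claims.get("kubernetes.io/serviceaccount/secret.name"),
    }


def _sample(claims):
    # Builds a constructed token with a dummy signature, for offline use only.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "{}.{}.c2ln".format(enc({"alg": "RS256"}), enc(claims))


SUB = "system:serviceaccount:default:app-sa"  # "default" namespace is an assumption
# Constructed: claim shape of a token read from the app-sa-token Secret (no "exp").
SECRET_TOKEN = _sample({"iss": "kubernetes/serviceaccount", "sub": SUB,
                        "kubernetes.io/serviceaccount/secret.name": "app-sa-token"})
# Constructed: claim shape of a token mounted into the my-app pod.
MOUNTED_TOKEN = _sample({"sub": SUB, "iat": 1700000000, "exp": 1700003600,
                         "kubernetes.io": {"namespace": "default",
                                           "pod": {"name": "my-app"},
                                           "serviceaccount": {"name": "app-sa"}}})

if __name__ == "__main__":
    for label, tok in (("secret", SECRET_TOKEN), ("mounted", MOUNTED_TOKEN)):
        print(label, describe_sa_token(tok, now=1700000000))
```

To inspect a real token from inside a pod, pass the contents of `/var/run/secrets/kubernetes.io/serviceaccount/token` to `describe_sa_token`.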