Using service account tokens to connect with the API server

Processes that are run inside a container use service account tokens to communicate with the Kubernetes API server.

For more information about service accounts in Kubernetes, see Configure Service Accounts for Pods.

For long-running services, you can use service account tokens to configure kubectl, which gives CLI access for extended periods. You can connect to the Kubernetes API server by using the service account token.

There are two ways to obtain service account tokens: from the files that are mounted in the pod, or by reading the service account secret with kubectl. Both are described in the following sections.

Obtaining the service account token from the pod

A long-running service account token is mounted in the /var/run/secrets/kubernetes.io/serviceaccount directory. The following three files are stored in this mounted directory: ca.crt (the cluster CA certificate), namespace (the pod's namespace), and token (the bearer token).

To connect with the Kubernetes API server by using the service account token, run the following command from inside the pod. This example lists the pods in a namespace and verifies the API server certificate against the mounted CA:

curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer {token}" https://kubernetes.default/api/v1/namespaces/{namespace}/pods
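The same in-pod connection in Python, as an added example that is not part of the original page: it reads the three mounted files, inspects the token's claims without verifying them (so you can confirm which service account and namespace the token names before using it), and lists pods over TLS pinned to the mounted ca.crt. The mount path and the kubernetes.default name are the standard ones; SAMPLE_TOKEN is a constructed, unsigned token used only to exercise the claim inspection offline.

```python
"""Read a pod's service account credentials and call the API server.

Added example, not from the original page. Assumes the standard mount directory
/var/run/secrets/kubernetes.io/serviceaccount and the in-cluster DNS name
kubernetes.default. The HTTP call only succeeds when run inside a pod.
"""
import base64
import json
import os
import ssl
import time
import urllib.request

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
API_SERVER = "https://kubernetes.default"


def read_service_account(sa_dir=SA_DIR):
    """Return the three mounted files as a dict: ca.crt, namespace, token."""
    creds = {}
    for name in ("ca.crt", "namespace", "token"):
        with open(os.path.join(sa_dir, name), "r", encoding="utf-8") as fh:
            creds[name] = fh.read().strip()
    return creds


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def token_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature.

    Used only to see which identity the token carries (and whether a bound token
    has expired) before using it. The API server verifies the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def token_is_expired(claims, now=None):
    """Legacy secret-based tokens carry no 'exp' claim; bound tokens do."""
    exp = claims.get("exp")
    if exp is None:
        return False
    return (now if now is not None else time.time()) >= exp


def pods_url(namespace, api_server=API_SERVER):
    """Build the list-pods URL for the given namespace."""
    return f"{api_server}/api/v1/namespaces/{namespace}/pods"


def list_pods(creds, api_server=API_SERVER):
    """GET the pod list, trusting only the cluster CA from the mounted ca.crt."""
    ctx = ssl.create_default_context(cadata=creds["ca.crt"])
    req = urllib.request.Request(
        pods_url(creds["namespace"], api_server),
        headers={"Authorization": f"Bearer {creds['token']}"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


# Constructed, unsigned sample token (empty signature segment) so the claim
# inspection can be exercised without a cluster. Real tokens are RS256-signed.
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "none"}).encode()),
    _b64url_encode(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "default",
        "kubernetes.io/serviceaccount/service-account.name": "default",
        "sub": "system:serviceaccount:default:default",
    }).encode()),
    "",
])


if __name__ == "__main__":
    creds = read_service_account()
    claims = token_claims(creds["token"])
    print("identity:", claims.get("sub"), "expired:", token_is_expired(claims))
    for item in list_pods(creds).get("items", []):
        print(item["metadata"]["name"])
```

Inspecting the claims before use is a cheap sanity check that the mounted token belongs to the service account and namespace you expect; pinning the TLS context to the mounted ca.crt is what makes the bearer token safe to send.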

Using the service account token with kubectl

If kubectl is installed in the pod, you can configure it to connect with the API server by running the following commands. Use the full path to the mounted ca.crt so that the kubeconfig entry resolves regardless of the working directory:

kubectl config set-cluster cfc --server=https://kubernetes.default --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
kubectl config set-context cfc --cluster=cfc
kubectl config set-credentials user --token={token}
kubectl config set-context cfc --user=user
kubectl config use-context cfc

You can now use kubectl to access your cluster without a time limit for token expiry.

Obtaining the service account token by using kubectl

Complete the following steps to get the service account token by using kubectl:

  1. Install kubectl in your cluster. For more information, see Installing the Kubernetes CLI (kubectl).
  2. Get the service account token by using kubectl.

    1. Get information about your Kubernetes secret object. Secrets are used to store access credentials.

      kubectl get secret --namespace={namespace}
      

      Following is a sample output:

      NAME                  TYPE                                  DATA      AGE
      admin.registrykey     kubernetes.io/dockercfg               1         1h
      default-token-2mfqv   kubernetes.io/service-account-token   3         1h
      
    2. Get details of the service account token.

      kubectl get secret default-token-2mfqv --namespace={namespace} -o yaml
      

      Following is a sample output:

      apiVersion: v1
      data:
       ca.crt: <base64-encoded ca.crt>
       namespace: ZGVmYXVsdA==
       token: <base64-encoded token>
      kind: Secret
      metadata:
       annotations:
         kubernetes.io/service-account.name: default
         kubernetes.io/service-account.uid: df441c69-f4ba-11e6-8157-525400225b53
       creationTimestamp: 2017-02-17T02:43:33Z
       name: default-token-2mfqv
       namespace: default
       resourceVersion: "37"
       selfLink: /api/v1/namespaces/default/secrets/default-token-2mfqv
       uid: df5f1109-f4ba-11e6-8157-525400225b53
      type: kubernetes.io/service-account-token
      

      Note: The token in the sample output is encoded in base64. You must decode the token and then set this token by using kubectl.

  3. Decode and set the base64-encoded token.

    kubectl config set-credentials sa-user --token=$(kubectl get secret <secret_name> --namespace={namespace} -o jsonpath='{.data.token}' | base64 -d)
    kubectl config set-context sa-context --user=sa-user
    

    In the command, <secret_name> is the name of your service account secret.

  4. Connect to the API server.

    curl -k -H "Authorization: Bearer {token}" <API server URL>

    The -k flag disables verification of the API server certificate. The same secret also contains the cluster CA, so you can decode its ca.crt field (kubectl get secret <secret_name> --namespace={namespace} -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt) and pass it with --cacert ca.crt instead of -k.

You can now use kubectl to access your cluster without a time limit for token expiry.
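The decode-and-configure steps above, as an added example in Python (not code from the original page): it decodes the data fields of a service-account Secret, checks the Secret type, and writes a kubeconfig equivalent to the kubectl config set-* commands, embedding the cluster CA so the API server is verified rather than skipped with -k. SAMPLE_SECRET is a constructed stand-in for the output of kubectl get secret <secret_name> -o json; its certificate and token values are placeholders.

```python
"""Turn a service-account token Secret into a self-contained kubeconfig.

Added example, not part of the original page. kubectl reads kubeconfig as YAML,
and JSON is valid YAML, so the file written here can be used directly with
KUBECONFIG=<path> kubectl get pods.
"""
import base64
import json
import os

# Constructed stand-in for `kubectl get secret <secret_name> -o json`; the
# ca.crt and token values are placeholders, not real credentials.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {
        "name": "default-token-2mfqv",
        "namespace": "default",
        "annotations": {"kubernetes.io/service-account.name": "default"},
    },
    "data": {
        "ca.crt": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
        ).decode(),
        "namespace": "ZGVmYXVsdA==",  # base64 of "default"
        "token": base64.b64encode(b"eyJhbGciOiJSUzI1NiJ9.PLACEHOLDER.PLACEHOLDER").decode(),
    },
}
SAMPLE_SECRET_JSON = json.dumps(SAMPLE_SECRET)


def decode_secret(secret_json):
    """Return the Secret's data fields base64-decoded, after checking its type.

    Secrets of other types (e.g. kubernetes.io/dockercfg) have different keys,
    so refusing them early avoids silently configuring kubectl with garbage.
    """
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError(f"not a service-account token Secret: {secret.get('type')}")
    data = secret["data"]
    decoded = {
        key: base64.b64decode(data[key]).decode("utf-8")
        for key in ("ca.crt", "namespace", "token")
    }
    annotations = secret["metadata"].get("annotations", {})
    decoded["service_account"] = annotations.get("kubernetes.io/service-account.name", "")
    return decoded


def build_kubeconfig(server, decoded, cluster="cfc", user="sa-user", context="sa-context"):
    """Equivalent of the page's set-cluster / set-credentials / set-context commands.

    The CA is embedded as certificate-authority-data so the file stands alone
    and the server certificate is verified against the cluster CA.
    """
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster, "cluster": {
            "server": server,
            "certificate-authority-data": base64.b64encode(decoded["ca.crt"].encode()).decode(),
        }}],
        "users": [{"name": user, "user": {"token": decoded["token"]}}],
        "contexts": [{"name": context, "context": {
            "cluster": cluster, "user": user, "namespace": decoded["namespace"],
        }}],
        "current-context": context,
    }


def write_kubeconfig(path, config):
    """Write the config with owner-only permissions: the file holds a bearer token."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(config, fh, indent=2)
    os.chmod(path, 0o600)
    return path


if __name__ == "__main__":
    decoded = decode_secret(SAMPLE_SECRET_JSON)
    cfg = build_kubeconfig("https://kubernetes.default", decoded)
    print(write_kubeconfig("sa-kubeconfig.json", cfg), "for", decoded["service_account"])
```

The context carries the Secret's namespace, so commands default to the namespace the service account lives in, and the embedded CA removes the need for -k when you later reach the API server with this file or with curl.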