kubernetes-client/python-base

Service token file does not exists when using workload identity

ollyjshaw opened this issue · 7 comments

Hi,

We have a k8s service that connects to kubernetes to get some metrics. This has previously worked well using the load_incluster_config method.

We've recently switched to workload identity and this is no longer working, giving the error:

site-packages/kubernetes/config/incluster_config.py", line 64, in _load_config raise ConfigException("Service token file does not exists.")

This file does not exist; basically, we've done automountServiceAccountToken: true

So, I realise this file won't exist. But I'm not sure of the recommended way to make incluster connections now.

Thanks in advance for any help / pointers.

Olly

IIUC the token file was generated before, but no longer gets generated now? This sounds like an upstream change in Kubernetes. Could you check how client-go does in-cluster initialization recently? https://github.com/kubernetes/client-go/tree/master/examples/in-cluster-client-configuration

jtlz2 commented

@ollyjshaw Same problem here - did you make any progress? Thanks!

@jtlz2 - sorry no.
In our case we were able to solve this by sourcing some of this information elsewhere.
I'd still be interested in the progress of this though.

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

/remove-lifecycle stale

I think I don't fully understand the question. What service account does your pod use? Could you share your pod spec? I'm not familiar with workload identity so I'm not sure if you're still using the default service account, or specify a different one.

This file does not exist; basically, we've done automountServiceAccountToken: true

IIUC, setting automountServiceAccountToken to true behaves the same as the default: the API credentials are automatically mounted to the pod, so I would expect the file to exist.
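The exception in the original report only says that the token file is missing. A quick way to tell which in-cluster precondition is actually failing (API server env vars, projected token, or cluster CA) is to check the same inputs that the Python client's load_incluster_config() looks at. The script below is an added example, not code from the kubernetes-client/python-base project or from anyone in this thread; it assumes the standard service-account mount path and the KUBERNETES_SERVICE_HOST/PORT environment variables, and the optional load_config_or_explain() helper assumes the kubernetes package is installed.

```python
"""Diagnose why in-cluster config loading would fail inside a pod.

Added example (not part of kubernetes-client/python-base). It re-checks the
preconditions that kubernetes.config.load_incluster_config() relies on:
the API server env vars and the projected service-account token and CA files,
and reports every missing piece rather than just the first one.
"""
import os
from pathlib import Path

# Default mount path and env var names used by the Python client and client-go.
SERVICE_ACCOUNT_DIR = Path("/var/run/secrets/kubernetes.io/serviceaccount")
SERVICE_HOST_ENV = "KUBERNETES_SERVICE_HOST"
SERVICE_PORT_ENV = "KUBERNETES_SERVICE_PORT"


def diagnose_incluster(sa_dir=SERVICE_ACCOUNT_DIR, env=None):
    """Return a list of human-readable problems; an empty list means the
    in-cluster loader should succeed. `sa_dir` and `env` are parameters so the
    check can be run against a constructed directory and environment."""
    env = os.environ if env is None else env
    problems = []

    # 1. The API server address is injected as env vars in every pod.
    for var in (SERVICE_HOST_ENV, SERVICE_PORT_ENV):
        if not env.get(var):
            problems.append(f"{var} is not set: not running inside a pod, or the "
                            "API server Service is not discoverable")

    # 2. The service-account token must be mounted and non-empty.
    token = Path(sa_dir) / "token"
    if not token.is_file():
        problems.append(f"{token} missing: token not mounted (check "
                        "automountServiceAccountToken on the pod and the ServiceAccount)")
    elif token.stat().st_size == 0:
        problems.append(f"{token} exists but is empty")

    # 3. The cluster CA must be mounted so the client can verify the API server.
    ca = Path(sa_dir) / "ca.crt"
    if not ca.is_file():
        problems.append(f"{ca} missing: cluster CA not mounted")
    elif ca.stat().st_size == 0:
        problems.append(f"{ca} exists but is empty")

    return problems


def load_config_or_explain():
    """Try the real loader; on failure, print the full diagnosis and re-raise.
    Assumes the `kubernetes` package is installed (imported lazily so the
    diagnostic above still runs without it)."""
    from kubernetes import config
    try:
        config.load_incluster_config()
    except config.ConfigException:
        for problem in diagnose_incluster():
            print("in-cluster config problem:", problem)
        raise


if __name__ == "__main__":
    for line in diagnose_incluster() or ["in-cluster preconditions satisfied"]:
        print(line)
```

Run it inside the failing pod (kubectl exec) to see whether the token mount is the only missing piece or whether the pod is also lacking the API server env vars or the CA bundle; the former points at the pod spec or ServiceAccount, the latter at how the pod was scheduled.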

jtlz2 commented

@ollyjshaw Where else?

@jtlz2 the information is domain-specific, and we had what we needed in another data store somewhere outside of the K8s cluster.

@roycaihw thanks for the feedback, my issue was specific to workload identity.
We've moved away from Workload Identity for a few other reasons too.
Working with service accounts etc. is pretty straightforward, as you say. We're doing more of that now.