
Not Able To Create Pod in Kubernetes Version: v1.10.0-beta.3

When I create a pod on the master node, I face the following error:

    kubectl create -f ./nginx-rc.yaml

ERROR:

    No API token found for service account \"default\", retry after the token is automatically created and added to the service account\

  1. executed command : openssl genrsa -out /tmp/serviceaccount.ket 2048

  2. modified the /etc/kubernetes/apiserver file to add following :

    KUBE_API_ARGS="--service_account_key_file=/tmp/serviceaccount.key"
    
  3. modified the /etc/kubernetes/controller-manager and add following:

    KUBE_CONTROLLER_MANAGER_ARGS="--service_account_private_key_file=/tmp/serviceaccount.key"
    
  4. restarted Kubernetes, but I still face the same error:

    No API token found for service account \"default\", retry after the token is automatically created and added to the service account\
    

Another way: remove SecurityContextDeny,ServiceAccount on apiservice. Before:

    KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"

After:

    KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,LimitRanger,ResourceQuota"

Still the same error:

    No API token found for service account \"default\", retry after the token is automatically created and added to the service account\

How can I solve it?

PersianGulf
wwd
  • Do you have the problem with this pod only, or also, for example, with `kubectl run nginx --image=nginx`? Are you using google-kubernetes-engine? Because you cannot run a pod on the master in the Google Cloud implementation, and I do not think v1.10 is already available; I think you used a wrong tag. – GalloCedrone Mar 16 '18 at 16:35
  • Have you managed to find a solution? – Malgorzata Mar 22 '21 at 08:36

1 Answer


I faced the same issue and followed these steps.

  1. Check the last section of the following page and match --admission-control according to your Kubernetes version: https://kubernetes.io/docs/admin/admission-controllers/
  2. Kube-Api server must have "--service-account-key-file", and it should point to the public key used by the API server for authentication
  3. Kube-Controller must have "--service-account-private-key-file", and it should point to the private key used by the API server for authentication
  4. Make sure the API Server is started first and then the Controller service, and make sure the Controller service is not throwing any error on startup.

Verify the following things as well:

  1. kubectl get serviceaccounts --> Output must show the default account with one secret.

  2. kubectl get secrets --> Output must have a default token for the service account.

  3. kubectl describe secrets/default-token-qxxw6 --> It must show ca.crt and token under the Data section.

If nothing works, then stop all of your cluster's services on Master and Nodes. Then clean the ETCD DB, load your network configs to ETCD, and start the cluster as a fresh cluster.

xs2rashid
  • Where can I find the public and private key files? In my case `kubectl get sa` returns zero '0' secret keys. I also created one with `openssl genrsa -out /etc/kubernetes/serviceaccount.key 2048` and associated it with the respective files in the apiserver and controller-manager files, but it doesn't seem to be working for me. – Kundan Atre Jun 06 '18 at 12:11
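
One way to check steps 2 and 3 of the answer from the shell, as an added example that is not part of the original thread: it reads both flags from the config files, confirms each referenced file exists (the question writes `/tmp/serviceaccount.ket` but configures `/tmp/serviceaccount.key`), and confirms both flags point at the same key pair. The function names and the temp-directory demo files are constructed for illustration; `--service-account-key-file` accepts either the private key or its public half.

```sh
#!/bin/sh
# Added example: check that the key the controller-manager signs service-account
# tokens with matches the key the apiserver verifies them with.

# flag_value FILE FLAG: print the value of --FLAG=... in a sysconfig-style file.
# Accepts dash or underscore spelling, since both appear in the thread.
flag_value() {
    pat=$(printf '%s' "$2" | sed 's/[-_]/[-_]/g')
    sed -n "s/.*--${pat}=\([^\" ]*\).*/\1/p" "$1" | head -n 1
}

# pubkey_digest PEM: SHA-256 of the public key, whether PEM is private or public.
pubkey_digest() {
    if grep -q 'PRIVATE KEY' "$1"; then
        pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    else
        pem=$(openssl pkey -pubin -in "$1" -pubout 2>/dev/null) || return 1
    fi
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# check_sa_keys APISERVER_CONF CONTROLLER_MANAGER_CONF
# Returns 0 if consistent; 2 flag missing, 3 file unreadable, 4 bad PEM, 5 mismatch.
check_sa_keys() {
    verify=$(flag_value "$1" service-account-key-file)
    sign=$(flag_value "$2" service-account-private-key-file)
    if [ -z "$verify" ] || [ -z "$sign" ]; then echo "flag not set"; return 2; fi
    for f in "$verify" "$sign"; do
        [ -r "$f" ] || { echo "not readable: $f"; return 3; }
    done
    a=$(pubkey_digest "$verify") && b=$(pubkey_digest "$sign") ||
        { echo "cannot parse key"; return 4; }
    [ "$a" = "$b" ] || { echo "apiserver and controller-manager keys differ"; return 5; }
    echo "ok: tokens signed with $sign verify against $verify"
}

# Constructed demo: throwaway key pair and config files in a temp directory.
demo=$(mktemp -d)
openssl genrsa -out "$demo/sa.key" 2048 2>/dev/null
openssl pkey -in "$demo/sa.key" -pubout -out "$demo/sa.pub"
echo "KUBE_API_ARGS=\"--service-account-key-file=$demo/sa.pub\"" > "$demo/apiserver"
echo "KUBE_CONTROLLER_MANAGER_ARGS=\"--service-account-private-key-file=$demo/sa.key\"" \
    > "$demo/controller-manager"
check_sa_keys "$demo/apiserver" "$demo/controller-manager"
```

On a real master, pass the two files the thread edits, `/etc/kubernetes/apiserver` and `/etc/kubernetes/controller-manager`, instead of the demo files.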