0

When I do kubectl get secret my-sa-token-lr928 -o yaml, there is a base64 string(JWT A) value for data.token. There are other fields too, like data.ca.crt in this returned secret.

When I use projected volume with source serviceAccountToken and read the file, there is another not-base64 string(JWT B).

cat /var/run/secrets/some.directory/serviceaccount/token

Why JWT A and JWT B strings are different? The most notable difference is in JWT B iss i.e my issuer url (--service-account-issuer) and in JWT A iss i.e my issuer url iskubernetes/serviceaccount`. Aren't they both JWT service account tokens? If not then what Kubernetes API object they actually represent?

Following is my Kubernetes Pod spec (edited for brevity)

apiVersion: v1
kind: Pod
metadata:
  annotations:
  labels:
    app: sample-app
  name: sample-pod-gwrcf
spec:
  containers:
    image: someImage
    name: sample-app-container
    resources: {}
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: my-sa-token-lr928
      readOnly: true
    - mountPath: /var/run/secrets/some.directory/serviceaccount
      name: good-token
      readOnly: true
  serviceAccount: my-sa
  serviceAccountName: my-sa
  terminationGracePeriodSeconds: 30
  volumes:
  - name: good-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: my.audience.com
          expirationSeconds: 86400
          path: token
  - name: my-sa-token-lr928
    secret:
      defaultMode: 420
      secretName: my-sa-token-lr928
Prashant Singh Rathore
  • 309
  • 5
  • 17

1 Answers1

0

Aren't they both JWT service account tokens?

Yes, they are both JWT tokens.

The one you mentined as JWT A in my-sa-token-lr928 is base64 encoded as all data in every kubernetes secret.

When k8s is mounting a secret data to a pod, this data is being decoded and stored e.g. as a token file in this case.

JWT B token using Service Account Token Volume Projection is issued by kubelet and allows you for more flexibility, for example setting expiration time in contrast to Regular Service Account Tokens which once issued stays the same (unless recreated) and does not expire.

If you exec to your pod and lookup the content of these tokens what you will see are an actual JWT tokens. You can decode the data from this tokens using any jwt decoder e.g. jwt.io.

Why JWT A and JWT B strings are different?

Because they contain different data.

Matt
  • 7,419
  • 1
  • 11
  • 22
  • Shouldn't data be the same if both of them are service-account token? – Prashant Singh Rathore Apr 17 '20 at 15:49
  • Not necessarily, As I already mentioned "Service Account Token Volume Projection" contains additional fields. – Matt Apr 21 '20 at 10:19
  • Also take a look at [Service Account Volumes proposal](https://github.com/kubernetes/community/blob/e3a6b8172fec9506b15520549e52be683e30cbfb/contributors/design-proposals/storage/svcacct-token-volume-source.md) which references to [new token design proposal](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/bound-service-account-tokens.md) – Matt Apr 21 '20 at 11:20