0

I have created a K8 service account token using the following command:

kubectl create serviceaccount test-sat-account

I have a deployment YAML for a dotnet service, and I am importing the above token in a volume as below:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      serviceAccountName: test-sat-account
      containers:
      - name: my-container
        image: ""
        imagePullPolicy: Always
        volumeMounts:
        - name: my-token
          mountPath: /var/run/secrets/tokens
        env:
        - name: SATToken
          value: ****<Can we Pass the SAT token here?>****
        ports:
        - name: http
          containerPort: 80
          protocol: TCP
      volumes:
      - name: my-token
        projected:
          sources:
          - serviceAccountToken:
              path: my-token
              audience: test-audience

Now, instead of reading the token from the mountpath in the code, I want to pass the value of the token to an environment variable in the above yaml. Is it possible to do that? If yes, how?

Abhijit

1 Answer

3

Arrange for the token to be stored in a Secret resource:

apiVersion: v1
kind: Secret
metadata:
  name: test-sat-account-token
  annotations:
    kubernetes.io/service-account.name: test-sat-account
type: kubernetes.io/service-account-token

Now, use that Secret as the source for an environment value:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      serviceAccountName: test-sat-account
      containers:
      - name: my-container
        image: ""
        imagePullPolicy: Always
        env:
        - name: SATToken
          valueFrom:
            secretKeyRef:
              name: test-sat-account-token
              key: token
        ports:
        - name: http
          containerPort: 80
          protocol: TCP
larsks
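Added example, not part of the question or the answer above: a Secret of type `kubernetes.io/service-account-token` holds a token with no `exp` claim and no audience binding, whereas the projected volume in the question yields a token bound to `test-audience` that expires and is rotated by the kubelet. The Python sketch below decodes a token's claims (without verifying the signature) to tell the two apart; the sample tokens, the `default` namespace, the issuer values and the function names are constructed for illustration.

```python
import base64
import json
import time

def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample(claims):
    """Build an unsigned, JWT-shaped string (constructed demo input)."""
    return ".".join([_b64url({"alg": "RS256"}), _b64url(claims), "c2ln"])

def decode_claims(token):
    """Decode the JWT payload without verifying it (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def assess(token, now=None):
    """Report the properties that matter when deciding how to hand out a token."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    aud = claims.get("aud", [])
    return {
        "legacy_secret_token": "kubernetes.io/serviceaccount/secret.name" in claims,
        "expires": exp is not None,
        "seconds_left": None if exp is None else int(exp - now),
        "audiences": [aud] if isinstance(aud, str) else list(aud),
    }

# Constructed samples: claim layout of a Secret-based token vs. a projected one.
SECRET_TOKEN = make_sample({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "test-sat-account-token",
    "kubernetes.io/serviceaccount/service-account.name": "test-sat-account",
    "sub": "system:serviceaccount:default:test-sat-account",
})
PROJECTED_TOKEN = make_sample({
    "aud": ["test-audience"], "exp": 1700003600, "iat": 1700000000,
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:default:test-sat-account",
})

if __name__ == "__main__":
    for name, tok in (("secret", SECRET_TOKEN), ("projected", PROJECTED_TOKEN)):
        print(name, assess(tok, now=1700000000))
```

An environment variable is fixed when the container starts, so a token delivered through `SATToken` stays the same for the life of the pod and is valid until the Secret is deleted.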