Kubernetes access control: ServiceAccount configuration

A Service Account is the account that pods run under; the default one is named default. If the apiserver is started with --admission-control=ServiceAccount, a Service Account must have a token before pods can be started or can connect to the apiserver. The steps below show how to generate a token for the default Service Account (default).

1. Generate serviceaccount.key

openssl genrsa -out ./serviceaccount.key 2048

2. Configure and restart controller-manager

vi /etc/kubernetes/controller-manager
KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=./serviceaccount.key"

3. Create secret.json

{
  "kind": "Secret",
  "apiVersion": "v1",
  "metadata": {
    "name": "default-secret",
    "annotations": {
      "kubernetes.io/service-account.name": "default"
    }
  },
  "type": "kubernetes.io/service-account-token"
}
kubectl create -f ./secret.json
kubectl describe secret default-secret
Running the commands above creates secret/default-secret.

4. Token generated successfully

kubectl describe secret/default-secret
Name: default-secret
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name=default
kubernetes.io/service-account.uid=0267460c-2902-11e8-a221-00163e088d17

Type: kubernetes.io/service-account-token

Data

namespace: 7 bytes
token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtc2VjcmV0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImRlZmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIwMjY3NDYwYy0yOTAyLTExZTgtYTIyMS0wMDE2M2UwODhkMTciLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWZhdWx0In0.UCRU7OnKMC1oaY4vRntWmsKBQasEKBDoGzxNdGdTGqhcO0JV-kOEXjms1h80vvtxPj7930LPkpvXOYnwiST1Z73zf4z7DrKlAYuF-TKwWncJyKbYwskS4nONeAzxpzWJO7YTGnQPZHOwORQ3UMtW5_G12vrB4t43Cig15-6wRLDU4S_evkUh4lQeesAf1Uncy4SuNxHbLdiA1UfFWOf9xNd1BuPpKZ4jOrUQ9El1dYEHdpXrDgV5s6Wp2GWpWtZnb1R-HEtlISAgqwi5tA_ZvQiS0oKFzacxaSzwKOzla4hhkY5B9W8Y62_g5AuMqCff5fDils8HyQE-M7qpNoFbSg
The token is now associated with the Service Account:

kubectl get Serviceaccount

NAME SECRETS AGE
default 1 24d
This configuration resolves the error reported when creating an rc or pod: Error creating: No API token found for service account "default", retry after the token is automatically created and added to the service account
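The steps above as one script, added here as an example and not part of the original post: it generates the signing key, creates the same token Secret, and then decodes the issued JWT to confirm that its sub claim names the expected service account (the post does this by eye from kubectl describe). Two caveats the post leaves implicit: the controller-manager only signs tokens with this key, so the apiserver must be given the matching public key via --service-account-key-file or it will reject them; and a relative path such as ./serviceaccount.key resolves against the controller-manager's working directory, so the example assumes an absolute path (KEY_FILE is an assumption). The sample token is the one printed by kubectl describe in the post; the helper names are mine.

```shell
#!/bin/sh
# Added example (not the original post's code). Assumes kubectl is configured
# for the cluster and that openssl, base64, cut, tr and sed are on PATH.

# Absolute path for the signing key (assumption; the post uses ./serviceaccount.key).
KEY_FILE="${KEY_FILE:-/etc/kubernetes/serviceaccount.key}"

# Step 1: private key the controller-manager signs ServiceAccount tokens with.
# The apiserver needs the matching public key (--service-account-key-file) to
# verify these tokens; generating the key alone is not enough.
gen_key() {
    [ -f "$KEY_FILE" ] || openssl genrsa -out "$KEY_FILE" 2048
    chmod 600 "$KEY_FILE"          # the private key must not be world-readable
}

# Step 3: the Secret from the post, fed to kubectl through stdin.
create_default_secret() {
    kubectl create -f - <<'EOF'
{
  "kind": "Secret",
  "apiVersion": "v1",
  "metadata": {
    "name": "default-secret",
    "annotations": { "kubernetes.io/service-account.name": "default" }
  },
  "type": "kubernetes.io/service-account-token"
}
EOF
}

# Decode one base64url JWT segment ($2: 1 = header, 2 = payload, 3 = signature),
# restoring the '=' padding that base64 -d requires.
jwt_segment() {
    seg=$(printf '%s' "$1" | cut -d. -f"$2" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Extract one string-valued claim ($2) from the payload without jq.
jwt_claim() {
    jwt_segment "$1" 2 | sed -n 's|.*"'"$2"'":"\([^"]*\)".*|\1|p'
}

# Does the token ($1) belong to service account $3 in namespace $2?
check_token() {
    [ "$(jwt_claim "$1" sub)" = "system:serviceaccount:$2:$3" ]
}

# Step 4: read the token back from the Secret and verify the claim.
verify_default_secret() {
    tok=$(kubectl get secret default-secret -o jsonpath='{.data.token}' | base64 -d)
    check_token "$tok" default default
}

# Sample input: the token shown by `kubectl describe secret/default-secret` in the post.
SAMPLE_TOKEN='eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtc2VjcmV0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImRlZmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIwMjY3NDYwYy0yOTAyLTExZTgtYTIyMS0wMDE2M2UwODhkMTciLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWZhdWx0In0.UCRU7OnKMC1oaY4vRntWmsKBQasEKBDoGzxNdGdTGqhcO0JV-kOEXjms1h80vvtxPj7930LPkpvXOYnwiST1Z73zf4z7DrKlAYuF-TKwWncJyKbYwskS4nONeAzxpzWJO7YTGnQPZHOwORQ3UMtW5_G12vrB4t43Cig15-6wRLDU4S_evkUh4lQeesAf1Uncy4SuNxHbLdiA1UfFWOf9xNd1BuPpKZ4jOrUQ9El1dYEHdpXrDgV5s6Wp2GWpWtZnb1R-HEtlISAgqwi5tA_ZvQiS0oKFzacxaSzwKOzla4hhkY5B9W8Y62_g5AuMqCff5fDils8HyQE-M7qpNoFbSg'

# Full run against a live cluster (not executed offline):
#   gen_key && create_default_secret && verify_default_secret && echo "token OK"
```

Decoding the payload only shows what the token claims; it does not prove the signature is valid, which is the apiserver's job with the public key. Use the decode step to check namespace and account binding after the Secret is created, and keep the printed token out of logs and tickets, since anyone holding it has the service account's permissions.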

Reposted from: https://www.cnblogs.com/birdstudio/p/8780043.html
