Path to Service Account Key files

In upstream K8s, these exist by default (see the service-account-* variables below; ref: https://jpweber.io/blog/a-look-at-tokenrequest-api/).

Where (if at all) would the similar sa* files exist in Rancher? If not, what do I need to do to achieve this config? It's a prerequisite for Istio / SDS (see https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection).

apiVersion: kubeadm.k8s.io/v1beta1
kind: ClusterConfiguration
apiServer:
  extraArgs:
    service-account-signing-key-file: /etc/kubernetes/pki/sa.key  # ===> which file in Rancher?
    service-account-key-file: /etc/kubernetes/pki/sa.pub  # ===> which file in Rancher?
    service-account-issuer: api
    service-account-api-audiences: api,vault,factors

Did you ever get an answer on how to do that? We are looking into installing Istio 1.5, which requires that.

I was able to enable that by modifying the cluster.yaml and adding

  kube-api:
      extra_args:
          service-account-issuer: "kubernetes.default.svc"
          service-account-signing-key-file: "/etc/kubernetes/ssl/kube-service-account-token-key.pem"
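
One way to confirm the setting above took effect, as an added example that is not part of the original post: decode a token read from a pod's projected volume and compare its claims with the configured issuer and a requested audience. The function names and sample tokens are constructed for illustration, and the signature is not verified, so this is a configuration check only.

```python
import base64
import json
import time

# Issuer carried by legacy, secret-based service account tokens.
LEGACY_ISSUER = "kubernetes/serviceaccount"

def decode_claims(jwt):
    """Return the JWT payload as a dict. The signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_projected_token(jwt, issuer, audience, now=None):
    """Return a list of problems; an empty list means the claims match."""
    now = time.time() if now is None else now
    claims = decode_claims(jwt)
    problems = []
    iss = claims.get("iss")
    if iss == LEGACY_ISSUER:
        problems.append("legacy token: volume projection is not in effect")
    elif iss != issuer:
        problems.append(f"issuer {iss!r} does not match {issuer!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if audience not in aud:
        problems.append(f"audience {audience!r} not in {aud!r}")
    exp = claims.get("exp")
    if exp is None:
        problems.append("no exp claim: token is not time-bound")
    elif exp <= now:
        problems.append("token has expired")
    return problems

def make_sample(claims):
    """Build a constructed, unsigned sample token (hypothetical helper)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.c2ln"

if __name__ == "__main__":
    now = int(time.time())
    sample = make_sample({"iss": "kubernetes.default.svc",
                          "aud": ["vault"], "exp": now + 600})
    print(check_projected_token(sample, "kubernetes.default.svc", "vault"))
```

In a real pod, pass the contents of the token file from the projected volume instead of the constructed sample.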

@Rick_Catania

Is editing the cluster.yaml of the local cluster enough? Do you have to also save/load/restart something else?

I think I need to do this too… but I need to know how these keys are distributed to nodes etc. if we create any new workers?