In Kubernetes 1.24, ServiceAccount token secrets are no longer automatically generated. See “Urgent Upgrade Notes” in the 1.24 changelog file:
The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the TokenRequest API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this guide. (#108309, @zshihang)
This means, in Kubernetes 1.24, you need to manually create the Secret; the token key in the data field will be automatically set for you.
apiVersion: v1
kind: Secret
metadata:
  name: sa1-token
  annotations:
    kubernetes.io/service-account.name: sa1
type: kubernetes.io/service-account-token
Since you’re manually creating the Secret, you know its name (sa1-token) and don’t need to look it up in the ServiceAccount object.
This approach should work fine in earlier versions of Kubernetes too.
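The procedure described above as two shell functions, as an added example that is not part of the original page: one emits the Secret manifest, the other waits for the token controller to populate the token key and decodes it. The function names and the POLL_SECONDS variable are assumptions, as is a kubectl already configured for a cluster where the ServiceAccount exists.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Function names and POLL_SECONDS
# are assumptions; kubectl must already point at the target cluster.

# Print the Secret manifest that asks the token controller for a token.
sa_token_secret_manifest() {
  local sa="$1" secret="$2"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${secret}
  annotations:
    kubernetes.io/service-account.name: ${sa}
type: kubernetes.io/service-account-token
EOF
}

# The controller fills data.token asynchronously, so poll for it and print
# the decoded token. Returns 1 if it is still empty after the given tries.
wait_for_sa_token() {
  local secret="$1" ns="${2:-default}" tries="${3:-10}" b64=""
  while [ "$tries" -gt 0 ]; do
    b64=$(kubectl -n "$ns" get secret "$secret" \
      -o 'jsonpath={.data.token}' 2>/dev/null) || b64=""
    if [ -n "$b64" ]; then
      printf '%s' "$b64" | base64 -d
      return 0
    fi
    tries=$((tries - 1))
    sleep "${POLL_SECONDS:-1}"
  done
  echo "no token in secret $ns/$secret; does the ServiceAccount exist?" >&2
  return 1
}

# Usage:
#   sa_token_secret_manifest sa1 sa1-token | kubectl -n default apply -f -
#   TOKEN=$(wait_for_sa_token sa1-token default)
```

The token obtained this way is the non-expiring kind the changelog mentions, so store it as a long-lived credential; deleting the Secret invalidates it.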