
Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring

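When I run this code:

import io.fabric8.kubernetes.client.Config;
import io.fabric8.kubernetes.client.ConfigBuilder;
import io.fabric8.kubernetes.client.DefaultKubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClientException;

public class test2 {

  public static void main(String[] args) {
    // TODO Auto-generated method stub

    String podName = "xrdpprocan";
    String namespace = "default";
    String master = "https://my_ip_adress";

    // Only the master URL is set; withTrustCerts(true) accepts any server certificate
    Config config = new ConfigBuilder().withMasterUrl(master).withTrustCerts(true).build();
    try (final KubernetesClient client = new DefaultKubernetesClient(config)) {

      String log = client.pods().inNamespace(namespace).withName(podName).getLog(true);
      System.out.println("Log of pod " + podName + " in " + namespace + " is:");
      System.out.println("------------------");
      System.out.println(log);

    } catch (KubernetesClientException e) {
      System.out.println(e.getMessage());
    }
  }
}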

I get this: Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.

yasmine asked Apr 12 '17 12:04


1 Answer

Where is the problem: The current type of your client configuration is incomplete; you are missing the client authentication settings/data part.

Please be aware that when you are running your code from outside the cluster (this type of client configuration is called out-of-cluster client configuration), you need to explicitly specify a bare minimum for a successful connection to the Kubernetes control plane from outside:

  1. Kubernetes Master URL
  2. At least one method for user authentication, can be any of:
  • client certificates
  • bearer tokens
  • HTTP basic auth

You see the problem? You have specified none of these from the second condition for >> user << authentication (this is the key word here: user).

Right now the Java Kubernetes client falls back to the Service Account based authentication strategy, thinking you are not a human but a robot (a Pod running in the context of a Service Account).

Putting it technically, the client is now resolving to the last-resort option:

KUBERNETES_AUTH_TRYSERVICEACCOUNT

(4th on the list of fabric8io/kubernetes-client supported configuration options, check below)

which involves reading in the service account token placed into the filesystem inside the Pod's container at the following path:

/var/run/secrets/kubernetes.io/serviceaccount/token


Officially, the fabric8io/kubernetes-client Java client supports the following ways of configuring the client:

This will use settings from different sources in the following order of priority:

  • System properties
  • Environment variables
  • Kube config file
  • Service account token & mounted CA certificate <== your client code tries this

System properties are preferred over environment variables. The following system properties & environment variables can be used for configuration

The easiest solution is to rely on the Kube config file option to access the cluster from outside, e.g.:

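// These classes come from the official Kubernetes Java client (io.kubernetes:client-java)
import io.kubernetes.client.openapi.ApiClient;
import io.kubernetes.client.openapi.ApiException;
import io.kubernetes.client.openapi.Configuration;
import io.kubernetes.client.openapi.apis.CoreV1Api;
import io.kubernetes.client.openapi.models.V1Pod;
import io.kubernetes.client.openapi.models.V1PodList;
import io.kubernetes.client.util.ClientBuilder;
import io.kubernetes.client.util.KubeConfig;
import java.io.FileReader;
import java.io.IOException;

public class KubeConfigFileClientExample {
  public static void main(String[] args) throws IOException, ApiException {

    // file path to your KubeConfig
    String kubeConfigPath = System.getenv("HOME") + "/.kube/config";

    // loading the out-of-cluster config, a kubeconfig from file-system
    ApiClient client =
        ClientBuilder.kubeconfig(KubeConfig.loadKubeConfig(new FileReader(kubeConfigPath))).build();

    // set the global default api-client to the out-of-cluster one from above
    Configuration.setDefaultApiClient(client);

    // the CoreV1Api loads default api-client from global configuration.
    CoreV1Api api = new CoreV1Api();

    // invokes the CoreV1Api client
    V1PodList list =
        api.listPodForAllNamespaces(null, null, null, null, null, null, null, null, null, null);
    for (V1Pod item : list.getItems()) {
      System.out.println(item.getMetadata().getName());
    }
  }
}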

Full code sample can be found here.

Nepomucen answered Oct 22 '22 18:10
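
The answer above names a master URL plus one user authentication method as the minimum for out-of-cluster access. The following is an added example, not code from the answer or from the fabric8 project, that applies this to the question's fabric8 client using a bearer token and the cluster CA certificate instead of `withTrustCerts(true)`. The environment variable names (`K8S_MASTER_URL`, `K8S_BEARER_TOKEN`, `K8S_CA_FILE`) and the class name are assumptions made for the example.

```java
import io.fabric8.kubernetes.client.Config;
import io.fabric8.kubernetes.client.ConfigBuilder;
import io.fabric8.kubernetes.client.DefaultKubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClientException;

public class OutOfClusterPodLog {

  // Read a required setting and fail fast instead of silently falling back.
  static String requireEnv(String name) {
    String value = System.getenv(name);
    if (value == null || value.trim().isEmpty()) {
      throw new IllegalStateException("Missing required environment variable " + name);
    }
    return value.trim();
  }

  public static void main(String[] args) {
    // Hypothetical variable names chosen for this example.
    String master = requireEnv("K8S_MASTER_URL");   // API server URL
    String token = requireEnv("K8S_BEARER_TOKEN");  // bearer token for user authentication
    String caFile = requireEnv("K8S_CA_FILE");      // PEM file with the cluster CA certificate

    // Outside a Pod there is no mounted token, so skip that lookup
    // (system-property form of KUBERNETES_AUTH_TRYSERVICEACCOUNT).
    System.setProperty("kubernetes.auth.tryServiceAccount", "false");

    Config config = new ConfigBuilder()
        .withMasterUrl(master)
        .withOauthToken(token)     // explicit user authentication
        .withCaCertFile(caFile)    // verify the API server against the cluster CA
        .withTrustCerts(false)     // keep TLS certificate verification on
        .build();

    String podName = "xrdpprocan";
    String namespace = "default";
    try (KubernetesClient client = new DefaultKubernetesClient(config)) {
      String log = client.pods().inNamespace(namespace).withName(podName).getLog(true);
      System.out.println(log);
    } catch (KubernetesClientException e) {
      // 401 = token rejected; 403 = token accepted but not authorized to read pod logs
      System.err.println("HTTP " + e.getCode() + ": " + e.getMessage());
    }
  }
}
```

Keeping the token in the environment rather than in source keeps it out of version control; the account behind it only needs permission to read pod logs in the target namespace.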