Instructions for obtaining Kubernetes service account token manually are incorrect

[liggitt]

Describe the bug

https://github.com/hashicorp/vault/blob/main/website/content/docs/auth/kubernetes.mdx describes how to obtain a Kubernetes service account token manually as:

kubectl get secret "$(kubectl get serviceaccount default -o jsonpath='{.secrets[0].name}')"

This is scraping an auto-generated token, rather than requesting one for external use. The auto-generated tokens are only intended for mounting into pods, and with the transition away from secret-based tokens in Kubernetes 1.22+, new secret-based tokens will no longer be auto-generated in future Kubernetes releases (planned starting in Kubernetes 1.24).

While use of secret-based tokens is discouraged due to their weaker security properties, if one is still needed, https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-service-account-api-token has instructions for manually creating a secret to contain a long-lived token.

https://github.com/hashicorp/vault/blob/main/website/content/docs/auth/kubernetes.mdx should update to align with or reference those instructions.

[tomhjp]

Thanks for raising this - that's a great resource to link to. I agree on the security properties. I am half minded to remove the option altogether, especially now that we have support for auto-reloading projected tokens from 1.9.3. The only thing that gives me pause is the use-case when Vault is not running in the same Kubernetes cluster as the client. I think in most cases I would recommend using Kubernetes as an OIDC provider in that instance (and use Vault's JWT auth).

In any case, I've raised #13852 to address this, but there will probably also be some more updates to the structure/wording of that section in the near future.