ServiceAccount token signature is invalid #3943

Open
@ciiiii

What happened:
Parsing a ServiceAccount token with jwt.io shows that the signature is invalid.

example token: eyJhbGciOiJSUzI1NiIsImtpZCI6IktuSHVBbUNtbXFIOHRlZ203WGl2SUtoS3JNZlRLaFR3SV81MFN2T0xGemsifQ. 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. UcMQD8HK_nh4yMWwj01GyOQ_eF87VQb3bEgUwRFLyb3Ccbw8WFzx7LMMd_b2CiaVt1snJ-ghd6VTBZu3JgjuQEFeslXcrgBkJnArIr0eZ9Buihe6NYNIPgRqDJ9RxLYYC_jwLNrrOJMfciKUuKG5v-M4NPJ4tFpnzJPCVSYtUuv8IoVXtOK9vz3DiFeBVp8cRaYr569j6ijSUcHutaBFD6_rm21NkQOTbBXFHtaDLu3mUcUZ6x5ip3suKBXtVsOr9LHLMc2sremuYP8CHIreMQHmOBC79A1tlF2kvaq8xH0S4akfRueLzvfhWfnLDAbgrMelwrfwlLTtaGaUjrU5YQ

What you expected to happen:

The token signature should be valid.

How to reproduce it (as minimally and precisely as possible):

  1. Create a kind cluster with the default configuration
  2. Get the ServiceAccount token /var/run/secrets/kubernetes.io/serviceaccount/token from a random Pod
  3. Parse the token with jwt.io or something like that

Anything else we need to know?:

Environment:

  • kind version: (use kind version): kind v0.27.0 go1.23.6 linux/arm64
  • Runtime info: (use docker info, podman info or nerdctl info)
    Server: Docker Engine - Community
     Engine:
      Version:          28.2.2
      API version:      1.50 (minimum version 1.24)
      Go version:       go1.24.3
      Git commit:       45873be
      Built:            Fri May 30 12:07:29 2025
      OS/Arch:          linux/arm64
      Experimental:     false
     containerd:
      Version:          1.7.27
      GitCommit:        05044ec0a9a75232cad458027ca83437aae3f4da
     runc:
      Version:          1.2.5
      GitCommit:        v1.2.5-0-g59923ef
     docker-init:
      Version:          0.19.0
      GitCommit:        de40ad0
    
  • OS (e.g. from /etc/os-release): Ubuntu 24.04.2 LTS
  • Kubernetes version: (use kubectl version):
    Client Version: v1.33.1
    Kustomize Version: v5.6.0
    Server Version: v1.31.6
    
  • Any proxies or other special environment settings
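
Added example, not part of the original issue or of kind's code: the example token's header declares RS256, and an RS256 signature can only be checked against the signer's public key, selected by the header's kid (a cluster's API server publishes its keys as a JWKS at /openid/v1/jwks). The sketch below does that check with the Python standard library only; the toy key built from two Mersenne primes, the kid "demo-kid" and the sample claims are constructed for the demo.

```python
import base64, hashlib, hmac, json

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
# Constructed toy key (product of the Mersenne primes 2^521-1 and 2^607-1); demo only
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
K = (N.bit_length() + 7) // 8  # modulus length in bytes

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa(msg, k):
    # EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 || DigestInfo || SHA-256(msg), k bytes
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rs256(token, jwks):
    """Check a compact JWT against a JWKS dict; returns (ok, reason)."""
    try:
        h64, p64, s64 = token.split(".")
        header, sig = json.loads(b64d(h64)), b64d(s64)
    except ValueError:
        return False, "malformed token"
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        return False, "unexpected alg"
    jwk = next((j for j in jwks.get("keys", []) if j.get("kid") == header.get("kid")), None)
    if jwk is None:
        return False, "no key for kid"  # verifier was not given the signer's key
    n = int.from_bytes(b64d(jwk["n"]), "big")
    e = int.from_bytes(b64d(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False, "signature mismatch"
    recovered = pow(s, e, n).to_bytes(k, "big")
    ok = hmac.compare_digest(recovered, emsa(f"{h64}.{p64}".encode(), k))
    return ok, "ok" if ok else "signature mismatch"

def demo_token(claims, kid="demo-kid"):
    # Sign constructed claims with the toy private key so the verifier has input
    signed = b64e(json.dumps({"alg": "RS256", "kid": kid}).encode()) + "." + b64e(json.dumps(claims).encode())
    m = int.from_bytes(emsa(signed.encode(), K), "big")
    sig = pow(m, pow(E, -1, (P - 1) * (Q - 1)), N)
    return signed + "." + b64e(sig.to_bytes(K, "big"))

def demo_jwks(kid="demo-kid"):
    return {"keys": [{"kty": "RSA", "kid": kid, "n": b64e(N.to_bytes(K, "big")), "e": b64e(E.to_bytes(3, "big"))}]}
```

The same token verifies against a JWKS that contains its kid and fails with "no key for kid" against one that does not, so the outcome depends on which keys the verifier was handed.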

Labels: kind/bug (Categorizes issue or PR as related to a bug.)