How to regenerate Service Account tokens in Kubernetes

Table of Contents


At times Service Account tokens could be rendered invalid. This could be due to restoring etcd backups or regenerating CA certificates within your cluster.

This problem manifests in clients unable to authenticate against the Kubernetes API, for both pods within the cluster, or system components like the controller-manager or kube-proxy. A telling sign would be errors in these clients of the format connect: connection refused or within the Kubernetes API Server logs, showing a large number of clients failing TLS authentication.


With an admin kubeconfig sourced for the cluster facing issues, run the command below, to generate the list of kubectl commands required to delete all Service Account token secrets. After running the provided kubectl commands from the output, you will need to recreate pods, e.g. by deleting them, in order to regenerate the Service Account token.

kubectl get secret --all-namespaces | awk '{ if ($3 == "") print "kubectl -n", $1 " delete secret", $2 }'
Was this article helpful?
0 out of 0 found this helpful



Please sign in to leave a comment.