We currently use the same key for signing service account tokens that we use for TLS:
kube-controller-manager:
  --service-account-private-key-file=/etc/ssl/private/kubestagemaster.svc.codfw.wmnet.key

kube-apiserver:
  --service-account-key-file=/etc/ssl/localcerts/kubestagemaster.svc.codfw.wmnet.crt \
  --tls-cert-file=/etc/ssl/localcerts/kubestagemaster.svc.codfw.wmnet.crt \
  --tls-private-key-file=/etc/ssl/private/kubestagemaster.svc.codfw.wmnet.key
This has already bitten us when changing the TLS cert, as that immediately invalidates all service account tokens (apart from the ones that are automatically created by the controller manager). kubeadm-installed clusters use a separate key for signing the service account tokens so that the two are uncoupled.
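The coupling described above can be checked mechanically from the running command lines, and the fix is a dedicated signing key pair. The script below is an added example written for this task, not code from the original or from Kubernetes; the TLS paths are the ones quoted above, while /etc/kubernetes/pki/sa.key and sa.pub are assumed locations (the kubeadm defaults), and the sample command lines are constructed from the flags in the task.

```shell
#!/bin/sh
# Added example (not from the original task or from Kubernetes): audit whether
# kube-apiserver / kube-controller-manager reuse the TLS key as the service
# account signing key, and generate a dedicated key pair to decouple them.
# /etc/kubernetes/pki/sa.key and sa.pub are assumed paths (kubeadm defaults).

# flag_value FLAG CMDLINE: print the value of --FLAG=VALUE, return 1 if absent.
# CMDLINE is a whitespace-separated argument string, e.g. the output of
#   tr '\0' ' ' < /proc/$(pgrep -o kube-apiserver)/cmdline
flag_value() {
    _flag="$1"
    for _arg in $2; do                       # intentional word splitting
        case "$_arg" in
            "--$_flag="*) printf '%s\n' "${_arg#*=}"; return 0 ;;
        esac
    done
    return 1
}

# sa_key_coupled APISERVER_CMDLINE CM_CMDLINE: print "coupled" and return 1 when
# service account tokens are signed/verified with the TLS material, otherwise
# print "decoupled". Coupled means a TLS cert rotation invalidates every token.
sa_key_coupled() {
    _sa_pub=$(flag_value service-account-key-file "$1") || _sa_pub=""
    _tls_crt=$(flag_value tls-cert-file "$1") || _tls_crt=""
    _tls_key=$(flag_value tls-private-key-file "$1") || _tls_key=""
    _sa_priv=$(flag_value service-account-private-key-file "$2") || _sa_priv=""
    # kube-apiserver falls back to --tls-private-key-file when
    # --service-account-key-file is not given, so an absent flag is coupled too.
    if [ -z "$_sa_pub" ] || [ "$_sa_pub" = "$_tls_crt" ] || [ "$_sa_pub" = "$_tls_key" ]; then
        echo coupled; return 1
    fi
    if [ -n "$_sa_priv" ] && [ "$_sa_priv" = "$_tls_key" ]; then
        echo coupled; return 1
    fi
    echo decoupled
}

# gen_sa_keypair DIR: create a dedicated RSA signing key pair (sa.key, sa.pub)
# so token signing no longer depends on the TLS key. Requires openssl.
gen_sa_keypair() {
    mkdir -p "$1"
    openssl genrsa -out "$1/sa.key" 2048 2>/dev/null
    openssl rsa -in "$1/sa.key" -pubout -out "$1/sa.pub" 2>/dev/null
    chmod 0600 "$1/sa.key"
}

# Constructed sample command lines: CURRENT_* mirror the flags quoted in the
# task, FIXED_* show the decoupled replacement (sa.* paths are assumptions).
CURRENT_APISERVER="kube-apiserver \
  --service-account-key-file=/etc/ssl/localcerts/kubestagemaster.svc.codfw.wmnet.crt \
  --tls-cert-file=/etc/ssl/localcerts/kubestagemaster.svc.codfw.wmnet.crt \
  --tls-private-key-file=/etc/ssl/private/kubestagemaster.svc.codfw.wmnet.key"
CURRENT_CM="kube-controller-manager \
  --service-account-private-key-file=/etc/ssl/private/kubestagemaster.svc.codfw.wmnet.key"
FIXED_APISERVER="kube-apiserver \
  --service-account-key-file=/etc/kubernetes/pki/sa.pub \
  --tls-cert-file=/etc/ssl/localcerts/kubestagemaster.svc.codfw.wmnet.crt \
  --tls-private-key-file=/etc/ssl/private/kubestagemaster.svc.codfw.wmnet.key"
FIXED_CM="kube-controller-manager \
  --service-account-private-key-file=/etc/kubernetes/pki/sa.key"

printf 'current flags: %s\n' "$(sa_key_coupled "$CURRENT_APISERVER" "$CURRENT_CM")"
printf 'fixed flags:   %s\n' "$(sa_key_coupled "$FIXED_APISERVER" "$FIXED_CM")"
```

When switching, note that kube-apiserver accepts --service-account-key-file several times: passing both the new sa.pub and the old TLS cert for the transition keeps already-issued tokens verifiable until they have been reissued, after which the old file can be dropped.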
Further reading:
- https://kubernetes.io/docs/setup/best-practices/certificates/
- https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/
- https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
- https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/