Clone of https://github.com/openshift/origin/issues/7011 When logged in with a service account token, `oc logout` does not remove the token from the kubeconfig Example: ``` sh $ oc new-project my-project Now using project "my-project" on server "https://10.13.137.174:8443". $ oc sa new my-sa serviceaccount/my-sa $ oc login --token="$( oc sa get-token my-sa )" Logged into "https://10.13.137.174:8443" as "system:serviceaccount:my-project:my-sa" using the token provided. $ oc logout Error from server: oauthaccesstokens "<snip>" not found $ oc whoami system:serviceaccount:my-project:my-sa ``` The token cannot be deleted via the API, but it should be removed from the kubeconfig.
Related PR: https://github.com/openshift/origin/pull/12962
Fixed in https://github.com/openshift/origin/pull/12962
This has been merged into ocp and is in OCP v3.5.0.34 or newer.
Verified in oc v3.5.0.34. $ oc create serviceaccount my-sa serviceaccount "my-sa" created $ oc login --token="$( oc sa get-token my-sa )" Logged into "https://<master>:8443" as "system:serviceaccount:xxia-proj:my-sa" using the token provided. $ oc logout Logged "system:serviceaccount:xxia-proj:my-sa" out on "https://<master>:8443" $ oc whoami Error from server (Forbidden): User "system:anonymous" cannot get users at the cluster scope From above result, oc logout can logout a serviceaccount token
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0884