使用 kubectl create 没有服务帐户的字段管理器，但使用 kubectl apply

我在 CAPI 集群上创建一个空服务帐户

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot

使用 kubectl create 和 kubectl apply。

kubectl 创建

$ k get sa -oyaml --show-managed-fields
apiVersion: v1
items:
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    creationTimestamp: "2024-01-24T15:11:24Z"
    name: build-robot
    namespace: default
    resourceVersion: "7337504"
    uid: e2414d28-d897-4099-ac5d-699c89835615
  secrets:
  - name: build-robot-token-77p6d 

kubectl 应用

$ k get sa -oyaml --show-managed-fields
apiVersion: v1
items:
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"build-robot","namespace":"default"}}
    creationTimestamp: "2024-01-24T15:10:55Z"
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:secrets:
          .: {}
          k:{"name":"build-robot-token-8rqgq"}: {}
      manager: kube-controller-manager
      operation: Update
      time: "2024-01-24T15:10:55Z"
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:kubectl.kubernetes.io/last-applied-configuration: {}
      manager: kubectl-client-side-apply
      operation: Update
      time: "2024-01-24T15:10:55Z"
    name: build-robot
    namespace: default
    resourceVersion: "7337399"
    uid: 0bac2513-844f-4526-b374-3642bdf26838
  secrets:
  - name: build-robot-token-8rqgq 

“kubectl apply”服务帐户通过

kube-controller-manager

获得托管字段（秘密），而“kubectl create”服务帐户则不受托管。我不明白这个。

我用吊舱尝试了同样的实验。两种情况下的所有托管字段都是相同的（除了我期望不同的字段，例如

last-applied-configuration

）。

kubectl create sa build-robot --save-config=true