--- #FIXME(mattymo): Exclude built in secrets that were automatically rotated, #instead of filtering manually - name: Rotate Tokens | Get all serviceaccount tokens to expire shell: >- {{ bin_dir }}/kubectl get secrets --all-namespaces -o 'jsonpath={range .items[*]}{"\n"}{.metadata.namespace}{" "}{.metadata.name}{" "}{.type}{end}' | grep kubernetes.io/service-account-token | egrep 'default-token|kube-dns|dnsmasq|netchecker|weave|calico|canal|flannel|dashboard|cluster-proportional-autoscaler|efk|tiller' register: tokens_to_delete run_once: true - name: Rotate Tokens | Delete expired tokens command: "{{ bin_dir }}/kubectl delete secrets -n {{ item.split(' ')[0] }} {{ item.split(' ')[1] }}" with_items: "{{ tokens_to_delete.stdout_lines }}" run_once: true - name: Rotate Tokens | Delete pods in system namespace command: "{{ bin_dir }}/kubectl delete pods -n {{ system_namespace }} --all" run_once: true