Bug
Resolution: Unresolved
4.15.z
Important
Description of problem:
After the upgrade of the cluster from 4.14.17 to 4.15.28, the customer sees that almost all tokens in secrets for Service Accounts in the kube-system namespace, and in some other namespaces as well, were renewed/recreated.

The cluster admin created an SA and, with that, the token secret was automatically created. The admin then collected the token and added it to the external application to access components in the cluster. This causes a huge impact, as those SAs and their tokens are consumed by external applications to access the OpenShift components (kube-apiserver and others).

Per the documentation [1], the secrets should not be changed: "After upgrading to 4.15, any existing service account token secrets are not deleted and continue to function." It creates a huge impact, where the external applications need to be updated with the new tokens, causing disruption of services.

[1] https://docs.openshift.com/container-platform/4.15/authentication/using-service-accounts-in-applications.html#auto-generated-sa-token-secrets_using-service-accounts
Version-Release number of selected component (if applicable):
4.15.28
How reproducible:
Create a custom SA in 4.14. Collect the token.
Steps to Reproduce:
1. 2. 3.
Actual results:
Secrets and tokens were refreshed, so the external application needs to be updated.
Expected results:
Secrets should not be rotated unless they are expired or deleted.
Additional info:
- is related to: OCPBUGS-41524 Add an ACK requirement for upgrading from 4.14 to 4.15 due to the removal of the serviceAccount token secrets (New)
- relates to: OCPBUGS-34425 [Docs] Cleanup Controller does remove all secrets when Image Registry is set to Removed state (ASSIGNED)
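
An added example, not part of the original report or of OpenShift's own tooling: one way to tell which service account token secrets changed across an upgrade, by comparing two snapshots of `oc get secrets -A -o json` taken before and after it. The snapshot contents, secret names and UIDs below are constructed, and the status labels are this example's own.

```python
import hashlib

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"

def index_token_secrets(secret_list):
    """Map (namespace, service account) -> {secret name: (uid, token fingerprint)}."""
    index = {}
    for item in secret_list.get("items", []):
        if item.get("type") != SA_TOKEN_TYPE:
            continue
        meta = item["metadata"]
        sa = meta.get("annotations", {}).get(SA_NAME_ANNOTATION, "")
        # Keep only a fingerprint so the comparison never stores the token itself.
        fp = hashlib.sha256(item.get("data", {}).get("token", "").encode()).hexdigest()
        index.setdefault((meta["namespace"], sa), {})[meta["name"]] = (meta["uid"], fp)
    return index

def diff_token_secrets(before, after):
    """Return (namespace, sa, secret, status) for every pre-upgrade token that changed."""
    old, new = index_token_secrets(before), index_token_secrets(after)
    findings = []
    for (ns, sa), secrets in sorted(old.items()):
        current = new.get((ns, sa), {})
        for name, (uid, fp) in sorted(secrets.items()):
            if name not in current:
                # Gone; a new, differently named token secret for the same SA means replaced.
                status = "replaced" if set(current) - set(secrets) else "deleted"
            elif current[name][0] != uid:
                status = "recreated"      # same name, new object
            elif current[name][1] != fp:
                status = "token-changed"  # same object, different token
            else:
                continue
            findings.append((ns, sa, name, status))
    return findings

def _secret(ns, sa, name, uid, token):  # builds constructed sample data
    return {"type": SA_TOKEN_TYPE, "data": {"token": token},
            "metadata": {"namespace": ns, "name": name, "uid": uid,
                         "annotations": {SA_NAME_ANNOTATION: sa}}}

# Constructed snapshots standing in for the pre- and post-upgrade `oc get secrets` output.
BEFORE = {"items": [_secret("kube-system", "ext-app", "ext-app-token-abcde", "uid-1", "QUFB"),
                    _secret("monitoring", "scraper", "scraper-token-11111", "uid-2", "QkJC"),
                    _secret("apps", "ci", "ci-token-manual", "uid-3", "Q0ND")]}
AFTER = {"items": [_secret("kube-system", "ext-app", "ext-app-token-zzzzz", "uid-9", "RERE"),
                   _secret("monitoring", "scraper", "scraper-token-11111", "uid-8", "RUVF"),
                   _secret("apps", "ci", "ci-token-manual", "uid-3", "Q0ND")]}
```

Every tuple returned by `diff_token_secrets(BEFORE, AFTER)` identifies a token that an external consumer may still hold and that no longer matches what is in the cluster.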