Kubernetes1.21 BoundServiceAccountToken Support #561
Comments
I am having the same issue. The fluentd image we deployed has kubeclient (4.9.3) installed, as shown here. And we are still getting messages in AWS CloudWatch similar to https://docs.aws.amazon.com/eks/latest/userguide/service-accounts.html#identify-pods-using-stale-tokens
Probably it doesn't mean this gem (kubeclient), it means https://github.com/kubernetes-client/ruby:

TOKEN_REFRESH_PERIOD = 60 # 1 minute

But it doesn't seem well maintained; the last update was 1 year ago, and the latest gem version is 0.0.2, released on May 04, 2019.

So probably we need to implement this feature in kubeclient.
It seems that it's already implemented (but not configured by default). When

Lines 356 to 359 in 831e360

Probably we should set
It's implemented on the master branch; it needs to be brought to a releasable state and released as 5.0... One silly task that I've been postponing is going over all the changes in master absent in the v4.y branch and compiling a CHANGELOG... Anyone want to help with that?

[Or you could also backport token reloading to v4.y, but that's not a trivial cherry-pick: the master branch switched to Faraday (and the refresh relies on Faraday features), while v4.y uses rest-client... Given my limited time for kubeclient :-(, I'm not gonna do such a backport myself; moving forward to 5.0 seems more productive, but if somebody else wants to do it I'm happy to review.]
@cben thanks for your reply. Do you have an estimated date for the 5.0 release?
Please see the following change: We made some tests and the issue still exists in
Sorry, but I was wondering if there is an update or maybe even an ETA on this enhancement? Thanks.
Released now in 4.10.0.
We deployed Fluentd on EKS 1.21, and recently we got an email notification that Fluentd is using a stale token. In the email, it claimed the Ruby Kubernetes client should have already taken this into account, but it seems not true in our environment. I have confirmed Fluentd is using the latest kubeclient (4.9.3).
AWS email attached below:
We have identified applications running in one or more of your Amazon EKS clusters that are not refreshing service account tokens. Applications making requests to Kubernetes API server with expired tokens will fail. You can resolve the issue by updating your application and its dependencies to use newer versions of Kubernetes client SDK that automatically refreshes the tokens.
What is the problem?
Kubernetes version 1.21 graduated BoundServiceAccountTokenVolume feature [1] to beta and enabled it by default. This feature improves security of service account tokens by requiring a one hour expiry time, over the previous default of no expiration. This means that applications that do not refetch service account tokens periodically will receive an HTTP 401 unauthorized error response on requests to Kubernetes API server with expired tokens. You can learn more about the BoundServiceAccountToken feature in EKS Kubernetes 1.21 release notes [2].
To enable a smooth migration of applications to the newer time-bound service account tokens, EKS v1.21+ extends the lifetime of service account tokens to 90 days. Applications on EKS v1.21+ clusters that make API server requests with tokens that are older than 90 days will receive an HTTP 401 unauthorized error response.
How can you resolve the issue?
To make the transition to time bound service account tokens easier, Kubernetes has updated the below official versions of client SDKs to automatically refetch tokens before the one hour expiration:
We recommend that you update your application and its dependencies to use one of the above client SDK versions if you are on an older version.