Refreshing service account tokens for cluster #9417

Closed
junjunjunk opened this issue May 16, 2022 · 5 comments
Labels
enhancement New feature or request

Comments

@junjunjunk

Summary

EKS clusters have a new feature, "Bound Service Account Token Volume".
Because of this feature, we need to refresh the service account token at least once an hour.

Motivation

The "Bound Service Account Token Volume" feature has graduated to stable and is enabled by default in Kubernetes version 1.22.
https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.21
With this feature, service account tokens now have an expiration of one hour, even though they didn't have an expiration in previous Kubernetes versions.

Argo CD uses a service account and its token to access and send requests to the cluster.
https://argo-cd.readthedocs.io/en/stable/user-guide/commands/argocd_cluster_add/

Proposal

Implement a feature that refreshes the service account token.

@junjunjunk junjunjunk added the enhancement New feature or request label May 16, 2022
@logamanig

Hi @junjunjunk, the ticket was closed after being marked as an enhancement. Is this enhancement implemented already, and what is the min. version that has this enhancement? We are planning to upgrade our EKS to v1.22; will this affect Argo CD with remote clusters? Your response on this would be much appreciated!!

@logamanig

> logamanig commented Jun 22, 2022
>
> Hi @junjunjunk, the ticket was closed after being marked as an enhancement. Is this enhancement implemented already, and what is the min. version that has this enhancement? We are planning to upgrade our EKS to v1.22; will this affect Argo CD with remote clusters? Your response on this would be much appreciated!!

Could anyone advise me on this, pls?

@junjunjunk
Author

@logamanig
Hi @logamanig.
Sorry I didn't notice the mentions.

> is this enhancement implemented already and what is the min.

In conclusion, it has already been implemented.
I have not investigated the minimum version, but I am aware that the AWS documentation states that as long as ArgoCD uses the Kubernetes client SDK above a certain version, there is no problem.

https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.21

> BoundServiceAccountTokenVolume graduated to beta and is enabled by default in Kubernetes version 1.21. This feature improves security of service account tokens by allowing workloads running on Kubernetes to request JSON web tokens that are audience, time, and key bound. Service account tokens now have an expiration of one hour. In previous Kubernetes versions, they didn't have an expiration. This means that clients that rely on these tokens must refresh the tokens within an hour. The following Kubernetes client SDKs refresh tokens automatically within the required time frame:
>
> - Go version 0.15.7 and later
> - Python version 12.0.0 and later
> - Java version 9.0.0 and later
> - JavaScript version 0.10.3 and later
> - Ruby master branch
> - Haskell version 0.3.0.0
> - C# version 7.0.5 and later

@logamanig

Hi @junjunjunk , Thank you for your response!

@junjunjunk
Author

For example, ArgoCD v2.3.5 uses SDK v0.23.1, as shown below.
So no special handling is required.

argo-cd/go.mod

Line 82 in 1287d24

k8s.io/client-go v0.23.1
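
Added example, not part of the thread and not Argo CD's code: a Go helper that decodes the JWT payload of a stored service account token to tell a legacy non-expiring token from a time-bound one, and reports how long remains before it must be refreshed. `InspectToken`, `sampleToken` and the sample claims are constructed for illustration, and the signature is deliberately not verified.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// InspectToken decodes the JWT payload WITHOUT verifying the signature (audit use only).
// bound is true when an "exp" claim exists; remaining is negative once the token has expired.
func InspectToken(token string, now time.Time) (bound bool, remaining time.Duration, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false, 0, fmt.Errorf("expected 3 JWT segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return false, 0, fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims struct {
		Exp *float64 `json:"exp"` // NumericDate; absent on tokens that never expire
	}
	if err = json.Unmarshal(raw, &claims); err != nil {
		return false, 0, fmt.Errorf("payload is not JSON: %w", err)
	}
	if claims.Exp != nil {
		bound = true
		remaining = time.Unix(int64(*claims.Exp), 0).Sub(now)
	}
	return bound, remaining, nil
}

// sampleToken wraps claims JSON in a constructed, unsigned JWT-shaped string.
func sampleToken(claims string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"RS256"}`)) + "." + enc([]byte(claims)) + "." + enc([]byte("constructed"))
}

func main() {
	now := time.Unix(1700000000, 0) // fixed clock so the output is reproducible
	samples := []string{`{"iss":"constructed-legacy"}`, `{"exp":1700003600}`, `{"exp":1699999000}`}
	for _, c := range samples {
		bound, remaining, err := InspectToken(sampleToken(c), now)
		fmt.Printf("bound=%v remaining=%v err=%v\n", bound, remaining, err)
	}
}
```

A token that reports `bound=true` is only safe for a long-running client if that client re-reads or re-requests it before `remaining` reaches zero.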
