Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix stale serviceaccount tokens #8

Merged
merged 1 commit into from
May 19, 2022
Merged

Fix stale serviceaccount tokens #8

merged 1 commit into from
May 19, 2022

Conversation

michelesr
Copy link

Kubernetes version 1.21 graduated BoundServiceAccountTokenVolume feature
to beta and enabled it by default. This feature improves security of
service account tokens by requiring a one hour expiry time, over the
previous default of no expiration. This means that applications that do
not refetch service account tokens periodically will receive an HTTP 401
unauthorized error response on requests to Kubernetes API server with
expired tokens

kubernetes/enhancements#542

This commit forces kube-schedule-scaler to refresh token every minute,
and acts as workaround at least until pykube-ng implements automatic
token renewal.

@michelesr
Fix stale serviceaccount tokens
2d794f6 
Kubernetes version 1.21 graduated BoundServiceAccountTokenVolume feature
to beta and enabled it by default. This feature improves security of
service account tokens by requiring a one hour expiry time, over the
previous default of no expiration. This means that applications that do
not refetch service account tokens periodically will receive an HTTP 401
unauthorized error response on requests to Kubernetes API server with
expired tokens

kubernetes/enhancements#542

This commit forces kube-schedule-scaler to refresh token every minute,
and acts as workaround at least until pykube-ng implements automatic
token renewal.
ruthwells
ruthwells approved these changes May 18, 2022
View reviewed changes
Copy link

@ruthwells ruthwells left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

refreshing every minute seems a lot for a token that lasts an hour, but if you already have a loop that runs every minute, and there are no adverse overheads from running this frequently it seems reasonable to use it.

@michelesr michelesr merged commit 7a87f63 into master May 19, 2022
@michelesr michelesr deleted the fix/stale-serviceaccount-token branch May 19, 2022 09:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ruthwells ruthwells ruthwells approved these changes

@zhelyan zhelyan zhelyan approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@michelesr @zhelyan @ruthwells