This repository has been archived by the owner on Jul 26, 2022. It is now read-only.

Pod is using stale tokens #926

Closed
albertschwarzkopf opened this issue May 10, 2022 · 1 comment

@albertschwarzkopf

Hi,

The "Bound Service Account Token Volume" feature has graduated to stable and is enabled by default in Kubernetes version 1.22.
I am using "kubernetes-external-secrets:8.5.5" in AWS EKS 1.22 and I have checked whether it is using stale tokens (regarding https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html and https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting.html#troubleshooting-boundservicetoken).

So when the API server receives requests with tokens that are older than one hour, then it annotates the pod with "annotations.authentication.k8s.io/stale-token". In my case I can see the following annotation. E.g.:

"annotations":{"authentication.k8s.io/stale-token":"subject: system:serviceaccount:kube-external-secrets:external-secrets-oidc, seconds after warning threshold: 424"

Version:

kubernetes-external-secrets:8.5.5

Cluster Details:

AWS EKS 1.22

Steps to reproduce issue

  • Enable EKS Audit Logs
  • Query CW Insights (select cluster log group):
fields @timestamp
| filter @message like /seconds after warning threshold/
| parse @message "subject: *, seconds after warning threshold:*\"" as subject, elapsedtime   
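
The same check can be run offline over exported audit events. The following is an added example, not part of the original post or of the kubernetes-external-secrets project: it parses the `authentication.k8s.io/stale-token` annotation format quoted above and groups hits per service account. The sample events, the `userAgent` values and the function name `stale_token_report` are constructed for illustration.

```python
import json
import re
from collections import defaultdict

STALE_KEY = "authentication.k8s.io/stale-token"
# Annotation value format as quoted in the issue above.
STALE_RE = re.compile(
    r"subject: system:serviceaccount:(?P<ns>[^:,\s]+):(?P<sa>[^:,\s]+), "
    r"seconds after warning threshold: (?P<secs>\d+)"
)

# Constructed audit events, one JSON object per line. Only the first
# annotation value comes from the issue; everything else is made up.
SAMPLE_EVENTS = """\
{"auditID":"a1","userAgent":"constructed-agent/1.0","annotations":{"authentication.k8s.io/stale-token":"subject: system:serviceaccount:kube-external-secrets:external-secrets-oidc, seconds after warning threshold: 424"}}
{"auditID":"a2","userAgent":"constructed-agent/1.0","annotations":{"authentication.k8s.io/stale-token":"subject: system:serviceaccount:kube-external-secrets:external-secrets-oidc, seconds after warning threshold: 1024"}}
{"auditID":"a3","userAgent":"other/2.0","annotations":{"authorization.k8s.io/decision":"allow"}}
not json at all
{"auditID":"a4","userAgent":"other/2.0","annotations":{"authentication.k8s.io/stale-token":"subject: system:serviceaccount:default:builder, seconds after warning threshold: 7"}}
"""

def stale_token_report(lines):
    """Return {(namespace, serviceaccount): {"hits", "max_seconds", "user_agents"}}."""
    report = defaultdict(lambda: {"hits": 0, "max_seconds": 0, "user_agents": set()})
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # skip non-JSON lines mixed into a log export
        ann = event.get("annotations") if isinstance(event, dict) else None
        value = ann.get(STALE_KEY) if isinstance(ann, dict) else None
        match = STALE_RE.search(value) if isinstance(value, str) else None
        if not match:
            continue  # event carries no stale-token annotation
        entry = report[(match["ns"], match["sa"])]
        entry["hits"] += 1
        entry["max_seconds"] = max(entry["max_seconds"], int(match["secs"]))
        entry["user_agents"].add(event.get("userAgent", "unknown"))
    return dict(report)

if __name__ == "__main__":
    for (ns, sa), e in sorted(stale_token_report(SAMPLE_EVENTS.splitlines()).items()):
        print(f"{ns}/{sa}: {e['hits']} stale requests, worst {e['max_seconds']}s "
              f"past threshold, agents={sorted(e['user_agents'])}")
```

Grouping by service account and user agent shows which client inside the pod is still sending the old token, which is the component that needs to re-read the projected token file.
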
@Flydiverny
Member

See
