New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Explain life cycle of automatically created secrets in ServiceAccount #24928
Comments
I think this is what happens: token controller (pkg/controller/serviceaccount/tokens_controller.go) lists all the secrets referenced by a service account, and then follows those references to secrets, and checks each secret to see if it is a "service account token. A secret
So, if you happened to delete your serviceAccount (or your upgrade or startup script did, not sure what is happening) and then created one that is identical to the original one, then the new one would have a new uid, so the old secrets won't match, so the token controller will want to make a new one. I think if you check your system, you may see that each of your 3 secrets has a different value for annotation key I'm not sure what is the right thing to do here. Say the system deletes the secret while there are still pods that reference that secret. Things that could maybe go wrong:
|
What version of kubernetes was this cluster running? Prior to 1.2.0, there were conditions around startup or cache-relists where the token controller could accidentally create duplicate secrets. (fixed in #21706 and #22160)
the token controller removes service account token secrets which reference a service account name+uid that doesn't exist. older/newer doesn't matter |
cc @caesarxuchao @lavalamp @gmarek re. cascading deletion |
if that's the case, then @erictune's theory won't explain why there are 3 secrets, since the invalidated ones will be deleted by the token controller. Regarding cascading deletion, if the token controller sets the OwnerReference of the Secret to point to the ServiceAccount, then the garbage collector will delete the Secret when the ServiceAccount is deleted. There will be no need to note down the name and uid in the annotation. |
I'd like clarification about this statement:
I am guessing there were three secrets generated and added to the same service account, which is the bug fixed by the referenced PRs |
@liggitt yes i had 3 secrets and the 3 of them were listed in the would replacing the ServiceAccount that way cause this issue? After I deleted the secrets, the |
/sig docs |
Issues go stale after 90d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Hello,
I faced this issue: #24829 with DNS, and it ended up being a problem with my ServiceAccount
secret
token that was invalid.I had 3 secrets in my
kube-system
ServiceAccount for some reason.I understand that when
secrets
are deleted, a new token is generated and associated with the ServiceAccount.I just don't understand how I ended up with 3 secrets, and how one (maybe 2?) was invalid.
apiserver
start? onkubelet
start?When invalidated, shouldn't these automatically generated tokens also be automatically removed from the ServiceAccount?
Thanks
The text was updated successfully, but these errors were encountered: