-
Notifications
You must be signed in to change notification settings - Fork 39k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kubeadm: change the default bootstrap token TTL to 24 hours #48783
kubeadm: change the default bootstrap token TTL to 24 hours #48783
Conversation
Hi @mattmoyer. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/ok-to-test |
// Default behaviour is "never expire" == 0 | ||
DefaultTokenDuration = 0 | ||
// Default behaviour is 2 hours | ||
DefaultTokenDuration = 2 * time.Hour |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As you said this have possibility to break existing users, @luxas Do we have any rollout plan to avoid this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Inform users very well I suppose
@mattmoyer Please cc me on kubeadm PRs so it's easier for me to notice ;) @jbeda @mattmoyer Could we make this a day (24 hrs) instead? |
7b5f534
to
59f9841
Compare
This adds a warning to `kubeadm init` and `kubeadm token create` if they are run without the `--token-ttl` / `--ttl` flags. In 1.7 and before, the tokens generated by these commands defaulted to an infinite TTL (no expiration) in 1.8, they will generate a token with a 24 hour TTL. The actual default change is in kubernetes#48783. This change is separate so we can cherry pick the warning into the release-1.7 branch.
/lgtm Thanks @mattmoyer! |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: luxas, mattmoyer Associated issue: 343 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
Automatic merge from submit-queue (batch tested with PRs 48572, 48838, 48931, 48783, 47090) |
…t-token-ttl-warning Automatic merge from submit-queue (batch tested with PRs 48572, 48838, 48931, 48783, 47090) kubeadm: add a warning about the default token TTL changing in 1.8 **What this PR does / why we need it**: This adds a warning to `kubeadm init` and `kubeadm token create` if they are run without the `--token-ttl` / `--ttl` flags. In 1.7 and before, the tokens generated by these commands defaulted to an infinite TTL (no expiration) in 1.8, they will generate a token with a 24 hour TTL. The actual default change is in kubernetes#48783. This change is separate so we can cherry pick the warning into the `release-1.7` branch. **Which issue this PR fixes**: ref kubernetes/kubeadm#343 **Special notes for your reviewer**: This change is blocked on kubernetes/kubeadm#343. These warnings should probably be removed in the 1.9 cycle. **Release note**: ```release-note Add a runtime warning about the kubeadm default token TTL changes in 1.8. ``` /assign @luxas
This adds a warning to `kubeadm init` and `kubeadm token create` if they are run without the `--token-ttl` / `--ttl` flags. In 1.7 and before, the tokens generated by these commands defaulted to an infinite TTL (no expiration) in 1.8, they will generate a token with a 24 hour TTL. The actual default change is in kubernetes#48783. This change is separate so we can cherry pick the warning into the release-1.7 branch.
This was broken because the API machinery defaulting mechanism couldn't differentiate between an unset value (which should default to 24 hours) and a value explicitly set to 0 (which should mean infinite). The fix is to change `TokenTTL` from a `metav1.Duration` to `*metav1.Duration` so that `nil` can represent the unspecified value. This bug was introduced in kubernetes#48783.
This was broken because the API machinery defaulting mechanism couldn't differentiate between an unset value (which should default to 24 hours) and a value explicitly set to 0 (which should mean infinite). The fix is to change `TokenTTL` from a `metav1.Duration` to `*metav1.Duration` so that `nil` can represent the unspecified value. This bug was introduced in kubernetes#48783.
This was broken because the API machinery defaulting mechanism couldn't differentiate between an unset value (which should default to 24 hours) and a value explicitly set to 0 (which should mean infinite). The fix is to change `TokenTTL` from a `metav1.Duration` to `*metav1.Duration` so that `nil` can represent the unspecified value. This bug was introduced in kubernetes#48783.
This was broken because the API machinery defaulting mechanism couldn't differentiate between an unset value (which should default to 24 hours) and a value explicitly set to 0 (which should mean infinite). The fix is to change `TokenTTL` from a `metav1.Duration` to `*metav1.Duration` so that `nil` can represent the unspecified value. This bug was introduced in kubernetes#48783.
What this PR does / why we need it:
This PR changes the TTL for the default bootstrap token generated by
kubeadm init
(without the--token-ttl
parameter) andkubeadm token create
(without the--ttl
flag). Previously, the default TTL was infinite. After this change it is 24 hours.The reasoning for 2 hours as a default is that it's 1) long enough that someone manually using kubeadm (copy-pasting) shouldn't have any issues and 2) short enough that if something is going to break, it should break while the user/admin is still paying attention to the cluster. I'm open to bikeshedding about the exact value, 2 hours is a bit of a strawman.Edit: updated this to 24 hours instead of 2 hours.
This is a breaking change if you rely on infinite TTL tokens (e.g., if you had an ASG group of worker nodes). The old behavior is easily restored by passing
--token-ttl 0
tokubeadm init
or the--ttl 0
flag tokubeadm token create
.Which issue this PR fixes: fixes kubernetes/kubeadm#343
Special notes for your reviewer:
This was discussed earlier today in SIG-cluster-lifecycle
Release note:
cc @jbeda