Shorten re-read period for token files to work with ProjectedTokenVolumeSource #72437

Merged
merged 1 commit into from Jan 7, 2019

Member

liggitt commented Dec 30, 2018

What type of PR is this?
/kind bug

What this PR does / why we need it:
Fixes the token file cache period to be short enough to observe refreshed service account tokens before the original expires.

The original 5 minute window (actually 4 minutes because of the 1 minute leeway) could prevent reading a token refreshed 1 second after the last read and expiring 2 minutes later.

Does this PR introduce a user-facing change?:

client-go: shortens refresh period for token files to 1 minute to ensure auto-rotated projected service account tokens are read frequently enough.

/cc @mikedanese
/sig auth
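
The timing argument in the description above, as an added Go simulation (not code from this PR or from client-go). The names `cache` and `staleSeconds`, the one-second step and the 0s leeway in the second call are assumptions of the example; the rule that a read token is reused for period minus leeway is inferred from the description's "5 minute window (actually 4 minutes because of the 1 minute leeway)".

```go
package main

import (
	"fmt"
	"time"
)

// cache models the client side. Assumption taken from the PR text: a token
// read from the file is reused for period-leeway before the file is re-read.
type cache struct {
	period, leeway time.Duration
	readAt, expiry time.Duration // time of last read; expiry of cached token
	loaded         bool
}

// get returns the expiry of the token the client sends at simulated time now;
// fileExpiry is the expiry of the token on disk at that moment.
func (c *cache) get(now, fileExpiry time.Duration) time.Duration {
	if !c.loaded || now >= c.readAt+c.period-c.leeway {
		c.readAt, c.expiry, c.loaded = now, fileExpiry, true
	}
	return c.expiry
}

// staleSeconds steps through one rotation a second at a time and counts the
// seconds in which the client presents an expired token. The first read lands
// one second before the kubelet rewrites the file (the worst case in the PR).
func staleSeconds(lifetime, period, leeway time.Duration) int {
	refreshAt := lifetime * 8 / 10       // kubelet refreshes at 80% of lifetime
	nextRefresh := refreshAt + refreshAt // when the rotated token is itself refreshed
	c := &cache{period: period, leeway: leeway}
	stale := 0
	for now := refreshAt - time.Second; now < nextRefresh; now += time.Second {
		fileExpiry := lifetime // original token still on disk
		if now >= refreshAt {
			fileExpiry = refreshAt + lifetime // rotated token on disk
		}
		if c.get(now, fileExpiry) <= now {
			stale++
		}
	}
	return stale
}

func main() {
	// Constructed inputs: 10 minute lifetime; the 0s leeway is a sample value.
	fmt.Println("5m period, 1m leeway:", staleSeconds(10*time.Minute, 5*time.Minute, time.Minute))
	fmt.Println("1m period, 0s leeway:", staleSeconds(10*time.Minute, time.Minute, 0))
}
```

With the 5 minute period and 1 minute leeway the simulated client presents an expired token for 119 seconds; with the 1 minute period it never does.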

Contributor

k8s-ci-robot commented Dec 30, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Member Author

liggitt commented Dec 30, 2018

/retest

// refreshes a projected service account token and when the original token expires.
// Default token lifetime is 10 minutes, and the kubelet starts refreshing at 80% of lifetime.
// This should induce re-reading at a frequency that works with the token volume source.
period: time.Minute,
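
Review bot: the comment above `period: time.Minute` justifies the value from the "Default token lifetime" of 10 minutes, but the bound that matters is the shortest lifetime a projected token can have, not the default; if 10 minutes is that minimum, the comment should say so. It would also help to spell out the arithmetic there (refreshing at 80% of 10 minutes leaves a 2 minute window before the original token expires) and to state which quantity must stay below that window, so a later change to the period or the leeway gets checked against it.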

krmayankk Dec 30, 2018

Contributor
  • Does this period control the client-go reload of the token after it has been refreshed by the kubelet?
  • Is it configurable?
  • If yes to 1, isn't this dependent on the expirationSeconds in the projected volume?

liggitt Dec 30, 2018

Author Member

It does control the refresh period. It is not configurable. expirationSeconds must be at least 10 minutes.

Member

mikedanese commented Jan 7, 2019

/lgtm
/shrug

@k8s-ci-robot k8s-ci-robot merged commit de4e1ce into kubernetes:master Jan 7, 2019
19 checks passed
@liggitt liggitt deleted the liggitt:shorten-token-re-read branch Jan 8, 2019
k8s-ci-robot added a commit that referenced this pull request Jan 9, 2019
…7-upstream-release-1.13

Automated cherry pick of #72437: Shorten re-read period for token files to work with
k8s-ci-robot added a commit that referenced this pull request Jan 9, 2019
…7-upstream-release-1.12

Automated cherry pick of #72437: Shorten re-read period for token files to work with