Fix stale serviceaccount tokens #8

Merged
merged 1 commit into from
May 19, 2022
michelesr

Kubernetes version 1.21 graduated the BoundServiceAccountTokenVolume feature
to beta and enabled it by default. This feature improves security of
service account tokens by requiring a one hour expiry time, over the
previous default of no expiration. This means that applications that do
not refetch service account tokens periodically will receive an HTTP 401
unauthorized error response on requests to Kubernetes API server with
expired tokens.

kubernetes/enhancements#542

This commit forces kube-schedule-scaler to refresh the token every minute,
and acts as a workaround at least until pykube-ng implements automatic
token renewal.

@michelesr michelesr requested review from zhelyan and ruthwells May 18, 2022 14:49
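A caller-side refresh of the kind the description calls for, as an added example that is not code from this pull request or from pykube-ng; `TokenSource`, `jwt_expiry`, `sample_jwt` and the `max_age`/`skew` parameters are hypothetical names. It re-reads the mounted token file on a timer and also whenever the cached token's `exp` claim is close, so the timer can be longer than a minute without the client relying on a cached token that is about to expire.

```python
import base64, json, tempfile, time
from pathlib import Path

TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"  # default in-pod path

def jwt_expiry(token):
    """Read the JWT 'exp' claim (Unix seconds) unverified; used only to time re-reads."""
    try:
        seg = token.split(".")[1]  # payload segment; base64url padding is re-added below
        return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))).get("exp")
    except (IndexError, ValueError, AttributeError):
        return None

class TokenSource:
    """Hypothetical helper: caches the token, re-reads the file when stale or near expiry."""
    def __init__(self, path=TOKEN_PATH, max_age=60, skew=300):
        self.path, self.max_age, self.skew = Path(path), max_age, skew
        self._token, self._read_at, self._exp = None, 0.0, None

    def token(self, now=None):
        now = time.time() if now is None else now
        stale = self._token is None or now - self._read_at >= self.max_age
        expiring = self._exp is not None and now >= self._exp - self.skew
        if stale or expiring:
            self._token = self.path.read_text().strip()
            self._read_at, self._exp = now, jwt_expiry(self._token)
        return self._token

def sample_jwt(exp, sub):
    """Constructed, unsigned sample token for the demo (not a real credential)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"exp": exp, "sub": sub}), "sig"])

def demo():
    """Simulate the token file being rotated while the client holds a cached copy."""
    t0 = 1_000_000.0  # fixed start time so the demo needs no sleeping
    path = Path(tempfile.mkdtemp()) / "token"
    old, new = sample_jwt(t0 + 3600, "old"), sample_jwt(t0 + 7200, "new")
    path.write_text(old)
    src = TokenSource(path, max_age=3600, skew=300)
    src.token(t0)                  # first read caches `old`
    path.write_text(new)           # rotation on disk
    early = src.token(t0 + 100)    # far from expiry: cached `old` is returned
    late = src.token(t0 + 3350)    # within 300 s of `exp`: file is re-read
    return early == old, late == new, jwt_expiry(late)

if __name__ == "__main__":
    print(demo())
```

With the default `max_age=60` the helper behaves like the every-minute refresh described above; the `exp` check only matters when the interval is raised.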

@ruthwells ruthwells left a comment

Refreshing every minute seems a lot for a token that lasts an hour, but if you already have a loop that runs every minute, and there are no adverse overheads from running this frequently, it seems reasonable to use it.

@michelesr michelesr merged commit 7a87f63 into master May 19, 2022
@michelesr michelesr deleted the fix/stale-serviceaccount-token branch May 19, 2022 09:05