fix #2271: Refresh token every minute #4264
Conversation
Kudos, SonarCloud Quality Gate passed!
@manusa Would it be possible to get a review on this work?
Yes, this is the next one going in, should be out in next 6.1.0 (with maybe some follow-ups too)
I think this is more of a brute force approach to refresh service account token. Could we attempt to test for recommended
Signed-off-by: Marc Nuri <[email protected]>
thread continues here: #2271 (comment)
Description
Should address #2271.
Platforms such as Amazon EKS since 1.21 rely on BoundServiceAccountTokenVolume to have time-limited access tokens.

> It is expected from kubernetes client implementations to refresh the configuration periodically to get a new token.

From the Kubernetes 1.21 release notes.
Prior work from #3105 addressed it once the token expired; however, it doesn't address the current situation where the token is actually valid for 90 days but expected to be refreshed at least every hour. This triggers audit log events in AWS which can lead users to think their client will break once the token really expires.

This introduces a proactive approach of refreshing the token from disk if the current token was retrieved more than one minute ago.
For oidc implementation, I'm not knowledgeable enough to determine whether a more optimal solution could be implemented using some alternate validity timestamp.
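The refresh behaviour the description proposes (re-read the projected token file once the cached copy is older than a minute, regardless of whether the JWT has expired yet), as an added, stand-alone illustration in Python. This is not the kubernetes-client's own Java code and does not use its API. Assumptions: the token is mounted at the standard projected-volume path (`DEFAULT_TOKEN_PATH`), the reload interval is the one minute the PR proposes, and `FakeClock`, `make_unsigned_jwt` and `simulate_rotation` are hypothetical helpers that only exist so the rotation can be simulated offline with a constructed, unsigned token. The `exp` claim is read without verifying the signature, because the client is not the token's audience and only uses it for diagnostics; trust decisions stay with the API server.

```python
import base64
import json
import os
import tempfile
import time

# Standard mount point of the projected (bound) service-account token (assumption).
DEFAULT_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
REFRESH_INTERVAL_SECONDS = 60  # the one-minute interval proposed in the PR


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_expiry(token: str):
    """Return the JWT 'exp' claim (seconds since epoch) or None if absent/unparseable.
    The signature is NOT verified: this is only for deciding/reporting staleness."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 (binascii.Error) or bad JSON both derive from ValueError
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return exp if isinstance(exp, (int, float)) else None


class FileTokenSource:
    """Serve the token from disk, re-reading it once the cached copy is older
    than refresh_interval, even if the cached JWT has not expired yet."""

    def __init__(self, path=DEFAULT_TOKEN_PATH,
                 refresh_interval=REFRESH_INTERVAL_SECONDS, clock=time.monotonic):
        self.path = path
        self.refresh_interval = refresh_interval
        self.clock = clock          # injectable so rotation can be simulated
        self._token = None
        self._loaded_at = None
        self.reloads = 0            # successful reads from disk

    def _load(self):
        with open(self.path, encoding="utf-8") as f:
            token = f.read().strip()
        if not token:
            raise ValueError(f"empty token file: {self.path}")
        self._token = token
        self._loaded_at = self.clock()
        self.reloads += 1

    def token(self):
        """Return a token, reloading from disk when the cached one is stale."""
        now = self.clock()
        stale = self._token is None or now - self._loaded_at >= self.refresh_interval
        if stale:
            try:
                self._load()
            except (OSError, ValueError):
                # Design choice for this example: if the file is briefly unreadable
                # (e.g. mid-rotation), keep serving the last good token instead of
                # failing the request. With nothing cached there is no fallback.
                if self._token is None:
                    raise
        return self._token


class FakeClock:
    """Hypothetical monotonic clock that only moves when told to."""
    def __init__(self, start=0.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT for the demo only; never mint real tokens this way."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}.sig"


def simulate_rotation():
    """Write a constructed token, rotate it like the kubelet would, and report
    when the source actually reloads it from disk."""
    clock = FakeClock(start=1_000.0)
    sub = "system:serviceaccount:default:app"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "token")
        first = make_unsigned_jwt({"sub": sub, "iat": 1, "exp": 3601})
        with open(path, "w", encoding="utf-8") as f:
            f.write(first)
        src = FileTokenSource(path, clock=clock)
        t0 = src.token()            # first call always reads from disk
        clock.advance(30)
        t1 = src.token()            # 30 s later: cached copy, no reload
        second = make_unsigned_jwt({"sub": sub, "iat": 3000, "exp": 6600})
        with open(path, "w", encoding="utf-8") as f:
            f.write(second)         # simulated kubelet rotation of the projected file
        t2 = src.token()            # still inside the interval: old token served
        clock.advance(31)
        t3 = src.token()            # >= 60 s since load: re-read, new token served
        return {
            "reloads": src.reloads,
            "served_old_before_interval": t1 == first and t2 == first,
            "served_new_after_interval": t3 == second,
            "old_exp": token_expiry(t0),
            "new_exp": token_expiry(t3),
        }


if __name__ == "__main__":
    print(simulate_rotation())
```

Note that the reload is driven purely by wall time since the last read, not by the `exp` claim; that is what makes it work on EKS, where the file is rewritten long before the 90-day expiry. `token_expiry` is only there so an operator can log how far from expiry the served token is.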