403 unauthorized - BoundServiceAccountToken and token refresh support. #675
Comments
|
Looking at 1.17.0-rc1 release: Line 6 in 36bbafc suggests that the k8s api has been upgraded to v0.16.10 According to this https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.21 The client needs to be at least v0.15.7 to refresh tokens, so upgrading your keel version to 1.17.0-rc1 should fix this. |
|
In case it helps anyone, the Keel image tag is image:
tag: 0.17.0-rc1Can review all available images here: https://hub.docker.com/r/keelhq/keel/tags |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Kubernetes version 1.21 defaults to enabling the beta version of BoundServiceAccountTokenVolume by default. Service account tokens now have an expiration of one hour, which means that clients that rely on these tokens must refresh the tokens within an hour.
We've run into keel getting 403 API errors after the tweaked 90d refresh interval has expired on EKS. This was fixed by a Pod restart, thus extending the period to another 90d, but this is a hack that will become bothersome for those environments that use the default 1h period.
It looks like as if the Kubernetes client SDK for Go automatically refresh tokens within the required time frame, so supporting newer k8s versions might be a matter of upgrading the SDK.
Sample trace of the error once the refresh interval is up:
The text was updated successfully, but these errors were encountered: