token expire work with watch client? #1381

Closed
FANHIDE opened this issue Oct 22, 2024 · 1 comment
FANHIDE commented Oct 22, 2024

We are using the Go Kubernetes client. Recently we have had some token expiration issues for some deployments running for more than 1 year.

Calico issue: projectcalico/calico#5910
Java-client issue: fabric8io/kubernetes-client#4264

This is because K8s made some changes to service account token renewal.
Since k8s 1.21, service account tokens have a lifespan of one hour (short-lived & rotation). The token expiration is actually 365 days.

I am wondering about the Go client code with a watch client: will the watch client renew the token, or get a 401 to renew the token?

Member

liggitt commented Oct 22, 2024

When a client-go client is constructed pointing at a token file (as the default in-cluster config does), it re-reads that token once a minute:

```go
// NewCachedFileTokenSource returns a resettable token source which reads a
// token from a file at a specified path and periodically reloads it.
func NewCachedFileTokenSource(path string) *cachingTokenSource {
```

As long as the token on disk is refreshed at least a minute prior to expiration (which the kubelet automatically handles for tokens injected into pods), the client re-reads a refreshed token and starts using it for requests without being interrupted.

Requests are only authenticated when they are initialized, so if a single request lives longer than the token lifetime (like a watch request), the token expiration does not cause any issues.

liggitt closed this as completed Oct 22, 2024
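
The reload behaviour described in the answer above, as an added example that is not part of the thread and is not client-go's code: a simplified file-backed token source that caches the token and re-reads the file once a minute has passed. The names `reloadingToken` and `rotationDemo`, the token values and the file path are assumptions made for the illustration, and the token file is constructed by the demo itself.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"sync"
	"time"
)

// reloadingToken is a simplified stand-in, not client-go's code: it caches the
// token and re-reads path once period has passed since the last read.
type reloadingToken struct {
	mu           sync.Mutex
	path, cached string
	period       time.Duration
	readAt       time.Time
}

// Token takes the current time as an argument so the demo needs no sleeping.
func (s *reloadingToken) Token(now time.Time) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.cached != "" && now.Sub(s.readAt) < s.period {
		return s.cached, nil
	}
	b, err := os.ReadFile(s.path) // a failed read clears the cache and is retried next call
	s.cached, s.readAt = strings.TrimSpace(string(b)), now
	return s.cached, err
}

// rotationDemo rotates a constructed token file at 30s; returns the token used at 0s, 30s, 61s.
func rotationDemo(path string) (used []string, err error) {
	src := &reloadingToken{path: path, period: time.Minute}
	for i, sec := range []int64{0, 30, 61} {
		if i < 2 { // stand-in for the kubelet: tok-0 at 0s, rotated to tok-1 at 30s
			if err = os.WriteFile(path, []byte(fmt.Sprintf("tok-%d\n", i)), 0o600); err != nil {
				return nil, err
			}
		}
		var tok string
		if tok, err = src.Token(time.Unix(sec, 0)); err != nil {
			return nil, err
		}
		used = append(used, tok)
	}
	return used, nil
}

func main() { fmt.Println(rotationDemo(os.TempDir() + "/demo-sa-token")) }
```

The request started at 30s still carries the old token because the cache is younger than a minute; the rotated token is picked up by the first request after the reload period, which is why the file on disk has to be refreshed ahead of expiry.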