-
Notifications
You must be signed in to change notification settings - Fork 1.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Use TokenRequest API instead of calico-nodes service account token fo…
…r CNI kubeconfig. With projected service account tokens in kubernetes, the service account tokens of pods are bound to the lifetime of the corresponding pod. Therefore, it may lead to problems if an external process re-uses the token of a pod. The CNI binaries used the token of calico-node. However, in case calico-node got stopped the corresponding token lost its validity and hence could no longer be used for CNI operations. Usually, this automatically resolves over time, but there are some edge cases where this is not possible, e.g. if calico-node is autoscaled in terms of resources and the new resource requests would require preemption/eviction of an existing pod the CNI operation to delete the network sandbox will fail due to the no longer valid token (as calico-node was stopped beforehand). This change switches over to using the TokenRequest API instead, i.e. creating new tokens with limited validity. It would have been good to bind the token to an object, e.g. to the corresponding node, but as of now only secret and pod are supported types for binding tokens. Hence, the tokens are only limited in time and not bound to any other kubernetes object.
- Loading branch information
Showing
6 changed files
with
233 additions
and
35 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters