-
Notifications
You must be signed in to change notification settings - Fork 355
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Project serviceAccountToken
volume expirationSeconds
is ignored and always produces a token with an expiry of ten years
#1579
Comments
I'm waiting for our customer to send over the versions - I'll add them to the issue once I've received them |
Potential dupe of #969 ? |
Hey @strideynet, thanks for opening the issues. Yeah, this issue is a duplicate of #969. As noted in the other issue, the implementation was initially done the same way as Kubernetes and has remained the same. Additionally, there would need to be a mechanism to store and load the token-regeneration dates, crons, or whatever the actual implementation may use, as a syncer restart should maintain this regeneration schedule. Since you already pointed out this issue's code location, could you create a PR to add the necessary changes? |
Unfortunately, since we don't use VCluster (although it looks neat!), it'll be difficult for me to carve out time to look at this. |
What happened?
When configuring a projected
serviceAccountVolume
volume you are usually able to set anexpirationSeconds
that controls the expiry time of the token e.gSee https://kubernetes.io/docs/concepts/storage/projected-volumes/#serviceaccounttoken for the Kubernetes side documentation of this.
When inspecting a token produced by this configuration within
vcluster
, we see that instead of producing an expiry of 600 seconds, one of 10 years is produced instead.This is problematic for two reasons:
This issue was reported by a customer of ourselves (Teleport) so I have limited details on the actual cluster configuration.
What did you expect to happen?
The
expirationSeconds
should be respected and used for the service account tokens expiry:How can we reproduce it (as minimally and precisely as possible)?
Add a Projected Service Account token to your PodSpec with a specified
expirationSeconds
and inspect the mounted JWTs expiry.Anything else we need to know?
This looks to be caused by a hardcoded value here:
vcluster/pkg/controllers/resources/pods/translate/translator.go
Line 480 in 0c001e9
Host cluster Kubernetes version
Host cluster Kubernetes distribution
vlcuster version
Vcluster Kubernetes distribution(k3s(default)), k8s, k0s)
OS and Arch
The text was updated successfully, but these errors were encountered: