Bug
Resolution: Unresolved
Major
Description of problem:
When we mount a service account to the VM and check the token inside the VM, it contains the name of the virt-launcher pod. However, after the VM migration this name still shows the old virt-launcher pod; as a result, the token becomes useless.
Version-Release number of selected component (if applicable):
4.9.1
How reproducible:
Always
Steps to Reproduce:
1. Mount a service account to the VM
2. Migrate the VM
3. Check the token inside the VM; the token has a field which shows the old virt-launcher pod
Actual results:
oc get pods
NAME                         READY   STATUS      RESTARTS   AGE
virt-launcher-xtbx02-7pnhq   0/1     Completed   0          18m
virt-launcher-xtbx02-dmbbl   1/1     Running     0          3m18s
The token after the migration:
jwt:
{
  "aud": [
    "https://kubernetes.default.svc"
  ],
  "exp": 1672934711,
  "iat": 1641398711,
  "iss": "https://kubernetes.default.svc",
  "kubernetes.io": {
    "namespace": "s-testbox-02",
    "pod": {
      "name": "virt-launcher-xtbx02-7pnhq",   <-----------------------------
      "uid": "58ea2a5f-9794-433c-845b-76c69634752f"
    },
    "serviceaccount": {
      "name": "murphy",
      "uid": "9cbdd2ea-4fc3-4ffc-a966-bb761ed4ba60"
    },
    "warnafter": 1641402318
  },
  "nbf": 1641398711,
  "sub": "system:serviceaccount:s-testbox-02:murphy"
}
Expected results:
It should reference virt-launcher-xtbx02-dmbbl
Additional info:
As a workaround, a secret with the token can be mounted to the VM.
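A way to confirm the stale binding described in this report, as an added example (not part of the original report or of the product's code): decode the token payload and compare the `kubernetes.io` pod name with the running virt-launcher pod taken from `oc get pods`. The function names and the unsigned sample token are constructed for illustration, and the signature is not verified.

```python
import base64
import json
import time


def decode_claims(token):
    """Return the JWT payload as a dict. Inspection only: the signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def check_binding(token, running_pod, now=None):
    """List mismatches between the token's bound pod and the pod now running the VM."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    findings = []
    pod = claims.get("kubernetes.io", {}).get("pod")
    if pod is None:
        findings.append("token carries no pod binding")
    elif pod.get("name") != running_pod:
        findings.append(f"bound to {pod.get('name')}, but running pod is {running_pod}")
    exp = claims.get("exp")
    if exp is not None and now >= exp:
        findings.append("token expired")
    return findings


def make_sample(pod_name):
    """Constructed, unsigned sample token reusing claim values shown in this report."""
    claims = {
        "exp": 1672934711,
        "iat": 1641398711,
        "kubernetes.io": {"namespace": "s-testbox-02", "pod": {"name": pod_name}},
        "sub": "system:serviceaccount:s-testbox-02:murphy",
    }

    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    stale = make_sample("virt-launcher-xtbx02-7pnhq")
    print(check_binding(stale, "virt-launcher-xtbx02-dmbbl", now=1641400000))
```

An empty list means the token is bound to the pod that is actually running and has not expired.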
- clones: CNV-15619 [2037611] The service account does not refresh after VM migration (Closed)
- is blocked by: RHEL-71305 CNV virtiofsd integration ConfigMap/Secret/ServiceAccount/DownwardAPI (In Progress)