OpenShift Virtualization: CNV-33835

The service account does not refresh after VM migration

    • Bug
    • Resolution: Unresolved
    • Major
    • CNV v4.17.0
    • CNV Virtualization
    • Release Notes
      OpenShift Virtualization links a service account token in use by a pod to that specific pod. OpenShift Virtualization implements a service account volume by creating a disk image that contains a token. If you migrate a VM, then the service account volume becomes invalid. (BZ#2037611)

      As a workaround, use user accounts rather than service accounts because user account tokens are not bound to a specific pod.
    • Known Issue
    • Done
    • Medium

      Description of problem:
      When we mount a service account to the VM and check the token inside the VM, it contains the name of the virt-launcher pod; however, after the VM migration this name still shows the old virt-launcher pod. As a result, the token becomes useless.

      Version-Release number of selected component (if applicable):
      4.9.1

      How reproducible:
      Always

      Steps to Reproduce:
      1. Mount a service account to the VM
      2. Migrate the VM
      3. Check the token inside the VM; the token has a field which shows the old virt-launcher pod

      Actual results:
      oc get pods
      NAME                         READY   STATUS      RESTARTS   AGE
      virt-launcher-xtbx02-7pnhq   0/1     Completed   0          18m
      virt-launcher-xtbx02-dmbbl   1/1     Running     0          3m18s

      The token after the migration:

      jwt:

      {
        "aud": [
          "https://kubernetes.default.svc"
        ],
        "exp": 1672934711,
        "iat": 1641398711,
        "iss": "https://kubernetes.default.svc",
        "kubernetes.io": {
          "namespace": "s-testbox-02",
          "pod": {
            "name": "virt-launcher-xtbx02-7pnhq",   <-----------------------------
            "uid": "58ea2a5f-9794-433c-845b-76c69634752f"
          },
          "serviceaccount": {
            "name": "murphy",
            "uid": "9cbdd2ea-4fc3-4ffc-a966-bb761ed4ba60"
          },
          "warnafter": 1641402318
        },
        "nbf": 1641398711,
        "sub": "system:serviceaccount:s-testbox-02:murphy"
      }

      Expected results:
      It should reference virt-launcher-xtbx02-dmbbl.

      Additional info:

      As a workaround, a secret with the token can be mounted to the VM.
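An added check, not code from the report or from the OpenShift Virtualization project: it decodes the claims of a projected service account token as seen from inside the guest and compares the `kubernetes.io.pod.name` claim against the virt-launcher pods that are actually Running in `oc get pods`, so a token stranded on the old pod after a migration is flagged as stale rather than discovered only when API calls start failing. The pod listing and the claims are constructed from the values in this report; the token's header and signature are placeholders and are never verified, since this inspects claims rather than authenticating the token.

```python
import base64
import json

# Constructed sample: the `oc get pods` listing from the report (old launcher Completed, new one Running).
OC_GET_PODS = """\
NAME                         READY   STATUS      RESTARTS   AGE
virt-launcher-xtbx02-7pnhq   0/1     Completed   0          18m
virt-launcher-xtbx02-dmbbl   1/1     Running     0          3m18s
"""
# Constructed claims matching those in the report: still bound to the old, Completed pod.
SAMPLE_CLAIMS = {
    "aud": ["https://kubernetes.default.svc"], "iss": "https://kubernetes.default.svc",
    "exp": 1672934711, "iat": 1641398711, "nbf": 1641398711,
    "kubernetes.io": {
        "namespace": "s-testbox-02", "warnafter": 1641402318,
        "pod": {"name": "virt-launcher-xtbx02-7pnhq", "uid": "58ea2a5f-9794-433c-845b-76c69634752f"},
        "serviceaccount": {"name": "murphy", "uid": "9cbdd2ea-4fc3-4ffc-a966-bb761ed4ba60"},
    },
    "sub": "system:serviceaccount:s-testbox-02:murphy",
}

def make_sample_token(claims: dict) -> str:
    """Constructed token: real header shape, placeholder signature (never verified here)."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{seg({"alg": "RS256", "kid": "constructed"})}.{seg(claims)}.placeholder-signature'

def decode_claims(token: str) -> dict:
    """Decode the payload segment only: this inspects claims, it does not authenticate."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))

def running_launcher_pods(listing: str) -> set:
    """Names of virt-launcher pods in Running state, parsed from `oc get pods` output."""
    rows = (line.split() for line in listing.splitlines()[1:])  # skip the header row
    return {c[0] for c in rows if len(c) >= 3 and c[0].startswith("virt-launcher-") and c[2] == "Running"}

def check_bound_token(token: str, listing: str, now: int) -> str:
    """Classify a projected token: unbound, expired, stale (bound to a dead pod) or ok."""
    claims = decode_claims(token)
    bound_pod = claims.get("kubernetes.io", {}).get("pod", {}).get("name")
    if bound_pod is None:
        return "unbound"  # legacy secret-based token: no pod claim, so migration cannot strand it
    if now >= claims.get("exp", 0):
        return "expired"
    if bound_pod not in running_launcher_pods(listing):
        return f"stale: bound to {bound_pod}"  # the symptom in this report after a migration
    return f"ok: bound to {bound_pod}"
```

Inside a real guest the token string would come from the mounted service account volume and the listing from `oc get pods` in the VM's namespace; the same check applies to a token mounted from a secret, which has no pod claim and so comes back as "unbound".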

            jelejosne Jed Lejosne
            rhn-gps-mustafa MUSTAFA AYDIN
            Kedar Bidarkar Kedar Bidarkar