OpenShift Bugs: OCPBUGS-16814

The web console's JS client is using stale tokens


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • Versions: 4.16.0, 4.14
    • Component: Management Console

      Description of problem:

      Starting with OpenShift 4.8 (https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html#ocp-4-8-notable-technical-changes), all pods get bound SA tokens.
      
      Currently, instead of letting such a token expire, we rely on the `service-account-extend-token-expiration` kube-apiserver option, which extends a bound token's validity to 1 year and flags (via the audit annotation) any use of a token that would otherwise already have expired.
      
      We want to disable this behavior in a future OpenShift release, which would break the OpenShift web console as it stands today.
      

      Version-Release number of selected component (if applicable):

      4.8 - 4.14
      

      How reproducible:

      100%
      

      Steps to Reproduce:

      1. Install a fresh cluster.
      2. Wait ~1 hr after the console pods were deployed so that the token rotation occurs.
      3. Log in to the console and click around.
      4. Check the kube-apiserver audit log events for the "authentication.k8s.io/stale-token" annotation.
      

      Actual results:

      Many occurrences (I doubt I'll be able to upload a text file, so I'll show a few audit events in the first comment).
      

      Expected results:

      The web console re-reads the SA token regularly so that it never uses an expired token.
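      One way to satisfy this, as an added example that is not the console's own code: a small Python token source that re-reads the projected token file once the cached token gets close to its exp claim, instead of keeping the value read once at startup. The 5-minute margin, the default path constant and the sample_token helper (which builds unsigned tokens purely as constructed test input) are assumptions of this example.

```python
import base64
import json
import time
from pathlib import Path

# Kubelet projects the bound token here and rewrites it at about 80% of its
# lifetime, so re-reading the file before exp always finds a fresh token.
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
REFRESH_MARGIN = 5 * 60  # seconds before exp at which the file is re-read


def token_expiry(token: str) -> int:
    """Unverified exp claim (unix seconds) of a JWT. It only schedules the
    re-read; signature validation stays with the kube-apiserver."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return int(claims["exp"])


class FileTokenSource:
    """Hands out the projected token, re-reading the file as the cached token
    nears expiry instead of keeping the value read once at startup."""

    def __init__(self, path: str = TOKEN_PATH, now=time.time):
        self.path, self.now = Path(path), now
        self._cached, self._exp = None, 0

    def token(self) -> str:
        now = self.now()
        if self._cached and self._exp > now + REFRESH_MARGIN:
            return self._cached
        tok = self.path.read_text().strip()
        exp = token_expiry(tok)
        if exp <= now:  # never send a token the apiserver would reject as expired
            raise RuntimeError(f"token in {self.path} expired at {exp}")
        self._cached, self._exp = tok, exp
        return tok


def sample_token(exp: int) -> str:
    """Constructed, unsigned test token (empty signature segment) for
    exercising the reload logic; a real apiserver would reject it."""
    segs = ({"typ": "JWT"}, {"exp": exp, "iss": "constructed-test-issuer"})
    b64 = (base64.urlsafe_b64encode(json.dumps(s).encode()).rstrip(b"=").decode() for s in segs)
    return ".".join(b64) + "."
```

      The `now` parameter exists so the reload schedule can be exercised deterministically; in a real process the default `time.time` is used and every outgoing request calls `token()`.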
      

      Additional info:

      In the theoretical case where a console pod lives for a year, it will break: it will no longer be able to authenticate to the kube-apiserver.
      
      We are planning to disallow the use of stale tokens in a future release, and we need to make sure that the core platform is not broken, so that the metrics we collect from clusters in the wild are not polluted.
      

            People: Jakub Hadvig (jhadvig@redhat.com), Stanislav Láznička (slaznick@redhat.com), YaDan Pei