
The web console's JS client is using stale tokens


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • Versions: 4.16.0, 4.14
    • Component: Management Console



      Description of problem:

      Starting with OpenShift 4.8 (https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html#ocp-4-8-notable-technical-changes), all pods get bound SA tokens.
      Currently, instead of expiring the token, we use the `service-account-extend-token-expiration` setting, which extends a bound token's validity to 1 year and warns whenever a token that would otherwise have expired is used.
      We want to disable this behavior in a future OpenShift release, which would break the OpenShift web console.

      Version-Release number of selected component (if applicable):

      4.8 - 4.14

      How reproducible:


      Steps to Reproduce:

      1. install a fresh cluster
      2. wait ~1hr since console pods were deployed for the token rotation to occur
      3. log in to the console and click around
      4. check the kube-apiserver audit logs events for the "authentication.k8s.io/stale-token" annotation

      Actual results:

      Many occurrences (I doubt I'll be able to upload a text file, so I'll show a few audit events in the first comment).

      Expected results:

      The web console re-reads the SA token regularly so that it never uses an expired token.

      Additional info:

      In a theoretical case where a console pod lasts for a year, it's going to break and won't be able to authenticate to the kube-apiserver.
      We are planning on disallowing the use of stale tokens in a future release and we need to make sure that the core platform is not broken so that the metrics we collect from the clusters in the wild are not polluted.

            jhadvig@redhat.com Jakub Hadvig
            slaznick@redhat.com Stanislav Láznička
            YaDan Pei