- Bug
- Resolution: Done-Errata
- Critical
- 4.14
- None
- No
- False
- NA
- Release Note Not Required
- In Progress
This is a clone of issue OCPBUGS-16814. The following is the description of the original issue:
—
Description of problem:
Starting with OpenShift 4.8 (https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html#ocp-4-8-notable-technical-changes), all pods are getting bound SA tokens. Currently, instead of expiring the token, we use the `service-account-extend-token-expiration` that extends a bound token's validity to 1 yr and warns in case of a use of a token that would otherwise have expired. We want to disable this behavior in a future OpenShift release, which would break the OpenShift web console.
Version-Release number of selected component (if applicable):
4.8 - 4.14
How reproducible:
100%
Steps to Reproduce:
1. Install a fresh cluster.
2. Wait ~1 hr after the console pods were deployed for the token rotation to occur.
3. Log in to the console and click around.
4. Check the kube-apiserver audit log events for the "authentication.k8s.io/stale-token" annotation.
Actual results:
Many occurrences (I doubt I'll be able to upload a text file, so I'll show a few audit events in the first comment).
Expected results:
The web-console re-reads the SA token regularly so that it never uses an expired token
Additional info:
In a theoretical case where a console pod lasts for a year, it's going to break and won't be able to authenticate to the kube-apiserver. We are planning on disallowing the use of stale tokens in a future release and we need to make sure that the core platform is not broken so that the metrics we collect from the clusters in the wild are not polluted.
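The two halves of this report, the check in the reproduction steps and the fix in the expected results, as an added illustrative example. This is not the console's or OpenShift's code; it assumes the standard projected-token path `/var/run/secrets/kubernetes.io/serviceaccount/token`, a `ProjectedTokenSource` class and `stale_token_uses` function named here for illustration, and hand-constructed audit events whose annotation values only mirror the apiserver's format.

```python
"""Added, illustrative example (not the console's or OpenShift's own code):
(1) a token source that re-reads the projected service-account token instead of
caching it for the pod's lifetime, and (2) a pass over kube-apiserver audit
events that surfaces requests flagged with the stale-token annotation."""
import base64
import json
import os
import tempfile
import time

# Standard in-pod path of the projected SA token (rotated by kubelet).
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
STALE_ANNOTATION = "authentication.k8s.io/stale-token"


def jwt_expiry(token: str) -> int:
    """Read the 'exp' claim from a JWT without verifying it. The client only
    needs exp to schedule a re-read; signature checking is the apiserver's job."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


class ProjectedTokenSource:
    """Hand out the current projected token on every request.

    A client that reads the file once at startup keeps presenting the original
    token after kubelet rotates the file; once that token passes its exp, the
    apiserver accepts it only via the extend-token-expiration grace and tags the
    request with STALE_ANNOTATION. Re-reading when the file changes, or when the
    cached token is within refresh_margin seconds of exp, avoids that."""

    def __init__(self, path=TOKEN_PATH, refresh_margin=300, now=time.time):
        self.path, self.refresh_margin, self.now = path, refresh_margin, now
        self._token, self._exp, self._mtime = None, 0, None

    def token(self) -> str:
        mtime = os.stat(self.path).st_mtime
        if (self._token is None or mtime != self._mtime
                or self.now() >= self._exp - self.refresh_margin):
            with open(self.path) as f:
                self._token = f.read().strip()
            self._exp, self._mtime = jwt_expiry(self._token), mtime
        return self._token


def stale_token_uses(audit_lines):
    """Count audit events (one audit.k8s.io/v1 JSON event per line) carrying
    STALE_ANNOTATION, keyed by (username, userAgent) so the offending client
    can be identified. Returns {} when no stale tokens were used."""
    counts = {}
    for line in audit_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if STALE_ANNOTATION not in (ev.get("annotations") or {}):
            continue
        key = ((ev.get("user") or {}).get("username", "?"), ev.get("userAgent", "?"))
        counts[key] = counts.get(key, 0) + 1
    return counts


def make_fake_token(exp: int, sub="system:serviceaccount:openshift-console:console"):
    """JWT-shaped string with the given exp, constructed for this demo only.
    It is unsigned and would be rejected by a real apiserver."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'sub': sub, 'exp': exp})}.sig"


def demo_token_refresh():
    """Simulate one kubelet rotation against a temp file and report whether the
    source picked up the new token (a read-once-at-startup client would not)."""
    path = os.path.join(tempfile.mkdtemp(), "token")
    clock = 1_700_000_000                                     # fake epoch seconds
    old = make_fake_token(exp=clock + 3600)
    with open(path, "w") as f:
        f.write(old)
    os.utime(path, (clock, clock))
    src = ProjectedTokenSource(path, refresh_margin=300, now=lambda: clock)
    first = src.token()
    new = make_fake_token(exp=clock + 7200)                   # kubelet rotates the file
    with open(path, "w") as f:
        f.write(new)
    os.utime(path, (clock + 2880, clock + 2880))              # ~80% of the old TTL
    second = src.token()
    return {"first_is_old": first == old, "second_is_new": second == new,
            "expiry_read": jwt_expiry(second) == clock + 7200}


# Constructed sample audit events (not captured from a cluster); the annotation
# value format mirrors what kube-apiserver emits but is typed here by hand.
CONSOLE_SA = "system:serviceaccount:openshift-console:console"
SAMPLE_AUDIT = [
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
                "user": {"username": CONSOLE_SA}, "userAgent": "console-backend/demo",
                "requestURI": "/api/v1/namespaces",
                "annotations": {STALE_ANNOTATION: f"subject: {CONSOLE_SA}, seconds after warning threshold: 3600"}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "list",
                "user": {"username": CONSOLE_SA}, "userAgent": "console-backend/demo",
                "requestURI": "/apis/apps/v1/deployments",
                "annotations": {STALE_ANNOTATION: f"subject: {CONSOLE_SA}, seconds after warning threshold: 3605"}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
                "user": {"username": "kube:admin"}, "userAgent": "oc/demo",
                "requestURI": "/api/v1/nodes", "annotations": {"authorization.k8s.io/decision": "allow"}}),
]

if __name__ == "__main__":
    print(demo_token_refresh())
    print(stale_token_uses(SAMPLE_AUDIT))
```

On a live cluster the same `stale_token_uses` pass can be pointed at the kube-apiserver audit log files on the control-plane nodes; any non-empty result for the console service account is the condition this bug describes, and after the fix the count should stay at zero even for console pods older than the token TTL.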
- clones: OCPBUGS-16814 The web console's JS client is using stale tokens (Closed)
- is blocked by: OCPBUGS-16814 The web console's JS client is using stale tokens (Closed)
- links to: RHSA-2023:7198 OpenShift Container Platform 4.15 security update