
istio-cni-node never updates kubeconfig causing error adding container to network "v2-0-istio-cni": Unauthorized



    Description

      Hi team,

Though the summary is about v2-0, I believe v2.2 still has the issue. The kubeconfig file that the istio-cni uses is generated by the istio-cni-node Pod when it starts. The Pod, if I understand correctly, reads the token from /var/run/secrets/kubernetes.io/serviceaccount/token and writes it to the kubeconfig file. The problem is that the token inside the kubeconfig file expires after one year, meaning the istio-cni-node has to be restarted every 365 days to generate a new token.

      The token in kubeconfig file shows the exp timestamp points to the next year.

      sh-4.4$ echo "eyJhbGciOiJSUzI1NiIsImtpZCI6InRON1lMZHFSakw1bTA4NG5pSmtYempMR0YtX19LY0hybkxjNlpWX3pUYXcifQ.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.Xex0a0_TCZ3-gRXAC52vOQ0n44jGHJpG3IL940TxzYn-uTyWyLl0uS2EG7iPDeqdZNCvOLefd9a28fnO6FtN4LQFm94bm3bUAJDDneZXHAsoP2S0zFVxIbrpaDPWcB00kdKhzMMxs2Zhu6SmT6XSG7-tfQQ2CP8yHbUJ0byh2ThJy5OX_f-FgLM4GiOER7G_g_pb0VYaIVss0dvD9bzk1Ut9bo7VqAYccWynzE_0f0ozV3KdOgqIwvZrQMJCDkexzV71EE4dFt9JWVjtpfM_sTc_QtiZ3tQJXvyVI5aFai9UjicPJBCCIdVyb3HSBNDeNpJn8yewmVQfkI8DHi1FPZ0w-sfPYssKg6UkUlyIyc2MW1dLAswIZOaGp4GBNJYqaHy4Q3fJrIUJ49jzLEfqZqhWH9SgHRGqFkkuC-rR6aixAJyoBoX18WvOMtyDW2KfrD52Jy2cJIBwoHnWw6W304_BavkTW97ovnTFcT6OlypT_PNJdt34mWxjIpAYfOZPuEXUqE_7F9pIqu8Awtw3iq9omUJ30-V5-sadhN8oSnU7VRwKLJirDZGf3WK2qJDx-emkLyLzfVlMKKyyY20oOFKFiF5RPp5WdT6bHZdseQYWzhwdXBWTAFDWinx8dhEBqLUYub7Pu2-bAMN9ecnKu2VkfMC5czMbch9pIwHrSDo" | cut -d. -f2 | base64 -d 2>/dev/null | jq
      {
        "aud": [
          "https://kubernetes.default.svc"
        ],
        "exp": 1698665984,
        "iat": 1667129984,
        "iss": "https://kubernetes.default.svc",
        "kubernetes.io": {
          "namespace": "openshift-operators",
          "pod": {
            "name": "istio-cni-node-vnqvp",
            "uid": "34923b63-b443-41f7-b0d9-0fb54d577d33"
          },
          "serviceaccount": {
            "name": "istio-cni",
            "uid": "6169e69c-e79e-4ffb-a152-4676ef397f32"
          },
          "warnafter": 1667133591
        },
        "nbf": 1667129984,
        "sub": "system:serviceaccount:openshift-operators:istio-cni"
      }

I think somewhere in the docs we need to warn the customer about this behavior, otherwise the inject: true Pod will run into such a problem:

(combined from similar events): Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_test-pod(id): error adding pod test-pod to CNI network "multus-cni-network": [test/test-pod:v2-0-istio-cni]: error adding container to network "v2-0-istio-cni": Unauthorized
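A small check for the behaviour described in the report, added here as an example (it is not code from the issue, from istio-cni or from OpenShift): it decodes the token embedded in a kubeconfig's users[].user.token, re-adds the base64url padding that the one-liner above drops (which is why it needed 2>/dev/null), and flags tokens that have expired or are inside a warning window, so an operator can catch the yearly expiry before Multus starts returning Unauthorized. The kubeconfig layout, the warning window and the sample token built from the issue's exp/iat claims are assumptions and constructed data.

```python
import base64
import json
import time

# Constructed sample: the claim set shown in the issue (exp/iat taken from
# the decoded payload above) wrapped in an unsigned JWT. Not a real token;
# the signature segment is a placeholder and is never verified here.
SAMPLE_CLAIMS = {
    "aud": ["https://kubernetes.default.svc"],
    "exp": 1698665984,
    "iat": 1667129984,
    "iss": "https://kubernetes.default.svc",
    "sub": "system:serviceaccount:openshift-operators:istio-cni",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims=SAMPLE_CLAIMS) -> str:
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-sig"

def jwt_claims(token: str) -> dict:
    """Decode the payload segment only (no signature check); the segment is
    unpadded base64url, so padding is re-added before decoding."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def token_expiry_status(token: str, now: int, warn_days: int = 30) -> dict:
    claims = jwt_claims(token)
    remaining = int(claims["exp"]) - now
    return {"sub": claims.get("sub"), "exp": int(claims["exp"]),
            "seconds_remaining": remaining, "expired": remaining <= 0,
            "warn": remaining <= warn_days * 86400}

def kubeconfig_token_statuses(kubeconfig: dict, now: int, warn_days: int = 30):
    """Walk users[].user.token of a kubeconfig already loaded into a dict
    (e.g. by yaml.safe_load) and check every embedded token."""
    return {u["name"]: token_expiry_status(u["user"]["token"], now, warn_days)
            for u in kubeconfig.get("users", [])
            if u.get("user", {}).get("token")}

if __name__ == "__main__":
    cfg = {"users": [{"name": "istio-cni", "user": {"token": make_sample_token()}}]}
    for name, status in kubeconfig_token_statuses(cfg, int(time.time())).items():
        print(name, status)
```

Run against the real file by loading the CNI kubeconfig with yaml.safe_load and passing the resulting dict; a "warn" or "expired" result for the istio-cni user means the node Pod needs a restart before the token stops working.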

          People

            Unassigned Unassigned
            rhn-support-cchen Chen Chen
            Dylan Monroe (Inactive)