Details
- Bug
- Resolution: Done
- Major
Description
Hi team,
Though the summary is about v2-0, I believe v2.2 still has the issue. The kubeconfig file that istio-cni uses is generated by the istio-cni-node Pod when it starts. The Pod, if I understand correctly, reads the token from /var/run/secrets/kubernetes.io/serviceaccount/token and writes it to the kubeconfig file. The problem is that the token inside the kubeconfig file expires after one year, meaning the istio-cni-node has to be restarted every 365 days to generate a new token.
The token in the kubeconfig file shows that the exp timestamp points to the next year.
sh-4.4$ echo "eyJhbGciOiJSUzI1NiIsImtpZCI6InRON1lMZHFSakw1bTA4NG5pSmtYempMR0YtX19LY0hybkxjNlpWX3pUYXcifQ.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.Xex0a0_TCZ3-gRXAC52vOQ0n44jGHJpG3IL940TxzYn-uTyWyLl0uS2EG7iPDeqdZNCvOLefd9a28fnO6FtN4LQFm94bm3bUAJDDneZXHAsoP2S0zFVxIbrpaDPWcB00kdKhzMMxs2Zhu6SmT6XSG7-tfQQ2CP8yHbUJ0byh2ThJy5OX_f-FgLM4GiOER7G_g_pb0VYaIVss0dvD9bzk1Ut9bo7VqAYccWynzE_0f0ozV3KdOgqIwvZrQMJCDkexzV71EE4dFt9JWVjtpfM_sTc_QtiZ3tQJXvyVI5aFai9UjicPJBCCIdVyb3HSBNDeNpJn8yewmVQfkI8DHi1FPZ0w-sfPYssKg6UkUlyIyc2MW1dLAswIZOaGp4GBNJYqaHy4Q3fJrIUJ49jzLEfqZqhWH9SgHRGqFkkuC-rR6aixAJyoBoX18WvOMtyDW2KfrD52Jy2cJIBwoHnWw6W304_BavkTW97ovnTFcT6OlypT_PNJdt34mWxjIpAYfOZPuEXUqE_7F9pIqu8Awtw3iq9omUJ30-V5-sadhN8oSnU7VRwKLJirDZGf3WK2qJDx-emkLyLzfVlMKKyyY20oOFKFiF5RPp5WdT6bHZdseQYWzhwdXBWTAFDWinx8dhEBqLUYub7Pu2-bAMN9ecnKu2VkfMC5czMbch9pIwHrSDo" | cut -d. -f2 | base64 -d 2>/dev/null | jq
{
  "aud": [
    "https://kubernetes.default.svc"
  ],
  "exp": 1698665984,
  "iat": 1667129984,
  "iss": "https://kubernetes.default.svc",
  "kubernetes.io": {
    "namespace": "openshift-operators",
    "pod": {
      "name": "istio-cni-node-vnqvp",
      "uid": "34923b63-b443-41f7-b0d9-0fb54d577d33"
    },
    "serviceaccount": {
      "name": "istio-cni",
      "uid": "6169e69c-e79e-4ffb-a152-4676ef397f32"
    },
    "warnafter": 1667133591
  },
  "nbf": 1667129984,
  "sub": "system:serviceaccount:openshift-operators:istio-cni"
}
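The one-liner above is the manual form of the check; as an added example (not from this report or the istio-cni project), the script below does the same thing for monitoring: it pulls the token out of the generated kubeconfig, decodes the claims without verifying the signature, and flags the token as expiring before the one-year exp is reached. It assumes the kubeconfig carries the token as a plain `token:` line; the sample token and claims are constructed to mirror the payload shape shown above.

```python
import base64
import json
import time

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; plain `base64 -d` rejects that,
    # which is why the one-liner above needs 2>/dev/null.
    segment = segment.replace("-", "+").replace("_", "/")
    return base64.b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    # Payload claims only; the signature is NOT verified. This is an expiry
    # check on a token we already hold, not an authentication decision.
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated JWT parts")
    return json.loads(_b64url_decode(parts[1]))

def token_from_kubeconfig(text: str) -> str:
    # Plain line scan for the first `token:` entry (no YAML dependency).
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "token":
            return value.strip().strip("\"'")
    raise ValueError("no token: entry in kubeconfig")

def token_status(token: str, now=None, warn_days: int = 30) -> dict:
    # Classify as 'ok', 'expiring' (within warn_days) or 'expired'.
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    days_left = (claims["exp"] - now) / 86400
    state = ("expired" if now >= claims["exp"]
             else "expiring" if days_left <= warn_days else "ok")
    return {"state": state, "days_left": round(days_left, 2),
            "exp": claims["exp"], "sub": claims.get("sub"),
            "warnafter": claims.get("kubernetes.io", {}).get("warnafter")}

def _unsigned_token(claims: dict) -> str:
    # Constructed demo token: header + claims + dummy signature, no real key.
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = enc(b'{"alg":"none","typ":"JWT"}')
    return f"{header}.{enc(json.dumps(claims).encode())}.sig"

# Constructed claims mirroring the shape of the payload decoded above.
SAMPLE_CLAIMS = {"iss": "https://kubernetes.default.svc", "iat": 1667129984,
                 "exp": 1698665984, "kubernetes.io": {"warnafter": 1667133591},
                 "sub": "system:serviceaccount:openshift-operators:istio-cni"}
SAMPLE_KUBECONFIG = ("users:\n- name: istio-cni\n  user:\n    token: "
                     + _unsigned_token(SAMPLE_CLAIMS) + "\n")
```

Run `token_status(token_from_kubeconfig(open(path).read()))` against the real kubeconfig on the node from a cron job or a node-exporter textfile collector, and alert on anything other than "ok" so the restart happens before the CNI starts returning Unauthorized.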
I think somewhere in the docs we need to warn the customer about this behavior, otherwise the inject: true Pod will run into such a problem:
(combined from similar events): Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_test-pod(id): error adding pod test-pod to CNI network \"multus-cni-network\": [test/test-pod:v2-0-istio-cni]: error adding container to network \"v2-0-istio-cni\": Unauthorized