By using AWS re:Post, you agree to the Terms of Use
/Kubernetes projected service account token expiry time issue/

Kubernetes projected service account token expiry time issue

0

I'm using AWS EKS 1.21 with service account discovery enabled.
Created an OIDC provider, the .well-known/openid-configuration endpoint returns a correct configuration:

{
"issuer": "https://oidc.eks.eu-west-1.amazonaws.com/id/***",
"jwks_uri": "https://ip-***.eu-west-1.compute.internal:443/openid/v1/jwks",
"response_types_supported": [
"id_token"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
]
}

Created a ServiceAccount for one of my deployments and the pod gets this as projected volume:

volumes:
- name: kube-api-access-b4xt9
projected:
defaultMode: 420
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace

The secret created for the ServiceAccount contains this token:

{
"iss": "kubernetes/serviceaccount",
"kubernetes.io/serviceaccount/namespace": "sbx",
"kubernetes.io/serviceaccount/secret.name": "dliver-site-config-service-token-kz874",
"kubernetes.io/serviceaccount/service-account.name": "dliver-site-config-service",
"kubernetes.io/serviceaccount/service-account.uid": "c26ad760-9067-4d90-a327-b3d6e32bce42",
"sub": "system:serviceaccount:sbx:dliver-site-config-service"
}

The projected token mounted in to the pod contains this:

{
"aud": [
"https://kubernetes.default.svc"
],
"exp": 1664448004,
"iat": 1632912004,
"iss": "https://oidc.eks.eu-west-1.amazonaws.com/id/***",
"kubernetes.io": {
"namespace": "sbx",
"pod": {
"name": "dliver-site-config-service-77494b8fdd-45pxw",
"uid": "0dd440a6-1213-4faa-a69e-398b83d2dd6b"
},
"serviceaccount": {
"name": "dliver-site-config-service",
"uid": "c26ad760-9067-4d90-a327-b3d6e32bce42"
},
"warnafter": 1632915611
},
"nbf": 1632912004,
"sub": "system:serviceaccount:sbx:dliver-site-config-service"
}

Kubernetes renew the projected token every hour, so everything looks fine.
Except the projected token "exp" field:
"iat": 1632912004 which is Wednesday, September 29, 2021 10:40:04 AM
"exp": 1664448004 which is Thursday, September 29, 2022 10:40:04 AM

So the problem is, that the projected token expiry time is 1 year, instead of around 1 hour, which makes Kubernetes effort to renew the token basically useless.
I searched for hours but was simply unable to figure out where this is coming from.
The expiration flag is passed to the kube-api server: --service-account-max-token-expiration="24h0m0s", so
my assumption is that this should be configured on the OIDC provider somehow, but unable to find any related documentation.

Any idea how to make the projected token expiry date around the same as the expirationSeconds in the pod projected volume?

asked 8 months ago6 views
2 Answers
0

It only happens when the "expirationSeconds" in the projected volume are set to 3607, any other value gives a token with the correct "exp" field. :)
Any idea?

answered 8 months ago
0
answered 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions