
Stale ServiceAccount token used

Open tymaoa2 opened this issue 2 years ago • 2 comments

k8s version: 1.23
openshift/console version: 4.12

After k8s v1.22, the SA token has a lifetime, and if the app has used a stale token, it will be recorded in the audit log: "annotations":{"authentication.k8s.io/stale-token":"subject: system:serviceaccount:wkfl:default, seconds after warning threshold: 4291852"

ref: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/1205-bound-service-account-tokens/README.md#tokenrequestprojection

After inspecting the source code, I think maybe the stale-token-used is because of the below: https://github.com/openshift/console/blob/2561bbdf0e1c3f9bd13b53324c0b45938ef983a3/cmd/bridge/main.go#L320

The app should reload the refresh token periodically, like once every 5 mins, as k8s officially recommends.

tymaoa2 avatar Nov 17 '23 08:11 tymaoa2

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot avatar Feb 15 '24 09:02 openshift-bot

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

openshift-bot avatar Mar 17 '24 00:03 openshift-bot

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-bot avatar Apr 16 '24 08:04 openshift-bot

@openshift-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci[bot] avatar Apr 16 '24 08:04 openshift-ci[bot]