vcluster
Refresh vcluster pod service account tokens
Right now we create service account tokens that are valid for 10 years. Kubernetes did something similar up until 1.21 and then introduced expiring service account tokens. We should comply with this change and let our tokens expire similarly.
+1. That a vcluster's SA tokens expire after 10 years opens up not only the vcluster, but also any services a vcluster relies upon, such as an external Vault instance, to an attack based on a lost token. The only mitigation is making sure that external services submit a TokenAccessReview to the API server to validate that a Pod is still running, but if a Pod is long lived this only offers limited protection.
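As an added example (not code from the vcluster project or from either commenter), here is the check a service that consumes such a token could run before trusting it: it inspects the JWT claims to flag tokens with a 10-year lifetime, legacy tokens with no expiry at all, and tokens that are not bound to a Pod, and it builds the body of the TokenReview request (`authentication.k8s.io/v1`, which is the resource the API server actually exposes for validating a token) that would then be POSTed to the API server. The sample tokens, the key id and the 24-hour lifetime ceiling are constructed for the example; the claim decoding does not verify the signature and is for inspection only.

```python
import base64
import json
import time

YEAR = 365 * 24 * 3600


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWT compact form."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    This only inspects a token you already hold; it says nothing about whether
    the API server still accepts it. That question must go through TokenReview.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(b64url_decode(parts[1]))


def assess_token(token: str, now: int, max_lifetime: int = 24 * 3600) -> dict:
    """Flag the properties that make a lost service account token dangerous."""
    claims = jwt_claims(token)
    exp, iat = claims.get("exp"), claims.get("iat")
    # Bound (projected) tokens carry a kubernetes.io claim naming the Pod;
    # legacy secret-based tokens and long-lived API-issued tokens do not.
    pod = claims.get("kubernetes.io", {}).get("pod")
    lifetime = None if exp is None or iat is None else exp - iat
    findings = []
    if exp is None:
        findings.append("no exp claim: legacy token that never expires")
    elif lifetime is not None and lifetime > max_lifetime:
        findings.append(f"lifetime of {lifetime} s exceeds the {max_lifetime} s ceiling")
    if not pod:
        findings.append("not bound to a Pod: TokenReview cannot tie it to a running workload")
    return {
        "subject": claims.get("sub"),
        "lifetime_seconds": lifetime,
        "expired": exp is not None and now >= exp,
        "pod_bound": bool(pod),
        "findings": findings,
    }


def token_review_body(token: str, audiences=None) -> dict:
    """Body to POST to /apis/authentication.k8s.io/v1/tokenreviews."""
    body = {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview",
            "spec": {"token": token}}
    if audiences:
        body["spec"]["audiences"] = list(audiences)
    return body


def fake_jwt(payload: dict) -> str:
    """Constructed, unsigned test token; the signature segment is a placeholder."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return f"{header}.{b64url_encode(json.dumps(payload).encode())}.sig"


# Constructed sample tokens (not real cluster tokens). NOW is fixed so results
# are reproducible; a real check would use int(time.time()).
NOW = 1_700_000_000
SUB = "system:serviceaccount:vcluster:default"
TEN_YEAR_TOKEN = fake_jwt({"iss": "https://kubernetes.default.svc", "sub": SUB,
                           "iat": NOW - 3600, "exp": NOW - 3600 + 10 * YEAR})
LEGACY_TOKEN = fake_jwt({"iss": "kubernetes/serviceaccount", "sub": SUB,
                         "kubernetes.io/serviceaccount/namespace": "vcluster"})
BOUND_TOKEN = fake_jwt({"iss": "https://kubernetes.default.svc", "sub": SUB,
                        "aud": ["https://kubernetes.default.svc"],
                        "iat": NOW - 600, "exp": NOW + 3000,
                        "kubernetes.io": {"namespace": "vcluster",
                                          "pod": {"name": "web-0", "uid": "1234"}}})

if __name__ == "__main__":
    for name, tok in [("ten-year", TEN_YEAR_TOKEN), ("legacy", LEGACY_TOKEN),
                      ("bound", BOUND_TOKEN)]:
        print(name, json.dumps(assess_token(tok, NOW)))
    print(json.dumps(token_review_body(BOUND_TOKEN, ["https://kubernetes.default.svc"])))
```

The findings are the ones the comment above implies: a 10-year or never-expiring token that is not bound to a Pod cannot be tied back to a running workload, so a TokenReview on it only tells the consumer that the service account still exists, not that the workload that held the token is still alive.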