BoundServiceAccountTokenVolume refresh token #1361
Comments
|
I believe that the Kubernetes client SDK needs to be updated. I'm trying to update an EKS cluster to 1.22 and this is preventing me from doing it. Here are the AWS docs about BoundServiceAccountTokenVolume |
|
👍 on this topic We are currently running latest version of fluentd-kubernetes-daemonset ( I believe this is not implemented yet in fluentd-kubernetes-daemonset due to this: ManageIQ/kubeclient#561 |
Yes, it's not implemented yet. I've described the current context at ManageIQ/kubeclient#561 (comment) |
|
@ashie are there any plans for such support? |
|
How about setting As I described at ManageIQ/kubeclient#561, it seems that it's already implemented, but not configured by default (the default value is |
|
@ashie I can give it a try. But I was expecting fluentd to be already using by default as I am not setting any other configuration to ensure fluentd authenticates in Kubernetes API. |
|
@ashie I have tried with that setting, although it still appears fluentd to be reusing an old token (probably it does not refresh token as expected?). For further info, here's the snippet of configuration I added to my fluent.conf: <filter kubernetes.var.log.containers.**.log>
@type kubernetes_metadata
bearer_token_file /var/run/secrets/kubernetes.io/serviceaccount/token
</filter> |
Sorry, although it's implemented in master branch of kubeclient, it's not released yet. |
@ashie, Hi, |
|
The fix I contributed has been released: fabric8io/fluent-plugin-kubernetes_metadata_filter#323 (comment) fabric8io/fluent-plugin-kubernetes_metadata_filter#337 https://rubygems.org/gems/fluent-plugin-kubernetes_metadata_filter/versions/2.11.1 EDIT 🚨: Actually this may not work fully. SORRY :( I was still completing final testing and did not think the filter plugin folks would merge and release it until I had stated that my testing is complete. I am working on fixing this. Apologies to everyone. EDIT 2: I might have panicked too much... I think it does work my testing is just invalid and I need to redo it to fully validate. |
|
@ashie And others, please see my update above. |
|
Thank you for notifying it. I'll wait your report. |
|
@ashie It fully works! Sorry for the alarm! Testing details are in the PR: fabric8io/fluent-plugin-kubernetes_metadata_filter#337 |
|
I see, thanks for your effort! |
The main purpose of this change is updating fluentd-plugin-kubernetes_metadata_fileter to fix #1361 Signed-off-by: Takuro Ashie <ashie@clear-code.com>
The main purpose of this change is updating fluentd-plugin-kubernetes_metadata_fileter to fix #1361 Signed-off-by: Takuro Ashie <ashie@clear-code.com>
|
Now rebuilding images... |
|
Done. |
|
@ashie have you tried this? I used the tag |
|
Please see #1368 |
|
Thank you @ashie. I got it now, it only refreshes it after the 90 days actually. |
|
@ashie @hugomcfonseca Just to confirm since I was the implementor of the workaround, yes, it only refreshes reactively when the token is actually expired. To proactively refresh, a new release of the underlying Kubeclient package is required. |
|
Did the underlying kubeclient got updated? is there any way to make it refresh each hour to no longer have the stale-token annotation? |
Hi!
I builded the latest dockerfile for papertrail, but the latest kubernetes serviceaccount 1hour expiration token can't refreshed by the image.
How can it be solved?
The text was updated successfully, but these errors were encountered: