New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pod is still using old tokens after upgrade #1368
Comments
In my understanding, the fix in fluent-plugin-kubernetes_metadata_filter v2.11.1 is just a work around, not fully resolve the issue in desired way. |
So I'm considering to help releasing new version of kubeclient (ManageIQ/kubeclient#561 (comment)) but I also don't have enough time for it now... |
@ashie |
Hey, I implemented the workaround. What was stated in this issue is correct. It refreshes reactively, only when the token is expired. |
Thanks following up 👍 |
Hello @PettitWesley @ashie 👋 the token still refreshes reactively, correct? So there is no fix to avoid the stale token warnings in EKS for now? Btw, I'm running an EKS 1.21 and the following 2022-10-21 18:00:08 +0000 [info]: parsing config file is succeeded path="/fluentd/etc/fluentd.conf"
2022-10-21 18:00:08 +0000 [info]: gem 'fluentd' version '1.15.2'
2022-10-21 18:00:08 +0000 [info]: gem 'fluent-plugin-concat' version '2.5.0'
2022-10-21 18:00:08 +0000 [info]: gem 'fluent-plugin-dedot_filter' version '1.0.0'
2022-10-21 18:00:08 +0000 [info]: gem 'fluent-plugin-detect-exceptions' version '0.0.14'
2022-10-21 18:00:08 +0000 [info]: gem 'fluent-plugin-elasticsearch' version '5.1.5'
2022-10-21 18:00:08 +0000 [info]: gem 'fluent-plugin-grok-parser' version '2.6.2'
2022-10-21 18:00:08 +0000 [info]: gem 'fluent-plugin-json-in-json-2' version '1.0.2'
2022-10-21 18:00:08 +0000 [info]: gem 'fluent-plugin-kubernetes_metadata_filter' version '2.13.0'
2022-10-21 18:00:08 +0000 [info]: gem 'fluent-plugin-multi-format-parser' version '1.0.0'
2022-10-21 18:00:08 +0000 [info]: gem 'fluent-plugin-parser-cri' version '0.1.1'
2022-10-21 18:00:08 +0000 [info]: gem 'fluent-plugin-prometheus' version '2.0.3'
2022-10-21 18:00:08 +0000 [info]: gem 'fluent-plugin-record-modifier' version '2.1.0'
2022-10-21 18:00:08 +0000 [info]: gem 'fluent-plugin-rewrite-tag-filter' version '2.4.0'
2022-10-21 18:00:08 +0000 [info]: gem 'fluent-plugin-systemd' version '1.0.5' |
@jorge-gyant Yea, the change I contributed (in 2.11.1 IIRC) is reactive. There was some discussion that making a change in the underlying ruby kube client library would allow proactive refreshes, I am not sure if anyone has worked on that. |
kubeclient 4.10.0 supports refreshing the token on every request (when |
@jorge-gyant I had the same problem, even with latest
|
Hi @ashie,
Do you know which release will have the kubeclient token fix? I'm currently testing with fluentd-daemonset v1.15.3 and I can't confirm which Thanks! |
v1.15.3 images use kubeclient 4.10.1.
|
Hi,
I am trying this: #1367
However, the token does not seem to be refreshed.
I am using
fluentd-kubernetes-daemonset:v1.14.6-debian-cloudwatch-1.1
in AWS EKS1.22
and I have checked, if it is using stale tokens.When the API server receives requests with tokens that are older than one hour, then it annotates the pod with
annotations.authentication.k8s.io/stale-token
. In my case I can see the following annotation. E.g.:annotations.authentication.k8s.io/stale-token subject: system:serviceaccount:amazon-cloudwatch:fluentd, seconds after warning threshold: 14655
I have also confirmed in the pod logs that the version of
fluent-plugin-kubernetes_metadata_filter
is2.11.1
.Pod Logs:
Fluentd Kubernetes Daemonset Version Info
fluentd-kubernetes-daemonset:v1.14.6-debian-cloudwatch-1.1
Cluster Details
AWS EKS 1.22
fluentd-kubernetes-daemonset:v1.14.6-debian-cloudwatch-1.1 deployed as Daemonset
Steps to reproduce issue
The text was updated successfully, but these errors were encountered: