BoundServiceAccountTokenVolume refresh token with EKS 1.21 #3757
Comments
+1 to this.
Hi,
Hello, facing the same issue.
Hello,
Please describe in detail the steps to reproduce what you did. Fluentd core itself isn't aware of k8s. The k8s integration of Fluentd is done entirely by third-party plugins, and they aren't controlled by our organization. So you probably need to forward your report somewhere else (fluent-plugin-kubernetes_metadata_filter?).
We aren't aware of such a version of Fluentd or Docker container.
We'll continue this issue at fluent/fluentd-kubernetes-daemonset#1361
This issue has been addressed by fluent-plugin-kubernetes_metadata_filter: fabric8io/fluent-plugin-kubernetes_metadata_filter#337
To be compatible with the BoundServiceAccountTokenVolume feature introduced in kubernetes 1.21. More details:
* fluent/fluentd#3757
* https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume
* https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.21
* Update fluent-plugin-kubernetes_metadata_filter to 2.11.1
To be compatible with the BoundServiceAccountTokenVolume feature introduced in kubernetes 1.21. More details:
* fluent/fluentd#3757
* https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume
* https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.21
* Update other gems
* Update Gemfile
Co-authored-by: André Bauer <monotek@users.noreply.github.com>
Describe the bug
Hi,
Kubernetes version 1.21 graduated the BoundServiceAccountTokenVolume feature [1] to beta and enabled it by default. This feature improves the security of service account tokens by requiring a one hour expiry time, over the previous default of no expiration. This means that applications that do not refetch service account tokens periodically will receive an HTTP 401 Unauthorized error response on requests to the Kubernetes API server with expired tokens.
In our kubernetes audit logs we see that fluentd is still using stale tokens.
From what I understand, this should be fixed by upgrading the kubernetes client SDK to the latest release, as follows:
What did you expect to happen?
Fluentd to support BoundServiceAccountTokenVolume token refresh after upgrading to k8s 1.21.
To Reproduce
Install fluentd in a kubernetes/EKS cluster with version >= 1.21 and check the kubernetes audit logs for stale-token annotations.
Expected behavior
Should have fixed the stale-token issue.
Your Environment
Your Configuration
Your Error Log
annotations.authentication.k8s.io/stale-token | subject: system:serviceaccount:logging:fluentd-forwarder, seconds after warning threshold: 53577
Additional context
No response
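As an added example (not code from this issue, from fluentd, or from fluent-plugin-kubernetes_metadata_filter), the following Ruby shows the two halves of what the report above describes. First, a token source that re-reads the projected service account token file whenever the kubelet has rotated it or the cached token is within a margin of its exp claim, instead of caching it once at startup as a pre-1.21 client could. Second, a scan over audit-log events for the authentication.k8s.io/stale-token annotation quoted in the error log, which is how the reporter spotted the problem. The token path, the refresh margin, the sample JWT (decoded without signature verification and carrying a dummy signature) and the sample audit events are all constructed for the example.

```ruby
require 'json'
require 'base64'
require 'tmpdir'

STALE_ANNOTATION = 'authentication.k8s.io/stale-token'

# Decode a JWT payload without verifying the signature. Only the API server
# needs to verify it; the client uses exp solely to decide when to re-read.
def jwt_payload(token)
  parts = token.split('.')
  raise ArgumentError, 'not a JWT' unless parts.length == 3
  seg = parts[1]
  seg += '=' * ((4 - seg.length % 4) % 4) # restore base64url padding
  JSON.parse(Base64.urlsafe_decode64(seg))
end

# Reads the projected (bound) token the way a client must after k8s 1.21:
# never cache it once at startup; re-read when the kubelet has rotated the
# file (mtime changed) or the cached token is within refresh_margin seconds
# of its exp claim.
class BoundTokenSource
  DEFAULT_PATH = '/var/run/secrets/kubernetes.io/serviceaccount/token'

  def initialize(path = DEFAULT_PATH, refresh_margin: 60)
    @path = path
    @margin = refresh_margin # assumed value, not a Kubernetes default
    @token = @exp = @mtime = nil
  end

  def token(now = Time.now)
    mtime = File.mtime(@path)
    if @token.nil? || mtime != @mtime || (@exp && now + @margin >= @exp)
      @token = File.read(@path).strip
      @mtime = mtime
      exp = jwt_payload(@token)['exp']
      @exp = exp && Time.at(exp)
    end
    @token
  end
end

# Builds a JWT shaped like a bound service account token, with a dummy
# signature, purely so the example runs offline (constructed test data).
def make_token(exp, sub: 'system:serviceaccount:logging:fluentd-forwarder')
  enc = ->(h) { Base64.urlsafe_encode64(h.to_json, padding: false) }
  header  = enc.call({ alg: 'RS256', kid: 'example' })
  payload = enc.call({ iss: 'https://kubernetes.default.svc', sub: sub,
                       aud: ['https://kubernetes.default.svc'], exp: exp })
  "#{header}.#{payload}.#{Base64.urlsafe_encode64('dummy-signature', padding: false)}"
end

# Scan audit.k8s.io/v1 events (one JSON object per line) and report, per
# subject, the largest "seconds after warning threshold" the API server
# recorded in the stale-token annotation.
def stale_token_subjects(audit_lines)
  audit_lines.each_with_object({}) do |line, result|
    note = JSON.parse(line).dig('annotations', STALE_ANNOTATION)
    next unless note
    m = note.match(/subject: (\S+), seconds after warning threshold: (\d+)/)
    next unless m
    subject, secs = m[1], m[2].to_i
    result[subject] = [result.fetch(subject, 0), secs].max
  end
end

# Constructed audit events: two stale-token hits for the fluentd service
# account (the first mirrors the annotation quoted in the issue) and one
# unrelated, non-stale request.
SAMPLE_AUDIT_LINES = [
  { kind: 'Event', apiVersion: 'audit.k8s.io/v1', verb: 'get',
    requestURI: '/api/v1/namespaces/logging/pods/fluentd-abc12',
    user: { username: 'system:serviceaccount:logging:fluentd-forwarder' },
    annotations: { 'authorization.k8s.io/decision' => 'allow',
                   STALE_ANNOTATION => 'subject: system:serviceaccount:logging:fluentd-forwarder, seconds after warning threshold: 53577' } },
  { kind: 'Event', apiVersion: 'audit.k8s.io/v1', verb: 'get',
    requestURI: '/api/v1/namespaces/logging/pods/fluentd-def34',
    user: { username: 'system:serviceaccount:logging:fluentd-forwarder' },
    annotations: { 'authorization.k8s.io/decision' => 'allow',
                   STALE_ANNOTATION => 'subject: system:serviceaccount:logging:fluentd-forwarder, seconds after warning threshold: 120' } },
  { kind: 'Event', apiVersion: 'audit.k8s.io/v1', verb: 'list', requestURI: '/api/v1/nodes',
    user: { username: 'system:serviceaccount:kube-system:coredns' },
    annotations: { 'authorization.k8s.io/decision' => 'allow' } }
].map(&:to_json).freeze

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'token')
    now = Time.now
    File.write(path, make_token((now + 3600).to_i))
    src = BoundTokenSource.new(path)
    first = src.token(now)
    File.write(path, make_token((now + 7200).to_i)) # kubelet rotates the file
    File.utime(now + 10, now + 10, path)
    puts "rotated token picked up: #{src.token(now) != first}"
  end
  stale_token_subjects(SAMPLE_AUDIT_LINES).each do |subject, secs|
    puts "#{subject} still presenting a stale token (#{secs}s past warning threshold)"
  end
end
```

The mtime check matters as much as the exp check: the kubelet rewrites the projected file well before the token expires, so a client that only watches exp keeps presenting the old (still valid, but now stale) token and shows up in the audit log exactly as in the error log above. A client that re-reads on every request would also be correct; the cache here only avoids a file read per API call.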