Requests from outside the cluster may have stale tokens and fail with status code 401
#1946
Labels
kind/bug
Categorizes issue or PR as related to a bug.
401
#1946
What happened
A request to Kubernetes from outside the cluster failed with status code
401
, even though the configuration had been loaded and previous requests had been successful.The traceback is
What you expected to happen
Given the
410 Unauthorized
response, we can safely assume that the problem lies with tokens and more specifically the way tokens are refreshed.The client has had an issue with tokens, namely issue #741, but it has been closed and (should have been) fixed by the kubernetes-client/python-base/pull/250 PR. Therefore no requests should be made with stale tokens and fail with
410 Unauthorized
.How to reproduce it
A minimal example is
That is, we
The tokens we receive from EKS have a TTL of 14 minutes (see also https://github.com/aws/aws-cli/blob/2.8.9/awscli/customizations/eks/get_token.py#L62). Therefore we sleep for 15 minutes waiting for the token to expire.
Before waiting both requests will succeed, but after waiting the first request will succeed and the second one will fail.
Note that what matters is which client makes the request first after the wait (not which client was created or made a request first before the wait). For example, if
api_2
makes the request first after the wait, then it will succeed andapi_1
will fail.Also note that we receive
410 Unauthorized
responses only when we make requestskube_config
.Anything else we need to know?
A closer look at the example shows that (under the hood) we
KubeConfigLoader()
),b. get a token and update the token (
token
) and expiration timestamp (expiry
) of the loader, andc. update the token (
api_key['authorization']
) of the default configuration (Configuration._default
),CoreV1Api()
), andb. set copies of the default configuration as their configuration,
b. update the token of the first client,
c. make a request with the first client (with the updated token), and
d. make a request with the second client (with the expired token).
Notice that we do not update the token of the second client.
When we make a request with a client, if the token of the loader is expired or expiring in 5 minutes or less, we
In the example, after the token expires,
To fix this issue, when a client makes a request, the loader should
The diff is
Environment
The text was updated successfully, but these errors were encountered: