Refresh token/api-key periodically

[aparamon]

Currently, authorization token/api-key is only initialized on loading config:
https://github.com/kubernetes-client/python-base/blob/bd9a8525e9215f7f01c32a321beb9a605cf0402b/config/kube_config.py#L420
https://github.com/kubernetes-client/python-base/blob/bd9a8525e9215f7f01c32a321beb9a605cf0402b/config/kube_config.py#L510
When working with Amazon EKS via aws-iam-authenticator though, token/api-key expires relatively quickly.

It is proposed to introduce a configurable option to specify token/api-key time-to-live. On API call the time should be checked, and if expired the token/api-key should be refreshed by calling https://github.com/kubernetes-client/python-base/blob/bd9a8525e9215f7f01c32a321beb9a605cf0402b/config/kube_config.py#L350 again.
Alternatively, API client could check for 401 Unauthorized return code and refresh token (at most once per API call).

[marsewe]

See also kubernetes-sigs/aws-iam-authenticator#63 and https://stackoverflow.com/questions/48151388/kubernetes-python-client-authentication-issue. Should the user of the client catch the 401 (and re-authenticate and retry) or is that a responsibility of the kubernetes-client?

[jmeickle]

Calling config.load_kube_config() again doesn't seem to recreate a token in my case, even though the corresponding kubectl command would have automatically done so. So I think there's some staleness check here that isn't actually occurring.

[houqp]

config for an existing client is cached unfortunately :( After calling load_kube_config, you will have to recreate a new api client to pick up the refreshed token. Currently, the expirationTimestamp returned from aws-iam-authenticator is ignored by KubeConfigLoader.

[wing328]

@houqp I wonder if you can send the patch upstream to OpenAPI Generator as that's what the project going to use moving forward to generate API clients: kubernetes-client/gen#93

[houqp]

Good call @wing328, do you know if #738 and kubernetes-client/gen#97 are the right PRs to watch?

[houqp]

@wing328 i have ported the patches to openapi-generator, could you help review them?

[roycaihw]

/assign

[roycaihw]

kubernetes-client/gen#97 is merged. We used openapi-generator in 11.0.0a1 release #931

[jdamata]

I'm using 11.0.0a1 but still getting intermittent 401's

{"asctime": "2019-11-13 14:38:33,384", "name": "k8s", "levelname": "INFO", "message": "Sleeping for 60 seconds"}
Traceback (most recent call last):
  File "src/main.py", line 57, in <module>
    drain.run()
  File "/opt/git/stratus/stratus-eks/worker_node_rolling_update/src/k8s.py", line 42, in run
    self.drain()
  File "/opt/git/stratus/stratus-eks/worker_node_rolling_update/src/k8s.py", line 33, in drain
    if check_node_drained(self.v1api, node):
  File "/opt/git/stratus/stratus-eks/worker_node_rolling_update/src/k8s_helper.py", line 117, in check_node_drained
    node_body = api.read_node(node_name)
  File "/Users/damatj/.local/share/virtualenvs/worker_node_rolling_update-n2X_lDEC/lib/python3.7/site-packages/kubernetes/client/api/core_v1_api.py", line 20565, in read_node
    (data) = self.read_node_with_http_info(name, **kwargs)  # noqa: E501
  File "/Users/damatj/.local/share/virtualenvs/worker_node_rolling_update-n2X_lDEC/lib/python3.7/site-packages/kubernetes/client/api/core_v1_api.py", line 20649, in read_node_with_http_info
    collection_formats=collection_formats)
  File "/Users/damatj/.local/share/virtualenvs/worker_node_rolling_update-n2X_lDEC/lib/python3.7/site-packages/kubernetes/client/api_client.py", line 335, in call_api
    _preload_content, _request_timeout)
  File "/Users/damatj/.local/share/virtualenvs/worker_node_rolling_update-n2X_lDEC/lib/python3.7/site-packages/kubernetes/client/api_client.py", line 166, in __call_api
    _request_timeout=_request_timeout)
  File "/Users/damatj/.local/share/virtualenvs/worker_node_rolling_update-n2X_lDEC/lib/python3.7/site-packages/kubernetes/client/api_client.py", line 356, in request
    headers=headers)
  File "/Users/damatj/.local/share/virtualenvs/worker_node_rolling_update-n2X_lDEC/lib/python3.7/site-packages/kubernetes/client/rest.py", line 241, in GET
    query_params=query_params)
  File "/Users/damatj/.local/share/virtualenvs/worker_node_rolling_update-n2X_lDEC/lib/python3.7/site-packages/kubernetes/client/rest.py", line 231, in request
    raise ApiException(http_resp=r)
kubernetes.client.rest.ApiException: (401)
Reason: Unauthorized
HTTP response headers: HTTPHeaderDict({'Audit-Id': '96bc2da9-40a0-42b8-9303-3a99b5d77db1', 'Content-Type': 'application/json', 'Date': 'Wed, 13 Nov 2019 19:39:33 GMT', 'Content-Length': '129'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}

[athom]

11.0.0b2 also not work

   File "/etc/airflow/.local/share/virtualenvs/airflow-bTdwlyD1/lib/python3.6/site-packages/airflow/contrib/kubernetes/pod_launcher.py", line 168, in read_pod
     return self._client.read_namespaced_pod(pod.name, pod.namespace)
   File "/etc/airflow/.local/share/virtualenvs/airflow-bTdwlyD1/lib/python3.6/site-packages/kubernetes/client/api/core_v1_api.py", line 19078, in read_namespaced_pod
     (data) = self.read_namespaced_pod_with_http_info(name, namespace, **kwargs)  # noqa: E501
   File "/etc/airflow/.local/share/virtualenvs/airflow-bTdwlyD1/lib/python3.6/site-packages/kubernetes/client/api/core_v1_api.py", line 19169, in read_namespaced_pod_with_http_info
     collection_formats=collection_formats)
   File "/etc/airflow/.local/share/virtualenvs/airflow-bTdwlyD1/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 335, in call_api
     _preload_content, _request_timeout)
   File "/etc/airflow/.local/share/virtualenvs/airflow-bTdwlyD1/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 166, in __call_api
     _request_timeout=_request_timeout)
   File "/etc/airflow/.local/share/virtualenvs/airflow-bTdwlyD1/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 356, in request
     headers=headers)
   File "/etc/airflow/.local/share/virtualenvs/airflow-bTdwlyD1/lib/python3.6/site-packages/kubernetes/client/rest.py", line 241, in GET
     query_params=query_params)
   File "/etc/airflow/.local/share/virtualenvs/airflow-bTdwlyD1/lib/python3.6/site-packages/kubernetes/client/rest.py", line 231, in request
     raise ApiException(http_resp=r)
 kubernetes.client.rest.ApiException: (401)
 Reason: Unauthorized
 HTTP response headers: HTTPHeaderDict({'Audit-Id': '685e7f66-8303-418c-9d1d-b82920ef2d0f', 'Content-Type': 'application/json', 'Date': 'Wed, 11 Dec 2019 04:12:24 GMT', 'Content-Length': '129'})
 HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[tbarrella]

/remove-lifecycle stale

[roycaihw]

OpenAPITools/openapi-generator#3594 was included in openapi-generator 4.1.1. Currently we are still using openapi-generator 3.3.4. We are tracking upgrading openapi-generator in the next major release: #1052, #1088

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[dinvlad]

/remove-lifecycle stale

[Uznick]

We have a similiar workaround as well. Works fine for now.

[dinvlad]

@houqp by looking at your code, it uses the default load_incluster_config() when running inside the cluster. Does it mean you only experience this issue with the default load_kube_config()? We're seeing it even with load_incluster_config(), if I'm reading that right.

Or maybe our "hanging" issue is actually not due to expired creds, but instead because of the TCP keepalive problem you mentioned there as well (thanks for indirectly bringing this to my attention!) 🤔

[dinvlad]

To more specifically expand on our issue (which might be slightly different from others' use of config loader here), we use load_incluster_config() for in-cluster cleanup operation, which in our case is the following pseudo-code:

from kubernetes.watch import Watch

def cleanup(namespace: str):
    """
    Watches for and deletes terminated Jobs.
    This function would not normally be needed if `ttlSecondsAfterFinished` worked.
    However, that feature is currently hidden behind an `alpha` flag in GKE.
    """
    load_incluster_config()
    api = BatchV1Api()
    events = Watch().stream(api.list_namespaced_job, namespace)
    for event in events:
        # cleanup logic

So our issue (if I'm not mistaken) is that no matter how credentials are fetched (either in-cluster or not), they seem to be "cached" in the config, and then stream() generator expires. I wonder if there's a more general way to implement a config client that refreshes credentials automatically.

Please correct me if that's what's already happening in load_incluster_config(), and our issue (watcher stops working after a while) is caused by something else (like the keepalive problem etc.)

[houqp]

@dinvlad my fix was only for out of cluster communication where auth goes through iam-authenticator. IIRC, in cluster communication uses builtin K8S auth, which doesn't have this problem.

[alexcristi]

Hi there! Any updates on this?

[kwlzn]

is anyone actively working on this issue? if not, my team at Twitter might try to take a stab at it soon.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[dinvlad]

/remove-lifecycle stale