[EKS 1.21/1.22][BoundServiceAccountTokenVolume] Refresh AWS service account tokens automatically #74
Comments
Hi @prashil-sophos, thanks for reaching out!
Any update on this?
@prashil-g the
Hi @prashil-g ,
Thanks @mirii1994 I'll try upgrading to logzio/logzio-fluentd:1.1.1
After updating to new version we see surge in below type of logs in cloudwatch
Also pod is printing below error continuously
@prashil-g I see that there was a PR in the plugin's repo to initialize pod watcher on 401.
Thanks @mirii1994 for the quick response as always!
@prashil-g logzio/logzio-fluentd:1.2.0 is out. Please use that version.
Describe the bug
I am using logzio/logzio-fluentd : 1.0.2 on AWS EKS 1.21 and received the following email from AWS:
> Description
>
> We have identified applications running in one or more of your Amazon EKS clusters that are not refreshing service account tokens. Applications making requests to Kubernetes API server with expired tokens will fail. You can resolve the issue by updating your application and its dependencies to use newer versions of Kubernetes client SDK that automatically refreshes the tokens.
>
> What is the problem?
>
> Kubernetes version 1.21 graduated BoundServiceAccountTokenVolume feature [1] to beta and enabled it by default. This feature improves security of service account tokens by requiring a one hour expiry time, over the previous default of no expiration. This means that applications that do not refetch service account tokens periodically will receive an HTTP 401 unauthorized error response on requests to Kubernetes API server with expired tokens. You can learn more about the BoundServiceAccountToken feature in EKS Kubernetes 1.21 release notes [2].
>
> To enable a smooth migration of applications to the newer time-bound service account tokens, EKS v1.21+ extends the lifetime of service account tokens to 90 days. Applications on EKS v1.21+ clusters that make API server requests with tokens that are older than 90 days will receive an HTTP 401 unauthorized error response.
>
> We recommend that you update your applications and its dependencies that are using stale service accounts tokens to use one of the newer Kubernetes Client SDKs that refetches tokens.
>
> If the service account token used is close to expiry (<90 days) and you do not have sufficient time to update your client SDK versions before expiry, then you can terminate existing pods and create new ones. This results in refetching of the service account token, giving you additional time (90 days) to update your client SDKs.
A similar issue is also reported in fluent-bit (fluent/fluent-bit#5445), but I didn't see anything in the fluentd GitHub repo.
To Reproduce
Deploy a logzio/logzio-fluentd:1.0.2 pod on AWS EKS 1.21
Expected behavior
I think the fluentd pod should automatically refresh its IRSA credentials.
Your Environment
Version used:
AWS EKS 1.21
logzio/logzio-fluentd : 1.0.2
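The failure mode described in the report (a client caches the projected service account token once at start-up and keeps presenting it after the kubelet has rotated the file) is easiest to see with a small token provider that re-reads the file when its cached copy is stale, and that forces a re-read on a 401 before retrying once. This is an added example written for this thread, not code from the logzio-fluentd plugin or from fluentd; the `RefreshingServiceAccountToken` and `with_token_retry` names, the 60-second cache age, and the fake API server are constructed for illustration. It assumes the standard projected token path `/var/run/secrets/kubernetes.io/serviceaccount/token`.

```ruby
require 'tempfile'

# Re-reads the projected service account token from disk on demand instead of
# caching it once at start-up. With BoundServiceAccountTokenVolume the kubelet
# rewrites this file before the current token expires, so a client that
# re-reads it keeps a valid token; a client that cached the first value gets
# HTTP 401 once that value expires.
class RefreshingServiceAccountToken
  # Assumption: the standard projected token path inside the pod.
  DEFAULT_PATH = '/var/run/secrets/kubernetes.io/serviceaccount/token'.freeze

  # path:    token file to read
  # max_age: seconds a cached copy may be reused before the file is read again
  # clock:   injectable time source (constructed hook so the example is testable)
  def initialize(path: DEFAULT_PATH, max_age: 60, clock: -> { Time.now })
    @path = path
    @max_age = max_age
    @clock = clock
    @cached = nil
    @read_at = nil
  end

  # Current token; re-reads the file once the cached copy is older than max_age.
  def token
    refresh! if @cached.nil? || (@clock.call - @read_at) >= @max_age
    @cached
  end

  # Forces a re-read. Call this on a 401 so a freshly rotated token is picked
  # up immediately instead of after max_age has elapsed.
  def refresh!
    @cached = File.read(@path).strip
    @read_at = @clock.call
    @cached
  end
end

# Sends one request with the current token; on 401 refreshes the token and
# retries exactly once. `send_request` is any callable taking the bearer token
# and returning an HTTP status code (stand-in for a real API server call).
def with_token_retry(provider, send_request)
  status = send_request.call(provider.token)
  return status unless status == 401

  provider.refresh!
  send_request.call(provider.token)
end

# Self-contained demonstration: a constructed token file plus a fake API server
# that only accepts whatever token was most recently written to that file.
def demo
  file = Tempfile.new('sa-token')
  file.write("token-v1\n")
  file.flush

  now = Time.at(1_000_000)
  provider = RefreshingServiceAccountToken.new(path: file.path, max_age: 60, clock: -> { now })

  valid_token = 'token-v1'
  fake_api = ->(bearer) { bearer == valid_token ? 200 : 401 }

  first = with_token_retry(provider, fake_api) # 200: token-v1 accepted

  # The kubelet rotates the projected token; the old value is now rejected.
  File.write(file.path, "token-v2\n")
  valid_token = 'token-v2'

  # Within max_age the stale cached token is sent first and gets 401; the
  # retry re-reads the file and succeeds with token-v2.
  calls = []
  counting_api = ->(bearer) { calls << bearer; fake_api.call(bearer) }
  second = with_token_retry(provider, counting_api)

  { first: first, second: second, calls: calls, current: provider.token }
ensure
  file&.close!
end

p demo if __FILE__ == $PROGRAM_NAME
```

The two mechanisms complement each other: the age-based re-read keeps the client from ever presenting a token older than `max_age`, and the 401-triggered refresh covers the window between a rotation and the next scheduled re-read without retrying in a loop.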