- Bug
- Resolution: Duplicate
- Major
- None
- Kubernetes 1.21+
This problem is already present in EKS. The Jenkins pods are not refreshing their service token, so they must be killed every 90 days.
https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.21
BoundServiceAccountTokenVolume graduated to beta and is enabled by default in Kubernetes version 1.21. This feature improves security of service account tokens by allowing workloads running on Kubernetes to request JSON web tokens that are audience, time, and key bound. Service account tokens now have an expiration of one hour. In previous Kubernetes versions, they didn't have an expiration. This means that clients that rely on these tokens must refresh the tokens within an hour. The following Kubernetes client SDKs refresh tokens automatically within the required time frame:
- Go v0.15.7 and later
- Python v12.0.0 and later
- Java v9.0.0 and later
- JavaScript v0.10.3 and later
- Ruby master branch
- Haskell v0.3.0.0
- C# v7.0.5 and later
- duplicates: JENKINS-68584 BoundServiceAccountTokenVolume - Refresh ServiceAccount Tokens (Closed)
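Added example, not code from this issue or from the Jenkins plugin: a minimal token source that re-reads the projected service account token file instead of caching it once at startup, which is the refresh behaviour the description above says clients need. The class name, the 60-second reload interval, the simulated clock and the unsigned sample tokens are assumptions constructed for illustration.

```python
import base64, json, time

def jwt_claims(token):
    """Decode a JWT payload without verifying it (only to read iat/exp)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)        # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

class RefreshingTokenSource:
    """Hypothetical helper: re-reads the token file at most every `reload_every` s.
    In a pod the file is /var/run/secrets/kubernetes.io/serviceaccount/token."""
    def __init__(self, path, reload_every=60, clock=time.time):
        self.path, self.reload_every, self.clock = path, reload_every, clock
        self._token, self._read_at = None, 0.0

    def token(self):
        now = self.clock()
        if self._token is None or now - self._read_at >= self.reload_every:
            with open(self.path) as fh:         # kubelet rewrites this file on rotation
                self._token = fh.read().strip()
            self._read_at = now
        return self._token

    def seconds_left(self):
        return jwt_claims(self.token())["exp"] - self.clock()

def make_token(iat, ttl=3600):
    """Constructed, unsigned sample token (not a real service account token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"iat": iat, "exp": iat + ttl}), "sig"])

def write_token(path, iat):
    with open(path, "w") as fh:
        fh.write(make_token(iat))

def demo(path):
    """Simulate a rotation while a long-running client stays up."""
    now = [1_700_000_000]                       # simulated clock, in seconds
    write_token(path, now[0])
    src = RefreshingTokenSource(path, clock=lambda: now[0])
    stale = src.token()                         # what a read-once client keeps forever
    now[0] += 2900                              # kubelet rotates at about 80% of the TTL
    write_token(path, now[0])
    now[0] += 800                               # 3700 s after startup
    stale_left = jwt_claims(stale)["exp"] - now[0]
    return stale_left, src.seconds_left()       # (expired copy, refreshed copy)
```

A negative first value means the token read at startup has passed its `exp` claim, while the refreshing source has picked up the rotated file and still holds a valid token.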