JENKINS-68557

BoundServiceAccountTokenVolume - Refresh Service Tokens

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • Component/s: kubernetes-plugin
    • Labels: None
    • Environment: Kubernetes 1.21+

      This problem is already present in EKS. The Jenkins pods are not refreshing their service token, so they must be killed every 90 days.

      https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.21

      https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/1205-bound-service-account-tokens/README.md

      BoundServiceAccountTokenVolume graduated to beta and is enabled by default in Kubernetes version 1.21. This feature improves security of service account tokens by allowing workloads running on Kubernetes to request JSON web tokens that are audience, time, and key bound. Service account tokens now have an expiration of one hour. In previous Kubernetes versions, they didn't have an expiration. This means that clients that rely on these tokens must refresh the tokens within an hour. The following Kubernetes client SDKs refresh tokens automatically within the required time frame:
      
      Go v0.15.7 and later
      Python v12.0.0 and later
      Java v9.0.0 and later
      JavaScript v0.10.3 and later
      Ruby master branch
      Haskell v0.3.0.0
      C# v7.0.5 and later
      

      Assignee: Vincent Latombe (vlatombe)
      Reporter: Justin Seiser (jseiser)
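
The expiry behaviour quoted above, as an added example (not code from the issue, Jenkins, or the kubernetes-plugin): it decodes a token's `exp` claim and contrasts a client that read the token file once with one that re-reads it. The mount path, the `ReloadingTokenSource` helper, the 60-second re-read interval and the sample tokens are assumptions constructed for illustration.

```python
import base64, json, os, tempfile, time

# Usual in-pod mount path of the projected token (assumption, not stated on the page).
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

def decode_claims(token):
    """Return the JWT payload as a dict. No signature check: diagnostics only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def seconds_left(token, now=None):
    """Seconds until the `exp` claim; a negative value means the token has expired."""
    return decode_claims(token)["exp"] - (time.time() if now is None else now)

class ReloadingTokenSource:
    """Hypothetical helper: re-reads the token file once the cached copy is max_age old."""
    def __init__(self, path=TOKEN_PATH, max_age=60):
        self.path, self.max_age = path, max_age
        self._token, self._read_at = None, 0.0

    def token(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now - self._read_at >= self.max_age:
            with open(self.path) as f:
                self._token = f.read().strip()
            self._read_at = now
        return self._token

def make_token(iat, ttl=3600):
    """Constructed, unsigned sample token with a one-hour lifetime (not a credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"aud": ["https://kubernetes.default.svc"], "iat": iat, "exp": iat + ttl}
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed"])

def demo():
    t0 = 1_700_000_000  # constructed clock, so the result is deterministic
    path = os.path.join(tempfile.mkdtemp(), "token")
    with open(path, "w") as f:
        f.write(make_token(t0))
    source = ReloadingTokenSource(path)
    read_once = source.token(now=t0)  # a client that never re-reads keeps this copy
    with open(path, "w") as f:
        f.write(make_token(t0 + 2880))  # simulated rotation of the file on disk
    later = t0 + 3700
    return seconds_left(read_once, later), seconds_left(source.token(now=later), later)

if __name__ == "__main__":
    print(demo())
```

Running `seconds_left` against the token mounted in a long-lived pod shows whether the process is still presenting a copy whose `exp` has passed.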