BoundServiceAccountTokenVolume - Refresh Service Tokens



This problem is already present in EKS. The Jenkins pods are not refreshing their service token, so they must be killed every 90 days.

https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.21

https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/1205-bound-service-account-tokens/README.md

BoundServiceAccountTokenVolume graduated to beta and is enabled by default in Kubernetes version 1.21. This feature improves security of service account tokens by allowing workloads running on Kubernetes to request JSON web tokens that are audience, time, and key bound. Service account tokens now have an expiration of one hour. In previous Kubernetes versions, they didn't have an expiration. This means that clients that rely on these tokens must refresh the tokens within an hour. The following Kubernetes client SDKs refresh tokens automatically within the required time frame:

Go v0.15.7 and later
Python v12.0.0 and later
Java v9.0.0 and later
JavaScript v0.10.3 and later
Ruby master branch
Haskell v0.3.0.0
C# v7.0.5 and later
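As an added example (not code from this issue, the Jenkins Kubernetes plugin, or any of the SDKs listed above), the following Python sketch shows the reload behaviour a client needs once tokens are time-bound: it decodes the token's exp claim locally and re-reads the projected token file before the one-hour expiry instead of caching the first read for the life of the pod. The token path, the five-minute refresh margin, and the constructed unsigned test token are assumptions.

```python
import base64
import json
import time

# Assumed path where kubelet projects the bound token into a pod.
DEFAULT_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def _b64url(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_claims(token: str) -> dict:
    """Decode the JWT payload only. No signature check happens here: the API
    server verifies the token; the client just needs exp/aud to plan a reload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url(parts[1]))


def seconds_until_expiry(token: str, now=None) -> float:
    now = time.time() if now is None else now
    return parse_claims(token)["exp"] - now


class BoundTokenSource:
    """Serve the token from the projected file and re-read it before expiry.
    Reading the file once at startup keeps presenting a token that expires after
    one hour even though kubelet has already written a fresh one to the same path."""

    def __init__(self, read_token=None, refresh_margin=300.0):
        # read_token returns the current token text; default reads the projected file.
        self._read = read_token or (lambda: open(DEFAULT_TOKEN_PATH).read().strip())
        self.refresh_margin = refresh_margin
        self._token, self._exp = None, 0.0

    def token(self, now=None) -> str:
        now = time.time() if now is None else now
        # Reload when nothing is cached or the cached token is within the margin of exp.
        if self._token is None or self._exp - now < self.refresh_margin:
            self._token = self._read()
            self._exp = parse_claims(self._token)["exp"]
        return self._token


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token: real header/payload layout, placeholder signature."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"
```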
      

Assignee: Vincent Latombe
Reporter: Justin Seiser
Archiver: Jenkins Service Account
