[JENKINS-68557] BoundServiceAccountTokenVolume - Refresh Service Tokens - Jenkins Jira

Type: Bug
Resolution: Duplicate
Priority: Major
Component/s: kubernetes-plugin
Labels:
None
Environment:
Kubernetes 1.21+

Similar Issues:
Powered by SuggestiMate

Show
URL:
https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/1205-bound-service-account-tokens/README.md

This problem is already present in EKS. The Jenkins pods, are not refreshing their service token, so they must be killed every 90 days.

https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.21

https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/1205-bound-service-account-tokens/README.md

BoundServiceAccountTokenVolume graduated to beta and is enabled by default in Kubernetes version 1.21. This feature improves security of service account tokens by allowing workloads running on Kubernetes to request JSON web tokens that are audience, time, and key bound. Service account tokens now have an expiration of one hour. In previous Kubernetes versions, they didn't have an expiration. This means that clients that rely on these tokens must refresh the tokens within an hour. The following Kubernetes client SDKs refresh tokens automatically within the required time frame:

Go v0.15.7 and later
Python v12.0.0 and later
Java v9.0.0 and later
JavaScript v0.10.3 and later
Ruby master branch
Haskell v0.3.0.0
C# v7.0.5 and later

duplicates

JENKINS-68584 BoundServiceAccountTokenVolume - Refresh ServiceAccount Tokens

Closed

Assignee:: Vincent Latombe

Reporter:: Justin Seiser

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2022-05-17 14:44

Updated:: 2023-01-30 08:16

Resolved:: 2023-01-30 08:16

Details

Description

Attachments

Issue Links

Activity

People

Dates