Bug
Resolution: Fixed
Major
None
Kubernetes >= 1.21
The BoundServiceAccountTokenVolume is now the default in Kubernetes >= 1.21, which basically implies that authentication done by service account tokens will need to refresh within a one-hour window to keep working.
From a quick look at the code (https://github.com/jenkinsci/kubernetes-credentials-plugin/blob/master/src/main/java/org/jenkinsci/plugins/kubernetes/credentials/FileSystemServiceAccountCredential.java) and the AWS emails (which say which SAs are using tokens older than an hour), it seems that the ServiceAccount token is read only one time, so logic to reload it will need to be implemented, and Kubernetes objects (deployment/statefulset and serviceaccount) will need to implement Service Account Token Volume Projection (https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection).
For now, a workaround is to kill Jenkins pods before the Service Account token expires; in AWS EKS this is before 90 days, but it will vary between setups.
I have marked kubernetes-plugin and kubernetes-credentials-plugin as impacted, but anything that needs to communicate with the Kubernetes API by ServiceAccount is potentially impacted, especially in a scenario where Jenkins is inside a Kubernetes cluster.
For more information, please refer to https://issues.jenkins.io/browse/JENKINS-68557.
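The reload logic the report asks for, as an added illustration (this is not code from kubernetes-credentials-plugin or any Jenkins plugin): a token source that re-reads the projected token file whenever the kubelet rotates it (the file's mtime changes) or the cached token is close to the `exp` claim, instead of reading the file once at startup. The in-cluster token path is the standard one; the `REFRESH_MARGIN` value, the `ReloadingTokenSource` class and the unsigned JWT used as sample data are assumptions made for the demo. The JWT is only decoded to read `exp`, never verified, since signature verification is the API server's job.

```python
"""Re-read a projected service-account token instead of caching it forever.

Added example, not plugin code. Assumes the standard in-cluster token path;
the JWT built by make_unsigned_jwt() is constructed demo data (alg=none).
"""
import base64
import json
import os
import tempfile
import time

TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"  # standard in-cluster path
REFRESH_MARGIN = 300  # assumed: force a re-read when < 5 min of validity remain


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_expiry(token):
    """Return the 'exp' claim of a JWT without verifying it, or None.

    Legacy (pre-1.21 style) secret-based tokens carry no 'exp', and an opaque
    non-JWT string is treated the same way: never expiring, never re-read
    except when the file itself changes.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    exp = claims.get("exp")
    return int(exp) if isinstance(exp, (int, float)) else None


class ReloadingTokenSource:
    """Cache the token, re-reading the file on rotation or near expiry."""

    def __init__(self, path=TOKEN_PATH, margin=REFRESH_MARGIN, clock=time.time):
        self.path = path
        self.margin = margin
        self.clock = clock  # injectable for deterministic tests
        self._token = None
        self._mtime = None
        self._exp = None
        self.reloads = 0

    def token(self):
        # os.stat follows the symlink the projected volume swaps on rotation,
        # so a new mtime means the kubelet has written a fresh token.
        mtime = os.stat(self.path).st_mtime
        near_expiry = self._exp is not None and self.clock() >= self._exp - self.margin
        if self._token is None or mtime != self._mtime or near_expiry:
            with open(self.path, encoding="utf-8") as f:
                self._token = f.read().strip()
            self._mtime = mtime
            self._exp = token_expiry(self._token)
            self.reloads += 1
        return self._token


def make_unsigned_jwt(claims):
    """Build header.payload. with an empty signature: constructed demo data only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def demo():
    """Simulate one kubelet rotation; returns (reloads, cache_hit, token_changed)."""
    now = 1_700_000_000
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "token")
        with open(path, "w", encoding="utf-8") as f:
            f.write(make_unsigned_jwt({"iat": now, "exp": now + 3600}))
        os.utime(path, (now, now))
        src = ReloadingTokenSource(path, clock=lambda: now)
        first = src.token()
        second = src.token()  # mtime unchanged, 1h left: served from cache
        # Rotation: the kubelet writes a new token with a later expiry.
        with open(path, "w", encoding="utf-8") as f:
            f.write(make_unsigned_jwt({"iat": now + 1, "exp": now + 7200}))
        os.utime(path, (now + 1, now + 1))  # distinct mtime regardless of fs granularity
        third = src.token()
        return src.reloads, first == second, third != first


if __name__ == "__main__":
    print(demo())
```

For the rotation to happen at all, the pod must mount the token through a `projected` volume with a `serviceAccountToken` source (optionally setting `expirationSeconds` and `audience`) as described in the Kubernetes page linked above; a client that still reads the file once will keep presenting the old token until the API server rejects it.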
is duplicated by JENKINS-68557 BoundServiceAccountTokenVolume - Refresh Service Tokens (Closed)