Kubernetes projected service account token expiry time issue
I am using AWS EKS 1.21 with service account discovery enabled.
Created an OIDC provider, and the .well-known/openid-configuration endpoint returns the correct configuration:
{
  "issuer": "https://oidc.eks.eu-west-1.amazonaws.com/id/***",
  "jwks_uri": "https://ip-***.eu-west-1.compute.internal:443/openid/v1/jwks",
  "response_types_supported": [
    "id_token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ]
}
Created a ServiceAccount for one of my deployments, and the pod gets it as a projected volume:
volumes:
- name: kube-api-access-b4xt9
  projected:
    defaultMode: 420
    sources:
    - serviceAccountToken:
        expirationSeconds: 3607
        path: token
    - configMap:
        items:
        - key: ca.crt
          path: ca.crt
        name: kube-root-ca.crt
    - downwardAPI:
        items:
        - fieldRef:
            apiVersion: v1
            fieldPath: metadata.namespace
          path: namespace
The secret created for the ServiceAccount contains this token:
{
  "iss": "kubernetes/serviceaccount",
  "kubernetes.io/serviceaccount/namespace": "sbx",
  "kubernetes.io/serviceaccount/secret.name": "dliver-site-config-service-token-kz874",
  "kubernetes.io/serviceaccount/service-account.name": "dliver-site-config-service",
  "kubernetes.io/serviceaccount/service-account.uid": "c26ad760-9067-4d90-a327-b3d6e32bce42",
  "sub": "system:serviceaccount:sbx:dliver-site-config-service"
}
The projected token mounted into the pod contains:
{
  "aud": [
    "https://kubernetes.default.svc"
  ],
  "exp": 1664448004,
  "iat": 1632912004,
  "iss": "https://oidc.eks.eu-west-1.amazonaws.com/id/***",
  "kubernetes.io": {
    "namespace": "sbx",
    "pod": {
      "name": "dliver-site-config-service-77494b8fdd-45pxw",
      "uid": "0dd440a6-1213-4faa-a69e-398b83d2dd6b"
    },
    "serviceaccount": {
      "name": "dliver-site-config-service",
      "uid": "c26ad760-9067-4d90-a327-b3d6e32bce42"
    },
    "warnafter": 1632915611
  },
  "nbf": 1632912004,
  "sub": "system:serviceaccount:sbx:dliver-site-config-service"
}
Kubernetes refreshes the projected token every hour, so everything looks fine.
Except for the projected token "exp" field:
"iat": 1632912004
i.e. Wednesday, September 29, 2021 10:40:04 AM
"exp": 1664448004
i.e. Thursday, September 29, 2022 10:40:04 AM
So the problem is that the projected token expiry is 1 year instead of about 1 hour, which makes Kubernetes' effort to refresh the token basically useless.
I searched for hours but simply could not figure out where this comes from.
The expiration flag passed to the kube-apiserver is --service-account-max-token-expiration="24h0m0s", so my assumption is that this should somehow be configured on the OIDC provider, but I could not find any related documentation.
Any idea how to make the projected token expiry date roughly the same as the expirationSeconds in the pod's projected volume?
Update
This only happens when the projected token expirationSeconds is set to the default value 3607; any other value gives the correct exp in the mounted token, which is really strange.
Finally got the answer elsewhere.
cluster operators can specify flag --service-account-extend-token-expiration=true to kube apiserver to allow tokens have longer expiration temporarily during the migration. Any usage of legacy token will be recorded in both metrics and audit logs.
The "3607" magic number is part of the bound service account token safe rollout plan, described in this KEP.
The actual number is hardcoded in the source code.
Since 1.20, the --service-account-extend-token-expiration flag is set to true by default.
The mentioned metric/log information can be found in the KEP too and was implemented here.
To see these logs in EKS you need to enable audit logging on the cluster, then check the relevant log entries in Cloudwatch.
I use this query in Cloudwatch Log Insight to find which pods do not reload the token regularly:
filter @logStream like 'kube-apiserver-audit'
| filter ispresent(`annotations.authentication.k8s.io/stale-token`)
| parse `annotations.authentication.k8s.io/stale-token` "subject: *," as subject
| stats count(*) as staleCount by subject, `user.username`
| sort staleCount desc
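The two checks that come out of this answer, inspecting a mounted token for the extended lifetime and counting stale-token audit events per subject, can be done offline with a small script. The following is an added Python example, not code from the question, the answer, or Kubernetes itself. It decodes the projected token's payload without verifying the signature (inspection of a token you already hold, not authentication), compares the real lifetime (exp minus iat) with the expirationSeconds requested in the pod spec, reports the offset of the warnafter claim, and then tallies stale-token annotations by subject the way the Cloudwatch query above does. The token and the audit events are constructed from the values shown on this page; the annotation value format "subject: ..., seconds after warning threshold: ..." is an assumption modelled on the query's parse pattern.

```python
import base64
import json
from collections import Counter


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in compact JWT serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample: the claims of the projected token shown in the question,
# re-encoded as a JWT with a placeholder header and signature so the example
# runs offline. The signature is never verified here; this is inspection only.
SAMPLE_CLAIMS = {
    "aud": ["https://kubernetes.default.svc"],
    "exp": 1664448004,
    "iat": 1632912004,
    "iss": "https://oidc.eks.eu-west-1.amazonaws.com/id/***",
    "kubernetes.io": {
        "namespace": "sbx",
        "pod": {"name": "dliver-site-config-service-77494b8fdd-45pxw",
                "uid": "0dd440a6-1213-4faa-a69e-398b83d2dd6b"},
        "serviceaccount": {"name": "dliver-site-config-service",
                           "uid": "c26ad760-9067-4d90-a327-b3d6e32bce42"},
        "warnafter": 1632915611,
    },
    "nbf": 1632912004,
    "sub": "system:serviceaccount:sbx:dliver-site-config-service",
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "placeholder-signature",
])


def decode_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. No signature check: use this only
    to look at a token you already hold, never to authenticate one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def inspect_token(token: str, requested_seconds: int) -> dict:
    """Compare the token's real lifetime with the expirationSeconds the pod
    asked for, and report where the warnafter claim sits relative to iat."""
    claims = decode_claims(token)
    lifetime = claims["exp"] - claims["iat"]
    warnafter = claims.get("kubernetes.io", {}).get("warnafter")
    return {
        "subject": claims["sub"],
        "lifetime_seconds": lifetime,
        "lifetime_days": lifetime // 86400,
        "extended": lifetime > requested_seconds,
        # On an extended token, warnafter marks the expiry the pod asked for;
        # the kubelet keeps rotating on that schedule while exp is much later.
        "warnafter_offset": None if warnafter is None else warnafter - claims["iat"],
    }


# Constructed audit events (one JSON object per line) in the shape of
# kube-apiserver audit entries carrying the stale-token annotation. The value
# format "subject: <sub>, seconds after warning threshold: <n>" is an
# assumption modelled on the parse pattern in the Cloudwatch query.
_SA = "system:serviceaccount:sbx:dliver-site-config-service"
SAMPLE_AUDIT_LINES = [
    json.dumps({"user": {"username": _SA},
                "annotations": {"authentication.k8s.io/stale-token":
                                f"subject: {_SA}, seconds after warning threshold: 120"}}),
    json.dumps({"user": {"username": _SA},
                "annotations": {"authentication.k8s.io/stale-token":
                                f"subject: {_SA}, seconds after warning threshold: 7500"}}),
    json.dumps({"user": {"username": "system:serviceaccount:sbx:other-svc"},
                "annotations": {}}),  # fresh token: no stale-token annotation
]


def count_stale_token_use(lines) -> Counter:
    """Offline equivalent of the Cloudwatch query: count stale-token events
    by (subject parsed from the annotation, user.username)."""
    counts = Counter()
    for line in lines:
        event = json.loads(line)
        note = event.get("annotations", {}).get("authentication.k8s.io/stale-token")
        if not note:
            continue
        subject = note.split("subject: ", 1)[1].split(",", 1)[0]
        counts[(subject, event["user"]["username"])] += 1
    return counts


if __name__ == "__main__":
    print(json.dumps(inspect_token(SAMPLE_TOKEN, 3607), indent=2))
    for (subject, user), n in count_stale_token_use(SAMPLE_AUDIT_LINES).most_common():
        print(f"{n:4d}  {subject}  ({user})")
```

Run against the token from the question, inspect_token reports a lifetime of 31536000 seconds (365 days) and a warnafter offset of exactly 3607 seconds, the requested expirationSeconds, which is the fingerprint of an extended token. A workload that keeps presenting the token past warnafter shows up as repeated stale-token events for its subject, which is what the audit tally surfaces.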