Shorten re-read period for token files to work with ProjectedTokenVolumeSource #72437
+6
−6
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
release-note
Contributor
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Member
Author
|
/retest |
krmayankk
reviewed
Dec 30, 2018
| // refreshes a projected service account token and when the original token expires. | ||
| // Default token lifetime is 10 minutes, and the kubelet starts refreshing at 80% of lifetime. | ||
| // This should induce re-reading at a frequency that works with the token volume source. | ||
| period: time.Minute, |
There was a problem hiding this comment.
- Does this period control the client-go reload of the token after it has been refreshed by the kubelet ?
- Is it configurable ?
- If yes to 1, isnt this dependent on the
expirationSecondsin the projected volume ?
Member
Author
There was a problem hiding this comment.
It does control the refresh period. It is not configurable. expirationSeconds must be at least 10 minutes
Member
|
/lgtm |
k8s-ci-robot
added
¯\_(ツ)_/¯
This was referenced Jan 8, 2019
liggitt
added
the
priority/important-soon
k8s-ci-robot
removed
the
needs-priority
k8s-ci-robot
added a commit
that referenced
this pull request
Jan 9, 2019
…7-upstream-release-1.13 Automated cherry pick of #72437: Shorten re-read period for token files to work with
k8s-ci-robot
added a commit
that referenced
this pull request
Jan 9, 2019
…7-upstream-release-1.12 Automated cherry pick of #72437: Shorten re-read period for token files to work with
Closed
39 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
/kind bug
What this PR does / why we need it:
Fixes the token file cache period to be short enough to observe refreshed service account tokens before the original expires.
The original 5 minute window (actually 4 minutes because of the 1 minute leeway) could prevent reading a token refreshed 1 second after the last read and expiring 2 minutes later.
Does this PR introduce a user-facing change?:
/cc @mikedanese
/sig auth